Product guide
10-30
Access Control Lists (ACLs)
Planning an ACL Application
It is important to remember that all ACLs configurable on the switch include
an implicit deny ip any any. That is, IP packets that the ACL does not explicitly
permit or deny are implicitly denied, and are therefore dropped instead of
forwarded on the interface. If you want to preempt the implicit deny so that
packets not explicitly denied by other ACEs in the ACL are permitted,
insert an explicit “permit any” as the last ACE in the ACL. Doing so permits
any packet not explicitly denied by earlier entries. (Note that this solution
does not apply in the preceding example, where the intention is for the switch
to forward only explicitly permitted packets routed on VLAN 12.)
Planning an ACL Application
Before creating and implementing ACLs, you need to define the policies you
want your ACLs to enforce, and understand how the ACL assignments will
impact your network users.
Note All IP traffic entering the switch on a given interface is filtered by all ACLs
configured for inbound traffic on that interface. For this reason, an inbound
packet will be denied (dropped) if it has a match with either an implicit or
explicit deny in any of the inbound ACLs applied to the interface. (This does
not apply to IP traffic leaving the switch because only one type of ACL—an
RACL—can be applied, and only to routed IP traffic.)
(Refer to “Multiple ACLs on an Interface” on page 10-20.)
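As an added illustration (not part of this guide, and not the switch's own code), the following Python model reproduces the matching rules described above and in the Note: first-match evaluation within an ACL, the unlisted implicit deny ip any any, the effect of a trailing “permit any”, and the requirement that an inbound packet be permitted by every ACL applied inbound on the interface. The ACE fields, ACL contents and sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Ace:
    """One access control entry (constructed model, not the switch's syntax)."""
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches any protocol; otherwise e.g. "tcp", "udp"
    src: str      # source CIDR, or "any"
    dst: str      # destination CIDR, or "any"

    def matches(self, pkt):
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        return all(
            sel == "any" or ip_address(addr) in ip_network(sel)
            for sel, addr in ((self.src, pkt["src"]), (self.dst, pkt["dst"]))
        )


def evaluate_acl(acl, pkt):
    """First matching ACE decides; a packet matching no ACE hits the
    implicit deny ip any any, which never appears in the configuration."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


def inbound_decision(acls, pkt):
    """All inbound ACLs on an interface filter the packet: a deny, implicit
    or explicit, in any one of them drops it; only all-permit forwards it."""
    return "forward" if all(evaluate_acl(a, pkt) == "permit" for a in acls) else "drop"


# Constructed ACLs. The first blocks one host and relies on the implicit deny
# for everything else; the second appends "permit any" to preempt it.
BLOCK_HOST = [Ace("deny", "ip", "10.0.12.99/32", "any")]
BLOCK_HOST_PERMIT_REST = BLOCK_HOST + [Ace("permit", "ip", "any", "any")]

# Constructed sample packets.
PKT_FROM_BLOCKED = {"proto": "tcp", "src": "10.0.12.99", "dst": "10.0.20.5"}
PKT_FROM_OTHER = {"proto": "tcp", "src": "10.0.12.7", "dst": "10.0.20.5"}
```

Note that “permit any” only works as intended when it is the last ACE: placed earlier, it matches first and the deny entries after it are never reached.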
IP Traffic Management and Improved Network Performance
You can use ACLs to block IP traffic from individual hosts, workgroups, or
subnets, and to block access to VLANs, subnets, devices, and services. Traffic
criteria for ACLs include:
■ Switched and/or routed IP traffic
■ Any IP traffic of a specific protocol type (0-255)