24-Port Fast Ethernet Switch Management Guide
C
OMMAND
L
INE
I
NTERFACE
4-121
• Egress MAC ACLs only work for destination-mac-known packets, not for
multicast, broadcast, or destination-mac-unknown packets.
The order in which active ACLs are checked is as follows:
1. User-defined rules in the Egress MAC ACL for egress ports.
2. User-defined rules in the Egress IP ACL for egress ports.
3. User-defined rules in the Ingress MAC ACL for ingress ports.
4. User-defined rules in the Ingress IP ACL for ingress ports.
5. Explicit default rule (permit any any) in the ingress IP ACL for ingress
ports.
6. Explicit default rule (permit any any) in the ingress MAC ACL for ingress
ports.
7. If no explicit rule is matched, the implicit default is permit all.
Masks for Access Control Lists
You must specify masks that control the order in which ACL rules are
checked. The switch includes two system default masks that pass/filter
packets matching the permit/deny the rules specified in an ingress ACL. You
can also configure up to seven user-defined masks for an ACL. A mask must
be bound exclusively to one of the basic ACL types (i.e., Ingress IP ACL,
Egress IP ACL, Ingress MAC ACL or Egress MAC ACL), but a mask can be
bound to up to four ACLs of the same type.
Table 4-35 Access Control List Commands
Command Groups Function Page
IP ACLs Configures ACLs based on IP addresses, TCP/UDP
port number, protocol type, and TCP control code
4-122
MAC ACLs Configures ACLs based on hardware addresses, packet
format, and Ethernet type
4-138
ACL Information Displays ACLs and associated rules; shows ACLs
assigned to each port
4-150