IPv4 Access Control Lists (ACLs)
IPv4 Static ACL Operation
Introduction
An ACL is a list of one or more Access Control Entries (ACEs), where each
ACE consists of matching criteria and an action (permit or deny). A static
ACL applies only to the switch on which it is configured. ACLs operate on
assigned interfaces and offer these traffic filtering options:
IPv4 traffic inbound on a port.
The following table lists the range of interface options:

Interface | ACL Application                     | Application Point                                        | Filter Action
----------|-------------------------------------|----------------------------------------------------------|---------------------------------------------------
Port      | Static Port ACL (switch configured) | inbound on the switch port                               | inbound IPv4 traffic
Port      | Dynamic Port ACL (RADIUS assigned) (1) | inbound on the switch port used by authenticated client | inbound IPv4 traffic from the authenticated client

(1) This chapter describes ACLs statically configured on the switch. For information on dynamic
port ACLs assigned by a RADIUS server, refer to chapter 6, "Configuring RADIUS Server
Support for Switch Services".
Note After you assign an IPv4 ACL to an interface, the default action on the interface
is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL.
(This applies only in the direction of traffic flow filtered by the ACL.)
The Packet-filtering Process
Sequential Comparison and Action. When an ACL filters a packet, it
sequentially compares each ACE’s filtering criteria to the corresponding data
in the packet until it finds a match. The action indicated by the matching ACE
(deny or permit) is then performed on the packet.
Implicit Deny. If a packet does not have a match with the criteria in any of
the ACEs in the ACL, the ACL denies (drops) the packet. If you need to
override the implicit deny so that a packet that does not have a match will be
permitted, then you can use the “permit any” option as the last ACE in the
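The sequential first-match evaluation and the implicit deny described above can be modelled in a few lines of code. The following is an added example written for this page, not code from the switch documentation or the switch firmware; the ACE fields (source, destination, protocol, destination port), the helper names and the sample addresses are assumptions for illustration and are not switch CLI syntax. It shows that ACE order decides the outcome, that a packet matching no ACE is dropped, and that a trailing "permit any" ACE is what changes that default.

```python
"""Model of IPv4 static ACL packet filtering: sequential comparison,
first-match action, implicit deny.  Constructed example, not switch code."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Fields of an IPv4 packet that an ACE can match on (assumed model)."""
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None     # destination port, if the protocol has one


@dataclass(frozen=True)
class ACE:
    """One Access Control Entry: matching criteria plus a permit/deny action."""
    action: str                                   # "permit" or "deny"
    src: IPv4Network = ip_network("0.0.0.0/0")    # default: any source
    dst: IPv4Network = ip_network("0.0.0.0/0")    # default: any destination
    proto: Optional[str] = None                   # None = any protocol
    dport: Optional[int] = None                   # None = any port

    def matches(self, pkt: Packet) -> bool:
        # Every criterion that is set must match; unset criteria match anything.
        return (ip_address(pkt.src) in self.src
                and ip_address(pkt.dst) in self.dst
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


# The "permit any" ACE the text discusses: no criteria set, so it matches all.
PERMIT_ANY = ACE("permit")


@dataclass
class StaticACL:
    name: str
    aces: List[ACE] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Sequential comparison: the first matching ACE decides.
        Returns (action, 1-based ACE index); no match -> implicit deny,
        reported as ("deny", None)."""
        for idx, ace in enumerate(self.aces, start=1):
            if ace.matches(pkt):
                return ace.action, idx
        return "deny", None


def build_example_acl(permit_any_last: bool = False) -> StaticACL:
    """Constructed ACL: block one host, then permit SSH from its subnet.
    With permit_any_last=True a trailing "permit any" overrides implicit deny."""
    acl = StaticACL("SAMPLE-ACL", [
        ACE("deny", src=ip_network("10.1.1.5/32")),
        ACE("permit", src=ip_network("10.1.1.0/24"),
            dst=ip_network("10.2.0.0/16"), proto="tcp", dport=22),
    ])
    if permit_any_last:
        acl.aces.append(PERMIT_ANY)
    return acl


# Constructed sample traffic, all arriving inbound on the filtered port.
SAMPLE_PACKETS = [
    Packet("10.1.1.5", "10.2.3.4", "tcp", 22),    # blocked host, would otherwise match ACE 2
    Packet("10.1.1.7", "10.2.3.4", "tcp", 22),    # permitted by ACE 2
    Packet("10.1.1.7", "10.2.3.4", "tcp", 80),    # matches nothing -> implicit deny
]


def filter_packets(acl: StaticACL, packets: List[Packet]) -> List[Tuple[str, Optional[int]]]:
    return [acl.evaluate(p) for p in packets]


if __name__ == "__main__":
    for label, acl in (("implicit deny", build_example_acl()),
                       ("permit any last", build_example_acl(True))):
        print(label)
        for pkt, (action, idx) in zip(SAMPLE_PACKETS, filter_packets(acl, SAMPLE_PACKETS)):
            print(f"  {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}: {action}"
                  f" ({'ACE ' + str(idx) if idx else 'implicit'})")
```

Reversing the two ACEs in `build_example_acl` would permit 10.1.1.5 at ACE 1 and never reach the deny, which is the practical consequence of first-match evaluation: specific deny entries must precede the broader permit they are meant to override.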