IPv4 Access Control Lists (ACLs)
Overview
Types of IPv4 ACLs
A permit or deny policy for IPv4 traffic you want to filter can be based on
source address alone, or on source address plus other factors.
Standard ACL: Use a standard ACL when you need to permit or deny IPv4
traffic based on source address only. Standard ACLs are also useful when you
need to quickly control a performance problem by limiting IPv4 traffic from a
subnet, group of devices, or a single device. (This can block all IPv4 traffic
from the configured source, but does not hamper IPv4 traffic from other
sources within the network.) A standard ACL uses an alphanumeric ID string
or a numeric ID of 1 through 99. You can specify a single host, a finite group
of hosts, or any host.
Extended ACL: Use an extended ACL when filtering on the IPv4 source address
alone does not give you the traffic selection criteria an interface needs.
Extended ACLs allow use of the following criteria:
■ source and destination IPv4 address combinations
■ IP protocol options
Extended, named ACLs also offer an option to permit or deny IPv4 connections
using TCP for applications such as Telnet, HTTP, FTP, and others.
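The distinction between the two ACL types is easiest to see by evaluating the same traffic against each. The following Python model is an added example and is not switch code or text from this manual: it implements first-match evaluation with the implicit "deny any" that terminates every ACL, a standard ACL that filters on source address only, and an extended ACL that also selects on destination address, IP protocol and TCP destination port. The addresses, subnets and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: a small model of first-match IPv4 ACL evaluation.
# Every ACL ends with an implicit "deny any" for traffic that matches
# no entry, so an ACL that only lists deny entries blocks everything.


def _net(spec: str) -> ipaddress.IPv4Network:
    """Translate 'any' or a CIDR string into a network object."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


@dataclass
class Packet:
    src: str                  # constructed sample IPv4 source address
    dst: str                  # constructed sample IPv4 destination address
    proto: str                # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None  # TCP/UDP destination port, if any


@dataclass
class StandardACE:
    """Standard ACL entry: the only criterion is the source address."""
    action: str               # "permit" or "deny"
    src: str                  # CIDR such as "10.28.10.0/24", or "any"

    def matches(self, pkt: Packet) -> bool:
        return ipaddress.ip_address(pkt.src) in _net(self.src)


@dataclass
class ExtendedACE:
    """Extended ACL entry: protocol, source, destination and optional port."""
    action: str
    proto: str                # "ip" matches any IP protocol
    src: str
    dst: str
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ipaddress.ip_address(pkt.src) not in _net(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in _net(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl, pkt: Packet) -> str:
    """Return the action of the first matching entry, or the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Standard ACL: block one host, permit everyone else. Because the only
# criterion is the source, the blocked host loses all IPv4 traffic.
STANDARD_ACL = [
    StandardACE("deny", "10.28.10.77/32"),
    StandardACE("permit", "any"),
]

# Extended ACL: block only Telnet (TCP/23) from one subnet to one server,
# while other traffic from the same hosts is still permitted.
EXTENDED_ACL = [
    ExtendedACE("deny", "tcp", "10.28.10.0/24", "10.28.20.5/32", dport=23),
    ExtendedACE("permit", "ip", "any", "any"),
]


def demo() -> dict:
    """Evaluate a Telnet and an HTTP connection from the same host against both ACLs."""
    telnet = Packet("10.28.10.77", "10.28.20.5", "tcp", 23)
    web = Packet("10.28.10.77", "10.28.20.5", "tcp", 80)
    return {
        "standard_telnet": evaluate(STANDARD_ACL, telnet),  # deny
        "standard_web": evaluate(STANDARD_ACL, web),        # deny: source-only filtering
        "extended_telnet": evaluate(EXTENDED_ACL, telnet),  # deny
        "extended_web": evaluate(EXTENDED_ACL, web),        # permit: port 80 is not selected
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name}: {action}")
```

The standard ACL denies both connections because it cannot distinguish Telnet from HTTP, which is exactly what makes it suitable for quickly isolating a misbehaving host. The extended ACL denies only the Telnet connection. Note the order dependence of first-match evaluation: swapping the two extended entries would permit everything, since `permit ip any any` would match first.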
ACL Applications
ACL filtering is applied to IPv4 traffic as follows:
■ Static port ACL: filters any inbound IPv4 traffic on that port.
■ Dynamic port ACL: on a port having an ACL assigned by a RADIUS server to
filter an authenticated client's traffic, filters inbound IPv4 traffic from
that client.
(For information on RADIUS-assigned ACLs, refer to chapter 6, "Configuring
RADIUS Server Support for Switch Services".)