Access List Rules - Cisco Catalyst 2960 series Configuration Manual
Consolidated platform configuration guide, ios release 15.2(4)e
Hide thumbs
Also See for Catalyst 2960 series:
- Software configuration manual (980 pages) ,
- Command reference manual (800 pages) ,
- Configuration manual (120 pages)
Table of Contents
Advertisement
Information About Access Control Lists
Access List Rules
The following rules apply to access control lists (ACLs):
• Only one access list per interface, per protocol, and per direction is allowed.
• An access list must contain at least one permit statement or all packets are denied entry into the network.
• The order in which access list conditions or match criteria are configured is important. While deciding
whether to forward or block a packet, Cisco software tests the packet against each criteria statement in
the order in which these statements are created. After a match is found, no more criteria statements are
checked. The same permit or deny statements specified in a different order can result in a packet being
passed under one circumstance and denied in another circumstance.
• If an access list is referenced by a name, but the access list does not exist, all packets pass. An interface
or command with an empty access list applied to it permits all traffic into the network.
• Standard access lists and extended access lists cannot have the same name.
• Inbound access lists process packets before packets are routed to an outbound interface. Inbound access
lists that have filtering criteria that deny packet access to a network saves the overhead of a route lookup.
Packets that are permitted access to a network based on the configured filtering criteria are processed
for routing. For inbound access lists, when you configure a permit statement, packets are processed
after they are received, and when you configure a deny statement, packets are discarded.
• Outbound access lists process packets before they leave the device. Incoming packets are routed to the
outbound interface and then processed by the outbound access list. For outbound access lists, when you
configure a permit statement, packets are sent to the output buffer, and when you configure a deny
statement, packets are discarded.
Note
• An access list can control traffic arriving at a device or leaving a device, but not traffic originating at a
device.
Helpful Hints for Creating IP Access Lists
The following tips will help you avoid unintended consequences and help you create more efficient access
lists.
• Create the access list before applying it to an interface (or elsewhere), because if you apply a nonexistent
access list to an interface and then proceed to configure the access list, the first statement is put into
effect, and the implicit deny statement that follows could cause you immediate access problems.
• Another reason to configure an access list before applying it is because an interface with an empty access
list applied to it permits all traffic.
• All access lists need at least one permit statement; otherwise, all packets are denied and no traffic passes.
• Because the software stops testing conditions after it encounters the first match (to either a permit or
deny statement), you will reduce processing time and resources if you put the statements that packets
are most likely to match at the beginning of the access list. Place more frequently occurring conditions
before less frequent conditions.
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
1164
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
