Cisco SF500-24 Administration Manual page 479
Esw2 series advanced switches
Hide thumbs
Also See for SF500-24:
- Administration manual (477 pages) ,
- Quick start manual (72 pages) ,
- Quick start manual (25 pages)
Table of Contents
Advertisement
24
NOTE
NOTE
461
When a packet matches an ACE filter, the ACE action is taken and that ACL
processing is stopped. If the packet does not match the ACE filter, the next ACE is
processed. If all ACEs of an ACL have been processed without finding a match,
and if another ACL exists, it is processed in a similar manner.
If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a
default action). Because of this default drop action you must explicitly add ACEs
into the ACL to permit the desired traffic, including management traffic, such as
Telnet, HTTP or SNMP that is directed to the device itself. For example, if you do not
want to discard all the packets that do not match the conditions in an ACL, you must
explicitly add a lowest priority ACE into the ACL that permits all the traffic.
If IGMP/MLD snooping is enabled on a port bound with an ACL, add ACE filters in
the ACL to forward IGMP/MLD packets to the device. Otherwise, IGMP/MLD
snooping fails at the port.
The order of the ACEs within the ACL is significant, since they are applied in a first-
fit manner. The ACEs are processed sequentially, starting with the first ACE.
ACLs can be used for security, for example by permitting or denying certain traffic
flows, and also for traffic classification and prioritization in the QoS Advanced
mode.
A port can be either secured with ACLs or configured with advanced QoS policy,
but not both.
There can only be one ACL per port, with the exception that it is possible to
associate both an IP-based ACL and an IPv6-based ACL with a single port.
To associate more than one ACL with a port, a policy with one or more class maps
must be used.
The following types of ACLs can be defined (depending on which part of the
frame header is examined):
•
MAC ACL—Examines Layer 2 fields only, as described in Defining MAC-
based ACLs
•
IP ACL—Examines the Layer 3 layer of IP frames, as described in IPv4-
based ACLs
•
IPv6 ACL—Examines the Layer 3 layer of IPv4 frames as described in
Defining IPv6-Based ACL
If a frame matches the filter in an ACL, it is defined as a flow with the name of that
ACL. In advanced QoS, these frames can be referred to using this Flow name, and
QoS can be applied to these frames (see
Cisco 500 Series Stackable Managed Switch Administration Guide Release 1.3
QoS Advanced
Mode).
Access Control
Access Control Lists
Hide quick links:
Advertisement
Table of Contents
