ACL configuration
This chapter includes these sections:
• ACL overview
• ACL configuration task list
• Configuring an ACL
• Configuring a time range
• Configuring a basic ACL
• Configuring an advanced ACL
• Configuring an Ethernet frame header ACL
• Configuring a start or end remark
• Copying an ACL
• Packet filtering with ACLs
• Displaying and maintaining ACLs
• ACL configuration examples
NOTE:
• Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
• The Layer 3 Ethernet interface in this document refers to the Ethernet port that can perform IP routing and inter-VLAN routing. You can set an Ethernet port as a Layer 3 Ethernet interface by using the port link-mode route command (see the Layer 2—LAN Switching Configuration Guide).
ACL overview
An access control list (ACL) is a set of rules (permit or deny statements) for identifying traffic based on criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also used by many other modules, for example, QoS and IP routing, for traffic classification and identification.
ACL applications on the switch
An ACL is implemented in hardware or software, depending on the module that uses it. If the module (for example, the packet filter or QoS module) is implemented in hardware, the ACL is applied in hardware to process traffic. If the module (for example, the routing module or the user interface access control module for Telnet, SNMP, or web) is implemented in software, the ACL is applied in software to process traffic.
The user interface access control module denies packets that do not match any ACL. Some modules, QoS for example, ignore the permit or deny action in ACL rules and do not base their drop or forwarding decisions on the action set in ACL rules. See the specific module for information about how it applies ACLs.
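The following Python model illustrates the two ways an ACL is consumed that the overview describes: a packet filter that acts on the rule's permit or deny action, and a classifier (the QoS case) that only asks whether traffic matches and ignores the action. It is an added example, not code or CLI syntax from the configuration guide. The ACL number 3000, the addresses and the packets are constructed for the example; first-match evaluation in listed order and the `default` parameter of `packet_filter` are assumptions, since the chapter states the no-match behaviour only for the user interface access control module (deny).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed packet representation: src/dst are IPv4 strings, dport an int.
Packet = dict


@dataclass
class Rule:
    """One ACL rule: an action plus optional match criteria.
    A criterion left as None matches any value."""
    action: str                                   # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network] = None   # source address range
    dst: Optional[ipaddress.IPv4Network] = None   # destination address range
    dport: Optional[int] = None                   # destination port

    def matches(self, pkt: Packet) -> bool:
        if self.src is not None and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class ACL:
    number: int
    rules: List[Rule]

    def first_match(self, pkt: Packet) -> Optional[Rule]:
        # Assumption: rules are evaluated in listed order and the first match wins.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule
        return None


def packet_filter(acl: ACL, pkt: Packet, default: str) -> str:
    """Packet filtering: the matching rule's action decides the packet's fate.
    `default` applies to a packet that matches no rule; the chapter only states
    this behaviour for the user interface access control module, so it is a
    parameter here (assumption)."""
    rule = acl.first_match(pkt)
    return rule.action if rule is not None else default


def user_interface_access(acl: ACL, pkt: Packet) -> str:
    """User interface access control (Telnet/SNMP/web): unmatched traffic is denied."""
    return packet_filter(acl, pkt, default="deny")


def classify(acl: ACL, pkt: Packet) -> bool:
    """QoS-style use: the ACL only identifies traffic; permit/deny is ignored."""
    return acl.first_match(pkt) is not None


# Constructed sample ACL (number and address ranges are made up for this example).
ACL_3000 = ACL(3000, [
    Rule("deny", src=ipaddress.ip_network("10.0.0.0/8"), dport=23),   # block Telnet from 10/8
    Rule("permit", src=ipaddress.ip_network("10.0.0.0/8")),           # allow the rest of 10/8
])

# Constructed sample packets.
TELNET_FROM_LAN = {"src": "10.1.1.5", "dst": "172.16.0.1", "dport": 23}
HTTP_FROM_LAN = {"src": "10.1.1.5", "dst": "172.16.0.1", "dport": 80}
HTTP_FROM_OUTSIDE = {"src": "192.168.1.1", "dst": "172.16.0.1", "dport": 80}

if __name__ == "__main__":
    for name, pkt in [("telnet", TELNET_FROM_LAN), ("http", HTTP_FROM_LAN),
                      ("outside", HTTP_FROM_OUTSIDE)]:
        print(name,
              "filter:", packet_filter(ACL_3000, pkt, default="permit"),
              "ui-access:", user_interface_access(ACL_3000, pkt),
              "classified:", classify(ACL_3000, pkt))
```

Note how the same ACL gives different outcomes per consumer: the Telnet packet is denied by the packet filter but still counts as "matched" for the classifier, and the packet from outside 10/8 matches nothing, so only the consumer's no-match policy (deny for user interface access control) decides what happens to it.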