Chapter 8
IP Access Control Lists (ACLs), Prefix Lists, and Route-maps

IP Access Control Lists, Prefix Lists, and Route-maps are supported on platforms: c e s
Ingress IP ACLs are supported on platforms: c e s
Egress IP ACLs are supported on platform: e
(Platform keys as used throughout this guide: c = C-Series, e = E-Series, s = S-Series.)
Overview
At their simplest, Access Control Lists (ACLs), Prefix Lists, and Route-maps permit or deny traffic based
on MAC and/or IP addresses. This chapter discusses implementing IP ACLs, IP Prefix Lists, and
Route-maps. For MAC ACLs, refer to the Access Control Lists (ACLs) chapter in the FTOS Command
Line Reference Guide.
An ACL is essentially an ordered list of filters. Each filter contains criteria to match (fields examined in IP, TCP, or UDP packets) and an
action to take (permit or deny). Filters are processed in sequence: if a packet does not match the
criteria of the first filter, the second filter (if configured) is applied, and so on. When a packet matches a filter, the
switch drops or forwards the packet according to that filter's action and evaluates no further filters, so the order of the
filters matters. If the packet matches none
of the filters in the ACL, the packet is dropped (implicit deny).
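The matching rules above (sequential evaluation, first match wins, implicit deny at the end of the list) are easy to get wrong when a broad deny is placed before a narrower permit. The following Python model is an added example written for this page, not FTOS code and not FTOS configuration syntax; the Rule and Packet layouts, the sample list MGMT_ACL, and the sample packets are all constructed here. It evaluates packets against an ACL exactly as the paragraph describes and also reports filters that can never fire because an earlier filter already covers everything they would match.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed model of one ACL filter. Fields follow the matching criteria
# described in the text (protocol, source/destination address, port); this is
# the example's own layout, not an FTOS command.
@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; else "tcp"/"udp"/"icmp"
    src: str                    # CIDR prefix, or "any" (0.0.0.0/0)
    dst: str
    dport: Optional[int] = None # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "any" else prefix, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion of the filter matches the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in _net(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _net(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the filters in sequence order and stop at the first match.
    Returns (action, seq); (\"deny\", None) is the implicit deny."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.action, rule.seq
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Sequence numbers of filters that can never fire because an earlier
    filter is at least as broad in every field (a common ordering mistake)."""
    ordered = sorted(acl, key=lambda r: r.seq)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            proto_ok = earlier.proto == "ip" or earlier.proto == later.proto
            src_ok = _net(later.src).subnet_of(_net(earlier.src))
            dst_ok = _net(later.dst).subnet_of(_net(earlier.dst))
            port_ok = earlier.dport is None or earlier.dport == later.dport
            if proto_ok and src_ok and dst_ok and port_ok:
                shadowed.append(later.seq)
                break
    return shadowed


# Constructed sample list: SSH to a management host from the admin subnet,
# DNS to the resolver, then an explicit deny-all. seq 30 is deliberately
# placed after the deny-all so it can never match.
MGMT_ACL = [
    Rule(5,  "permit", "tcp", "10.1.0.0/24", "10.9.9.1/32",  22),
    Rule(10, "permit", "udp", "any",         "10.9.9.53/32", 53),
    Rule(20, "deny",   "ip",  "any",         "any"),
    Rule(30, "permit", "tcp", "10.1.0.0/24", "10.9.9.1/32",  443),
]

# Constructed sample packets.
SAMPLES = [
    Packet("tcp", "10.1.0.7",  "10.9.9.1",  22),   # seq 5 permits
    Packet("tcp", "10.1.0.7",  "10.9.9.1",  443),  # seq 20 denies; seq 30 never reached
    Packet("udp", "192.0.2.9", "10.9.9.53", 53),   # seq 10 permits
    Packet("icmp", "10.1.0.7", "10.9.9.1"),        # seq 20 denies
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(MGMT_ACL, pkt))
    # Without the explicit deny-all, the same ICMP packet hits the implicit deny.
    print("implicit deny:", evaluate(MGMT_ACL[:2], SAMPLES[3]))
    print("shadowed filters:", shadowed_rules(MGMT_ACL))
```

Running shadowed_rules() over a list before applying it catches the case where a "permit" added at the end of an existing list silently does nothing because a deny-all already sits above it; on a real switch the symptom is simply that the new traffic keeps being dropped.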
The number of ACLs supported on a system depends on your CAM size. See CAM Profiling, CAM
Allocation, and CAM Optimization in this chapter for more information. Refer to Chapter 11, Content
Addressable Memory, on page 281 for complete CAM profiling information.
This chapter covers the following topics:
• IP Access Control Lists (ACLs) on page 134
• CAM Profiling, CAM Allocation, and CAM Optimization on page 134
• Implementing ACLs on FTOS on page 137
• IP Fragment Handling on page 138
• Configure a standard IP ACL on page 140
• Configure an extended IP ACL on page 143
• Configuring Layer 2 and Layer 3 ACLs on an Interface on page 146