Chapter 21
Access Control List

In this chapter
• How the device processes ACLs
• Disabling or re-enabling Access Control Lists (ACLs)
• Default ACL action
• Types of IP ACLs
• ACL IDs and entries
• Enabling support for additional ACL statements
• ACL-based inbound mirroring
• Configuring numbered and named ACLs
• Displaying ACL definitions
• ACL logging
• Modifying ACLs
• Deleting ACL entries
• Applying ACLs to interfaces
• QoS options for IP ACLs
• Enabling ACL duplication check
• ACL accounting
• Enabling ACL filtering of fragmented or non-fragmented packets
• ACL filtering for traffic switched within a virtual routing interface
• ICMP filtering for extended ACLs
• Troubleshooting ACLs

This chapter describes the IP Access Control List (ACL) feature, which enables you to filter traffic
based on the information in the IP packet header. For details on Layer 2 ACLs, refer to "Types of IP
ACLs" on page 513.

You can use IP ACLs to provide input to other features such as route maps, distribution lists, rate
limiting, and BGP. When you use an ACL this way, use permit statements in the ACL to specify the
traffic that you want to send to the other feature. If you use deny statements, the traffic specified
by the deny statements is not supplied to the other feature. Also, if you use an ACL in a route map
and you use a wildcard character as the source IP address, make sure you apply the route map to
interfaces instead of globally, to prevent loops. See the chapters for a specific feature for
information on using ACLs as input to those features.

BigIron RX Series Configuration Guide
53-1001810-01