Table of Contents
Advertisement
Configuring ACL Masks
You must specify masks that control the order in which ACL rules are checked. The
switch includes two system default masks that pass/filter packets matching the
permit/deny rules specified in an ingress ACL. You can also configure up to seven
user-defined masks for an ingress or egress ACL. A mask must be bound
exclusively to one of the basic ACL types (i.e., Ingress IP ACL, Egress IP ACL,
Ingress MAC ACL or Egress MAC ACL), but a mask can be bound to up to four
ACLs of the same type.
Command Usage
• Up to seven entries can be assigned to an ACL mask.
• Packets crossing a port are checked against all the rules in the ACL until a match
is found. The order in which these packets are checked is determined by the mask,
and not the order in which the ACL rules are entered.
• First create the required ACLs and the ingress or egress masks before mapping an
ACL to an interface.
• You must configure a mask for an ACL rule before you can bind it to a port or set
the queue or frame priorities associated with the rule.
Specifying the Mask Type
Use the ACL Mask Configuration page to edit the mask for the Ingress IP ACL,
Egress IP ACL, Ingress MAC ACL or Egress MAC ACL.
Web – Click Security, ACL, Mask Configuration. Click Edit for one of the basic mask
types to open the configuration page.
CLI – This example creates an IP ingress mask, and then adds two rules. Each rule
is checked in order of precedence to look for a match in the ACL entries. The first
entry matching a mask is applied to the inbound packet.
Console(config)#access-list ip mask-precedence in
Console(config-ip-mask-acl)#mask host any
Console(config-ip-mask-acl)#mask 255.255.255.0 any
Console(config-ip-mask-acl)#
Figure 3-48 Selecting ACL Mask Types
Access Control Lists
4-93
4-93
3
3-83
Advertisement
Table of Contents
