Access Control
Access Control Lists
581 Cisco 500 Series Stackable Managed Switch Administration Guide
27
When a packet matches an ACE filter, the action of that ACE is taken and processing 
of the ACL stops. If the packet does not match the ACE filter, the next ACE is 
processed. If all ACEs of an ACL have been processed without finding a match, 
and another ACL is bound to the port, it is processed in the same manner. 
NOTE If a packet matches no ACE in any of the relevant ACLs, it is dropped (the 
default action). Because of this default drop you must explicitly add ACEs to the 
ACL that permit the desired traffic, including management traffic such as Telnet, 
HTTP or SNMP that is directed to the device itself. For example, if you do not want 
to discard all packets that match no ACE in the ACL, add a lowest-priority ACE that 
permits all traffic. Be aware that such a catch-all permit reverses the default 
posture of the ACL: anything not explicitly denied is then forwarded, so it is safer 
to permit only the required management protocols by their destination ports.
If IGMP/MLD snooping is enabled on a port bound with an ACL, add ACE filters in 
the ACL to forward IGMP/MLD packets to the device. Otherwise, IGMP/MLD 
snooping fails at the port. 
The order of the ACEs within the ACL is significant, since they are applied in a first-
fit manner: the ACEs are processed sequentially, starting with the first ACE, and the 
first ACE that matches decides the action. 
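The following is an added example, not code from the Cisco guide, that models the 
evaluation order described above in Python: ACEs are tested first-fit, the first match 
decides, one IP-based and one IPv6-based ACL can be bound to the same port, and a 
packet that matches nothing is dropped. The ACE fields, the hypothetical addresses 
and the assumption that an IPv4 ACL is skipped for IPv6 packets (and vice versa) are 
this example's own; it is not the switch's configuration syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of ACL/ACE evaluation as the guide describes it.
# Field names and the sample addresses below are this example's own.


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None


@dataclass
class ACE:
    action: str                    # "permit" or "deny"
    proto: str = "any"
    src: str = "any"               # CIDR prefix or "any"
    dst: str = "any"
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any":
                net = ipaddress.ip_network(want, strict=False)
                addr = ipaddress.ip_address(have)
                if addr.version != net.version or addr not in net:
                    return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class ACL:
    name: str
    aces: List[ACE]
    version: int                   # 4 = IP-based ACL, 6 = IPv6-based ACL


def evaluate(acls: List[ACL], pkt: Packet) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (action, acl_name, ace_index) for the first matching ACE.
    Processing stops at the first match; if no ACE in any bound ACL matches,
    the default action is 'deny' (the implicit drop the guide warns about)."""
    pkt_version = ipaddress.ip_address(pkt.src).version
    for acl in acls:
        if acl.version != pkt_version:
            continue               # assumption: an ACL only examines frames of its own IP version
        for idx, ace in enumerate(acl.aces):
            if ace.matches(pkt):
                return ace.action, acl.name, idx
    return "deny", None, None


SWITCH_MGMT = "10.0.0.2"           # constructed management address of the switch itself
SERVER = "10.0.0.10"               # constructed web server behind the port

# An ACL that only permits HTTPS to the server. Nothing else is permitted,
# so SSH to the switch's own management address hits the implicit drop.
server_only = ACL("SERVER-ONLY", [
    ACE("permit", "tcp", "any", SERVER + "/32", 443),
], version=4)

# Same intent, but management traffic to the switch is permitted explicitly,
# other TCP to the server is denied explicitly, and a lowest-priority
# permit-all keeps the implicit drop from discarding everything else.
server_and_mgmt = ACL("SERVER-AND-MGMT", [
    ACE("permit", "tcp", "10.0.0.0/24", SWITCH_MGMT + "/32", 22),
    ACE("permit", "tcp", "any", SERVER + "/32", 443),
    ACE("deny", "tcp", "any", SERVER + "/32"),
    ACE("permit"),                 # lowest-priority catch-all
], version=4)

# Same ACEs as server_and_mgmt but with the deny placed before the permit:
# first-fit means HTTPS to the server is now denied by the earlier ACE.
deny_first = ACL("DENY-FIRST", [
    ACE("deny", "tcp", "any", SERVER + "/32"),
    ACE("permit", "tcp", "any", SERVER + "/32", 443),
], version=4)

# IPv6-based ACL that can be bound to the same port as an IP-based ACL.
mgmt_v6 = ACL("MGMT-V6", [
    ACE("permit", "tcp", "any", "2001:db8::10/128", 443),
], version=6)

HTTPS = Packet("10.0.0.50", SERVER, "tcp", 443)
SSH_TO_SWITCH = Packet("10.0.0.50", SWITCH_MGMT, "tcp", 22)
TELNET_TO_SERVER = Packet("10.0.0.50", SERVER, "tcp", 23)
HTTPS_V6 = Packet("2001:db8::50", "2001:db8::10", "tcp", 443)


def demo() -> dict:
    """Run the constructed packets through each ACL binding."""
    return {
        "https/server-only": evaluate([server_only], HTTPS),
        "ssh/server-only": evaluate([server_only], SSH_TO_SWITCH),
        "ssh/server-and-mgmt": evaluate([server_and_mgmt], SSH_TO_SWITCH),
        "telnet/server-and-mgmt": evaluate([server_and_mgmt], TELNET_TO_SERVER),
        "https/deny-first": evaluate([deny_first], HTTPS),
        "https-v6/ipv4-acl-only": evaluate([server_only], HTTPS_V6),
        "https-v6/ipv4+ipv6-acls": evaluate([server_only, mgmt_v6], HTTPS_V6),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} -> {result}")
```

The "ssh/server-only" case shows the failure mode the NOTE describes: the ACL never 
mentions the switch's own address, so management traffic falls through every ACE and 
is dropped. The "https/deny-first" case shows why ACE order matters, and the two IPv6 
cases show an IPv6 packet being dropped until an IPv6-based ACL is bound alongside 
the IP-based one.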
ACLs can be used for security, for example by permitting or denying certain traffic 
flows, and also for traffic classification and prioritization in the QoS Advanced 
mode.
NOTE A port can be either secured with ACLs or configured with advanced QoS policy, 
but not both.
There can only be one ACL per port, with the exception that it is possible to 
associate both an IP-based ACL and an IPv6-based ACL with a single port. 
To associate more than one ACL with a port, a policy with one or more class maps 
must be used.
The following types of ACLs can be defined (depending on which part of the 
frame header is examined):
• MAC ACL—Examines Layer 2 fields only, as described in Defining MAC-
based ACLs
• IP ACL—Examines the Layer 3 header of IPv4 frames, as described in IPv4-
based ACLs
• IPv6 ACL—Examines the Layer 3 header of IPv6 frames, as described in 
Defining IPv6-Based ACL
If a frame matches the filter in an ACL, it is defined as a flow with the name of that 
ACL. In advanced QoS, these frames can be referred to using this Flow name, and 
QoS can be applied to these frames.