Access Control
Overview
Cisco Sx350, SG350X, SG350XG, Sx550X & SG550XG Series Managed Switches, Firmware Release 2.2.5.x 572
Up to 256 ACEs can be configured on a single port or in a single ACL.

When a packet matches an ACE filter, the ACE action is taken and processing of that ACL stops. If the packet does not match the ACE filter, the next ACE is processed. If all ACEs of an ACL have been processed without finding a match, and another ACL exists, it is processed in the same manner.
NOTE If no match is found to any ACE in all relevant ACLs, the packet is dropped (as the default action). Because of this default drop action, you must explicitly add ACEs to the ACL to permit the desired traffic, including management traffic, such as Telnet, HTTP or SNMP, that is directed to the device itself. For example, if you do not want to discard all packets that do not match the conditions in an ACL, you must explicitly add a lowest-priority ACE to the ACL that permits all traffic.
If IGMP/MLD snooping is enabled on a port bound with an ACL, add ACE filters to the ACL that forward IGMP/MLD packets to the device. Otherwise, IGMP/MLD snooping fails on that port.

The order of the ACEs within the ACL is significant, since they are applied in a first-fit manner. The ACEs are processed sequentially, starting with the first ACE.
ACLs can be used for security, for example by permitting or denying certain traffic flows, and also for traffic classification and prioritization in QoS Advanced mode.
NOTE A port can be either secured with ACLs or configured with advanced QoS policy, but not both.
There can be only one ACL per port, with the exception that it is possible to associate both an IP-based ACL and an IPv6-based ACL with a single port.

To associate more than one ACL with a port, a policy with one or more class maps must be used.
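The evaluation rules above (first-fit ACE matching, the implicit final drop, the need for explicit permits for management and IGMP traffic, ACE ordering, the 256-ACE limit, and an IPv4 ACL plus an IPv6 ACL bound to one port) are easy to misjudge from prose alone. The following Python model is an added example written for this page; it is not Cisco code and does not reproduce the switch's exact matching fields. The addresses, ACL names and the rule that only an ACL of the packet's IP family is "relevant" are constructed assumptions for illustration.

```python
"""First-fit ACL evaluation with an implicit final drop, modelled on the
behaviour described in the guide. Added example, not Cisco code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MAX_ACES = 256  # per-ACL / per-port limit stated in the guide


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp", "igmp", ...
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str = "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        for want, have in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        return True


class ACL:
    def __init__(self, name: str, family: int = 4):
        self.name = name
        self.family = family     # 4 or 6: IP family this ACL applies to (assumption)
        self.aces: List[ACE] = []

    def add(self, ace: ACE) -> "ACL":
        if len(self.aces) >= MAX_ACES:
            raise ValueError(f"{self.name}: ACL already holds {MAX_ACES} ACEs")
        self.aces.append(ace)
        return self


def evaluate(port_acls: List[ACL], pkt: Packet) -> Tuple[str, str]:
    """Walk the ACLs bound to a port in order, and the ACEs of each in
    configured order; the first matching ACE decides (first fit).
    No match in any relevant ACL means the implicit default drop."""
    family = ip_address(pkt.src).version
    for acl in port_acls:
        if acl.family != family:   # assumption: other-family ACLs are not relevant
            continue
        for idx, ace in enumerate(acl.aces, start=1):
            if ace.matches(pkt):
                return ace.action, f"{acl.name} ACE {idx}"
    return "deny", "implicit default drop"


# Constructed sample traffic (addresses are illustrative, not from the guide).
SWITCH_MGMT_IP = "10.1.1.1"                                  # the switch itself
HTTPS = Packet("192.0.2.7", "10.1.1.10", "tcp", 443)
SNMP = Packet("192.0.2.9", SWITCH_MGMT_IP, "udp", 161)       # management traffic
IGMP = Packet("10.1.1.20", "224.0.0.22", "igmp")             # membership report
TELNET = Packet("192.0.2.7", "10.1.1.10", "tcp", 23)
HTTPS6 = Packet("2001:db8::5", "2001:db8::10", "tcp", 443)


def lockout_acl() -> ACL:
    # Only the intended flow is permitted; SNMP to the switch and the IGMP
    # packets snooping relies on fall through to the implicit drop.
    return ACL("WEB-ONLY").add(ACE("permit", "tcp", dst="10.1.1.0/24", dport=443))


def corrected_acl() -> ACL:
    # Specific deny first, explicit permits for management and IGMP,
    # and a lowest-priority permit-all so nothing else is silently dropped.
    acl = ACL("WEB-ONLY-FIXED")
    acl.add(ACE("deny", "tcp", dport=23))
    acl.add(ACE("permit", "tcp", dst="10.1.1.0/24", dport=443))
    acl.add(ACE("permit", "udp", dst=f"{SWITCH_MGMT_IP}/32", dport=161))
    acl.add(ACE("permit", "igmp"))
    acl.add(ACE("permit"))
    return acl


def shadowed_acl() -> ACL:
    # Same deny, but the catch-all placed first: under first fit it never fires.
    return ACL("SHADOWED").add(ACE("permit")).add(ACE("deny", "tcp", dport=23))


def ipv6_acl() -> ACL:
    return ACL("V6-WEB", family=6).add(ACE("permit", "tcp", dst="2001:db8::/32", dport=443))


if __name__ == "__main__":
    for name, acls in (("lockout", [lockout_acl()]), ("corrected", [corrected_acl()]),
                       ("shadowed", [shadowed_acl()]), ("dual", [corrected_acl(), ipv6_acl()])):
        for pkt in (HTTPS, SNMP, IGMP, TELNET, HTTPS6):
            print(name, pkt.proto, pkt.dst, "->", evaluate(acls, pkt))
```

Running the script shows the management lockout the NOTE warns about (SNMP to the switch dropped by the implicit default), IGMP being dropped unless explicitly permitted, the Telnet deny being shadowed when a permit-all sits above it, and the IPv6 flow being decided only by the IPv6 ACL bound alongside the IPv4 one.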
The following types of ACLs can be defined (depending on which part of the frame header is examined):
• MAC ACL—Examines Layer 2 fields only, as described in Defining MAC-based ACLs
• IP ACL—Examines Layer 3 fields of IP frames, as described in IPv4-based ACLs
Device             Max ACLs   Max ACEs
SG350 and Sx350    1K         1K
SG350XG            2K         2K
Sx550X             3K         3K