Configuring Access Control Lists
– Inserting a new ACL rule entry into an ACL
– Moving an ACL rule to a new location in an ACL
• Apply the ACL to VLAN interfaces, to ports, or to Link Aggregation ports.
ACL Configuration Overview
This section describes the ACL creation, rule entry, and application to a port or routing VLAN
that are required to implement an ACL, as well as the features available for managing ACL rules
and displaying ACLs.
Creating IPv4 ACLs
There are two types of IPv4 ACLs: standard and extended. The type you need depends only on
which packet fields the rules must match. A standard ACL can match only the source IP address.
An extended ACL can match the protocol, source IP address, destination IP address, IP precedence,
TOS or DSCP value, and, for the TCP or UDP protocols, the source and destination ports.
IPv4 ACLs are identified by number only. Standard IPv4 ACL numbers range from 1 to 99.
Extended IPv4 ACL numbers range from 100 to 199.
Once you have determined the appropriate ACL type, use the access-list command in router
global configuration mode to create the list, specifying the number for the access control list, and
the rule you want to add to the list.
IPv4 standard and extended access control lists are applied to VLAN interfaces by using the
ip access-group command and to ports with the access-list interface command.
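To make the standard/extended distinction concrete, the following is an added Python model of the IPv4 ACL semantics described above. It is example code written for this page, not the switch's implementation. It assumes first-match evaluation with an implicit deny for packets that match no rule (conventional ACL behaviour, but not stated in this passage), uses the usual wildcard-mask convention in which a 1 bit means "do not care", and evaluates constructed packets represented as dictionaries.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

STANDARD_NUMBERS = range(1, 100)    # 1..99, as given in the text
EXTENDED_NUMBERS = range(100, 200)  # 100..199


def acl_type(number: int) -> str:
    """The list number alone fixes the type: 'standard' or 'extended'."""
    if number in STANDARD_NUMBERS:
        return "standard"
    if number in EXTENDED_NUMBERS:
        return "extended"
    raise ValueError(f"{number} is not a valid IPv4 ACL number (1-99 or 100-199)")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'do not care'."""
    wc = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | wc) == (int(IPv4Address(base)) | wc)


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    src: str = "0.0.0.0"
    src_wildcard: str = "255.255.255.255"    # default: any source
    # Extended-only fields; None means "not specified, match anything".
    protocol: Optional[str] = None           # "ip", "tcp", "udp", "icmp", ...
    dst: Optional[str] = None
    dst_wildcard: str = "0.0.0.0"            # default: exact host
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None

    def uses_extended_fields(self) -> bool:
        return any(v is not None for v in
                   (self.protocol, self.dst, self.src_port, self.dst_port, self.dscp))

    def matches(self, pkt: dict) -> bool:
        if not wildcard_match(pkt["src"], self.src, self.src_wildcard):
            return False
        if self.protocol not in (None, "ip") and pkt["proto"] != self.protocol:
            return False
        if self.dst is not None and not wildcard_match(pkt["dst"], self.dst, self.dst_wildcard):
            return False
        if self.dscp is not None and pkt.get("dscp") != self.dscp:
            return False
        if self.src_port is not None or self.dst_port is not None:
            # Layer 4 ports only apply to TCP and UDP, as the text notes.
            if pkt["proto"] not in ("tcp", "udp"):
                return False
            if self.src_port is not None and pkt.get("sport") != self.src_port:
                return False
            if self.dst_port is not None and pkt.get("dport") != self.dst_port:
                return False
        return True


class Acl:
    def __init__(self, number: int):
        self.number = number
        self.type = acl_type(number)
        self.rules = []

    def add(self, rule: Rule) -> None:
        """Append a rule; a standard list may only specify the source address."""
        if self.type == "standard" and rule.uses_extended_fields():
            raise ValueError(f"ACL {self.number} is standard: only the source IP is configurable")
        self.rules.append(rule)

    def evaluate(self, pkt: dict) -> str:
        """First matching rule decides. ASSUMPTION: a packet that matches no rule
        is denied (the conventional implicit deny); the passage does not state this."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


def demo() -> dict:
    """Constructed traffic: hosts on 10.1.1.0/24 reaching the server 10.2.2.80."""
    https = {"proto": "tcp", "src": "10.1.1.5", "dst": "10.2.2.80", "sport": 51000, "dport": 443}
    packets = {"https": https,
               "telnet": dict(https, sport=51001, dport=23),
               "outsider": dict(https, src="192.168.9.9")}
    std = Acl(10)   # standard: controls *who* may send, not *what* they send
    std.add(Rule("permit", "10.1.1.0", "0.0.0.255"))
    ext = Acl(110)  # extended: same source, but only TCP/443 to the one server
    ext.add(Rule("permit", "10.1.1.0", "0.0.0.255", protocol="tcp",
                 dst="10.2.2.80", dst_wildcard="0.0.0.0", dst_port=443))
    try:  # a destination port is an extended-only field
        std.add(Rule("permit", "10.1.1.0", "0.0.0.255", dst_port=443))
        rejected = False
    except ValueError:
        rejected = True
    return {"standard": {n: std.evaluate(p) for n, p in packets.items()},
            "extended": {n: ext.evaluate(p) for n, p in packets.items()},
            "standard_rejects_extended_fields": rejected}
```

Calling demo() shows the practical consequence of the type choice: the standard list 10 permits both the HTTPS and the Telnet session from 10.1.1.5 because it can only see the source address, while the extended list 110 permits the HTTPS session and drops the Telnet one. If the requirement is to restrict what a host may reach rather than merely who may send, the list number must fall in the extended range.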
Creating IPv6 and MAC ACLs
To configure IPv6 or MAC ACLs, the switch must be put into access list “ipv6mode” with the
access-list ipv6mode command. By default, this mode is disabled and the rule limits for standard
and extended IPv4 ACLs remain unchanged.
While ipv6mode is disabled, IPv6 and MAC ACLs cannot be configured, and disabling it removes
any existing IPv6 and MAC ACLs from the configuration, together with the filtering they provided.
ipv6mode cannot be enabled if Policy is configured on the switch, and Policy configurations are
not accepted while the switch is in ipv6mode.
Enabling or disabling ipv6mode requires a system reset before the new mode takes effect. The
ipv6mode setting is persistent and is shown in the running configuration.
After ipv6mode is enabled, IPv6 ACLs are created and configured in router global configuration
mode with the access-list ipv6 command, specifying the name of the access control list and the
rule you want to add to the list. IPv6 rules can be based on protocol, IPv6 source and destination
addresses, layer 4 port, DSCP value, and Flow Label value.
IPv6 access control lists are applied to VLAN interfaces by using the ipv6 access-group command
and to ports with the access-list interface command.
MAC ACLs are created and configured in router global configuration mode with the access-list
mac command, specifying the name of the access control list and the rule you want to add to the
list. MAC rules can be based on source and destination MAC addresses as well as Ether type,
VLAN tag, and priority tag values.
MAC access control lists are applied to VLAN interfaces by using the ip access-group command
and to ports with the access-list interface command.