Rule-Based IP Access Control Lists (ACLs)
December 2005 © Foundry Networks, Inc. 12 - 3
the software takes the action specified in the ACL entry (permit or deny the packet) and stops further comparison
for that packet.
Numbered and Named ACLs
When you configure an ACL, you can refer to the ACL by a numeric ID or by an alphanumeric name. The
commands to configure numbered ACLs are different from the commands for named ACLs.
• Numbered ACL – If you refer to the ACL by a numeric ID, you can use 1 – 99 for a standard ACL or 100 –
199 for an extended ACL.
• Named ACL – If you refer to the ACL by a name, you specify whether the ACL is a standard ACL or an
extended ACL, then specify the name.
You can configure up to 99 standard numbered IP ACLs and 99 extended numbered IP ACLs. You also can
configure up to 99 standard named ACLs and 99 extended named ACLs by number. Regardless of how many
ACLs you have, the device can have a maximum of 1024 ACL entries, associated with the ACLs in any
combination.
Default ACL Action
The default action when no ACLs are configured on a device is to permit all traffic. However, once you configure
an ACL and apply it to a port, the default action for that port is to deny all traffic that is not explicitly permitted on
the port.
• If you want to tightly control access, configure ACLs consisting of permit entries for the access you want to
permit. The ACLs implicitly deny all other access.
• If you want to secure access in environments with many users, you might want to configure ACLs that consist
of explicit deny entries, then add an entry to permit all access to the end of each ACL. The software permits
packets that are not denied by the deny entries.
NOTE: Do not apply an empty ACL (an ACL ID without any corresponding entries) to an interface. If you
accidentally do this, the software applies the default ACL action, deny all, to the interface and thus denies all
traffic.
How Hardware-Based ACLs Work
When you bind an ACL to inbound traffic on an interface, the device programs the Layer 4 CAM with the ACL.
Permit and deny rules are programmed. Most ACL rules require one Layer 4 CAM entry. However, ACL rules that
match on more than one TCP or UDP application port may require several CAM entries. The Layer 4 CAM entries
for ACLs do not age out. They remain in the CAM until you remove the ACL.
• If a packet received on the interface matches an ACL rule in the Layer 4 CAM, the device permits or denies
the packet according to the ACL.
• If a packet does not match an ACL rule, the packet is dropped, since the default action on an interface that
has ACLs is to deny the packet.
How Fragmented Packets are Processed
The descriptions above apply to non-fragmented packets. The default processing of fragments by hardware-
based ACLs is as follows:
• The first fragment of a packet is permitted or denied using the ACLs. The first fragment is handled the same
way as non-fragmented packets, since the first fragment contains the Layer 4 source and destination
application port numbers. The device uses the Layer 4 CAM entry if one is programmed, or applies the
interface's ACL entries to the packet and permits or denies the packet according to the first matching ACL.
• For other fragments of the same packet, they are subject to a rule only if there is no Layer 4 information in the
rule or in any preceding rules.
To Next Page
Loading...
Need help?
General
