10-47
IPv4 Access Control Lists (ACLs)
Configuring and Assigning an IPv4 ACL
Allowing for the Implied Deny Function

In any ACL having one or more ACEs there will always be a packet match. This is because the switch automatically applies an Implicit Deny as the last ACE in any ACL. This function is not visible in ACL listings, but is always present. (Refer to figure 10-13.) This means that if you configure the switch to use an ACL for filtering either inbound or outbound IPv4 traffic on a VLAN, any packets not specifically permitted or denied by the explicit entries you create will be denied by the Implicit Deny action. If you want to preempt the Implicit Deny (so that IPv4 traffic not specifically addressed by earlier ACEs in a given ACL will be permitted), insert an explicit permit any (for standard ACLs) or permit ip any any (for extended ACLs) as the last explicit ACE in the ACL.
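The following is an added example, not code from the guide or from the switch itself: a small Python model of first-match ACE evaluation that makes the Implicit Deny behaviour described above visible. The ACE syntax it parses is a simplified, assumed rendition of the standard form (permit/deny followed by a source) and the extended form (permit/deny ip followed by source and destination) that the text mentions, and the sample ACLs and addresses are constructed for illustration.

```python
"""Added example (not from the ProCurve guide): a minimal model of
first-match ACL evaluation with the Implicit Deny the text describes.

The ACE syntax accepted here is an assumption for illustration, not
the switch's own parser:
  standard ACL ACE:  "permit 10.10.0.0/16"        or "permit any"
  extended ACL ACE:  "deny ip 10.20.0.0/16 any"  or "permit ip any any"
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ACE:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source match; 0.0.0.0/0 stands for "any"
    dst: ipaddress.IPv4Network   # destination match; 0.0.0.0/0 stands for "any"


def _to_net(token):
    """'any' becomes the catch-all 0.0.0.0/0; anything else is a CIDR."""
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_ace(line):
    """Parse one simplified ACE line into an ACE record."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError("bad action in ACE: %r" % line)
    action = tokens[0]
    if len(tokens) == 2:                             # standard ACL: source only
        src, dst = tokens[1], "any"
    elif len(tokens) == 4 and tokens[1] == "ip":     # extended ACL: ip <src> <dst>
        src, dst = tokens[2], tokens[3]
    else:
        raise ValueError("unsupported ACE form: %r" % line)
    return ACE(action, _to_net(src), _to_net(dst))


def evaluate(acl_lines, src_ip, dst_ip):
    """Return (action, matched_ace_text) for a packet from src_ip to dst_ip.

    ACEs are tried in the order they were entered and the first match wins.
    If no explicit ACE matches, the Implicit Deny that the switch appends to
    every ACL with at least one ACE decides the packet.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for line in acl_lines:
        ace = parse_ace(line)
        if src in ace.src and dst in ace.dst:
            return ace.action, line
    return "deny", "<implicit deny>"


# Constructed sample: an extended ACL that blocks one subnet from reaching a
# server and permits another, but has no trailing permit. Every other packet
# falls through to the Implicit Deny.
ACL_NO_TRAILING_PERMIT = [
    "deny ip 10.20.0.0/16 192.168.1.10/32",
    "permit ip 10.10.0.0/16 192.168.1.10/32",
]

# Same ACL with "permit ip any any" as the last explicit ACE. This preempts
# the Implicit Deny for traffic the earlier ACEs do not address, while the
# earlier deny still wins for 10.20.0.0/16 because it is matched first.
ACL_WITH_TRAILING_PERMIT = ACL_NO_TRAILING_PERMIT + ["permit ip any any"]


if __name__ == "__main__":
    for name, acl in (("no trailing permit", ACL_NO_TRAILING_PERMIT),
                      ("with permit ip any any", ACL_WITH_TRAILING_PERMIT)):
        print("ACL", name)
        for src in ("10.10.5.5", "10.20.5.5", "10.30.5.5"):
            action, ace = evaluate(acl, src, "192.168.1.10")
            print("  %s -> 192.168.1.10: %-6s (matched: %s)" % (src, action, ace))
```

Running the block shows that 10.30.5.5, which no explicit ACE mentions, is denied by the invisible last entry in the first ACL and permitted only once the explicit permit ip any any is appended; it also shows that ACE order matters, since the trailing permit never reaches a packet already matched by the earlier deny.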
A Configured ACL Has No Effect Until You Apply It to an Interface

The switch stores ACLs in the configuration file. Thus, until you actually assign an ACL to an interface, it is present in the configuration, but not used (and does not use any of the monitored resources described in the appendix titled “Monitored Resources” in the Management and Configuration Guide for your switch).
You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch’s Configuration

In this case, if you subsequently create an ACL with that name or number, the switch automatically applies each ACE as soon as you enter it in the running-config file. Similarly, if you modify an existing ACE in an ACL you already applied to an interface, the switch automatically implements the new ACE as soon as you enter it. (See “” on page 10-128.) The switch allows up to 2048 ACLs each for IPv4 and determines the total from the number of unique ACL names in the configuration. For example, if you configure two ACLs, but assign only one of them to a VLAN, the ACL total is two, for the two unique ACL names. If you then assign the name of a nonexistent ACL to a VLAN, the new ACL total is three, because the switch now has three unique ACL names in its configuration. (RADIUS-based ACL resources are drawn from the IPv4 allocation.)

(For information on switch resource use, refer to “Monitoring Shared Resources” on page 10-129. For a summary of ACL resource limits, refer to the appendix covering scalability in the latest Management and Configuration Guide for your switch.)