HP ProCurve 6120G/XG User Manual

HP ProCurve 6120G/XG
606 pages
IPv4 Access Control Lists (ACLs)
Terminology
the ACL. Doing so permits an inbound packet that is not explicitly permitted
or denied by other ACEs configured sequentially earlier in the ACL.
Unless otherwise noted, “implicit deny IP any” refers to the “deny” action
enforced by both standard and extended ACLs.
Inbound Traffic: For the purpose of defining where the switch applies ACLs
to filter traffic, inbound traffic is any IP packet that:
- Enters the switch through a physical port.
- Has a destination IP address (DA) that meets either of these criteria:
  - The packet’s DA is for an external device.
  - The packet’s DA is for an IP address configured on the switch
    itself. (This increases your options for protecting the switch from
    unauthorized management access.)
Because ACLs are assigned to physical ports or port trunks, an ACL that
filters inbound traffic on a particular port or trunk examines packets
meeting the above criteria that enter the switch through that port or trunk.
Outbound Traffic: This is any traffic leaving the switch through a physical
port or trunk. The switch does not apply ACLs to outbound traffic or
internally where routed traffic moves between VLANs. That is, ACL
operation is not affected by enabling or disabling routing on the switch.
(Refer also to “ACL Inbound Application Points” on page 9-10.)
Permit: An ACE configured with this action allows a port or trunk to permit
an inbound packet for which there is a match within an applicable ACL.
SA: The acronym for Source IP Address. In an IP packet, this is the source IP
address carried in the IP header, and identifies the packet’s sender. In an
extended ACE, this is the first of two IP addresses used by the ACE to
determine whether there is a match between a packet and the ACE. See
also “DA”.
Standard ACL: This type of Access Control List uses layer-3 IP criteria of
source IP address to determine whether there is a match with an inbound
IP packet. You can apply a standard ACL to inbound traffic on a port or
trunk, including any inbound traffic with a DA belonging to the switch
itself. Standard ACLs require an identification number (ID) in the range
of 1 - 99 or an alphanumeric name.
Wildcard: The part of a mask that indicates the bits in a packet’s IP addressing
that do not need to match the corresponding bits specified in an ACL. See
also ACL Mask on page 9-8.
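The following is an added example, not taken from the HP manual or the switch firmware. It models how the terms above combine when a standard ACL filters inbound packets: each ACE compares the packet's SA on the bits where the wildcard is 0, the first matching ACE decides, and a packet matching no ACE gets the implicit deny. The ACL contents, addresses and function names are constructed for illustration; the audit helper `shadowed` goes slightly beyond the text to flag ACEs that an earlier ACE makes unreachable.

```python
import ipaddress

def _u32(dotted):
    """Dotted-quad IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def ace_matches(sa, addr, wildcard):
    """True if the packet SA equals the ACE address on every bit where the wildcard is 0."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return ((_u32(sa) ^ _u32(addr)) & care) == 0

def evaluate(acl, sa):
    """Return (action, sequence number) of the first matching ACE, else the implicit deny."""
    for seq, (action, addr, wildcard) in enumerate(acl, start=1):
        if ace_matches(sa, addr, wildcard):
            return action, seq
    return "deny", None  # implicit deny: no ACE in the list matched

def shadowed(acl):
    """Sequence numbers of ACEs that can never match because an earlier ACE covers them."""
    hits = []
    for i, (_, addr, wild) in enumerate(acl):
        for _, e_addr, e_wild in acl[:i]:
            e_care = ~_u32(e_wild) & 0xFFFFFFFF
            # Earlier ACE covers this one if it ignores every bit this ACE ignores
            # and the two addresses agree on all bits the earlier ACE checks.
            if (e_care & _u32(wild)) == 0 and ((_u32(addr) ^ _u32(e_addr)) & e_care) == 0:
                hits.append(i + 1)
                break
    return hits

# Constructed sample ACLs: (action, source address, wildcard)
ACL_OK = [
    ("deny",   "10.10.20.99", "0.0.0.0"),    # one host, all 32 bits must match
    ("permit", "10.10.20.0",  "0.0.0.255"),  # last octet is "don't care"
]
ACL_MISORDERED = [ACL_OK[1], ACL_OK[0]]      # subnet permit placed before host deny
ACL_OPEN = ACL_OK + [("permit", "0.0.0.0", "255.255.255.255")]  # final ACE matches any SA

if __name__ == "__main__":
    for name, acl in (("ok", ACL_OK), ("misordered", ACL_MISORDERED), ("open", ACL_OPEN)):
        for sa in ("10.10.20.99", "10.10.20.5", "192.168.1.7"):
            print(name, sa, evaluate(acl, sa))
        print(name, "shadowed ACEs:", shadowed(acl))
```

In the misordered list the host deny is never reached, so 10.10.20.99 is permitted by the first ACE; `shadowed` reports that entry so the ordering error can be caught before the ACL is assigned to a port or trunk.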
9-9
