IPv4 Access Control Lists (ACLs)
Planning an ACL Application
Overriding the Implicit “Deny Any”. If you want an ACL to permit any
inbound packets that are not explicitly denied by other entries in the ACL, you
can do so by configuring a permit any entry as the last entry in the ACL. Doing
so permits any packet not explicitly denied by earlier entries. (On extended
ACLs, you must configure permit ip any any.)
Planning an ACL Application
Before creating and implementing ACLs, you should understand the switch
resources available to support ACL operation, define the policies you want
your ACLs to enforce, and understand how your ACLs will impact your
network users.
Switch Resource Usage
ACLs load resources in ways that require more careful attention to resource
usage when planning a configuration using these features. Otherwise, there is
an increased possibility of fully consuming some resources, which means that
at some point the switch would not support further ACL configurations. This
section describes resource planning for ACLs on your switch.
Prioritizing and Monitoring ACL and QoS, Feature Usage
If you want to configure ACLs on your switch, plan and implement your
configuration in descending order of feature importance. This will help to
ensure that the most important features are configured first. Also, if insuffi-
cient resources become a problem, this approach can help you recognize how
to distribute the desired feature implementations across multiple switches to
achieve your objectives.
ACL Resource Usage and Monitoring
ACL configurations use internal rules on a per-device basis. There are 128 rules
available for configuring ACLs with the CLI and 128 rules available for config-
uring ACLs with IDM. You can apply a CLI ACL and IDM ACL on the same port
at the same time.
The switch uses resources required by the ACEs in an ACL when you apply
the ACL to one or more port and/or static trunk interfaces.
9-17
To Next Page
Loading...
Need help?
General