IPv4 Access Control Lists (ACLs)
Planning an ACL Application
Rule Usage
■ There is only one implicit “deny any” entry per device for CLI ACLs,
and one implicit “deny any” entry per device for IDM ACLs.
■ The implicit “deny any” entry is created only the first time an ACL is
applied to a port. After that the port-map is updated for that “deny
any” entry to include or remove additional ports.
■ Each ACE, including the implicit deny any ACE in a standard ACL,
uses one rule.
■ There is a separate rule for every ACE whether the ACE uses the same
mask or a new mask.
■ Two hardware rules are used for any “permit” ACE with TCP or UDP
specified. One rule is for normal packets and one is for fragmented
packets.
Table 9-2 on page 9-18 summarizes switch use of resources to support ACES.
Table 9-2. ACL Rule and Mask Resource Usage
ACE Type Rule Usage
Standard ACLs
Implicit deny any (automatically included in any standard ACL, but not displayed by show access- 1
list < acl-# > command).
First ACE entered 1
Next ACE entered with same ACL mask 1
Next ACE entered with a different ACL mask 1
Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding ACE 1
Closing ACL with a deny any or permit any ACE having a different ACL mask than the preceding ACE 1
Extended ACLs
Implicit deny ip any (automatically included in any standard ACL, but not displayed by show access- 1
list < acl-# > command).
First ACE entered 1
Next ACE entered with same SA/DA ACL mask and same IP or TCP/UDP protocols specified 2
Next ACE entered with any of the following differences from preceding ACE in the list: 1
– Different SA or DA ACL mask
– Different protocol (IP as opposed to TCP/UDP) specified in either the SA or DA
Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with the 1
same SA and DA ACL masks
Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with different 1
SA and/or DA ACL masks
9-18
To Next Page
Loading...
Need help?
General