HP ProCurve 6120G/XG User Manual

HP ProCurve 6120G/XG
606 pages
IPv4 Access Control Lists (ACLs)
Configuring and Assigning an ACL
Table 9-6. Effect of the ACL in Figure 9-12 on Inbound Traffic on the Assigned Port
Line #  Action
1       Shows list type (extended) and ID (101).
2       A packet from IP source address 10.28.235.10 will be denied (dropped). This line filters out all packets received from 10.28.235.10. As a result, IP traffic from that device will not be routed or switched, and packets from that device will not be compared against any later entries in the list.
3       A packet from IP source 10.28.245.89 will be denied (dropped). This line filters out all packets received from 10.28.245.89. As a result, IP traffic from that device will not be routed or switched, and packets from that device will not be compared against any later entries in the list.
4       A packet from TCP source address 10.28.18.100 with a destination address of 10.28.237.1 will be permitted (forwarded). Since no earlier lines in the list have filtered TCP packets from 10.28.18.100 and destined for 10.28.237.1, the switch will use this line to evaluate such packets. Any packets that meet these criteria will be forwarded. (Any packets that do not meet these TCP source-destination criteria are not affected by this line.)
5       A packet from TCP source address 10.28.18.100 to any destination address will be denied (dropped). Since, in this example, the intent is to block TCP traffic from 10.28.18.100 to any destination except the destination stated in line 4, this line must follow line 4. (If their relative positions were exchanged, all TCP traffic from 10.28.18.100 would be dropped, including the traffic for the 10.28.18.1 destination.)
6       Any packet from any IP source address to any destination address will be permitted (forwarded). The only traffic to reach this line will be IP packets not specifically permitted or denied in the earlier lines.
n/a     The “implicit deny any any” is a function automatically added as the last action in all ACLs. It denies (drops) any IP traffic from any source to any destination that has not found a match with earlier entries in the list. In this example, line 6 permits (forwards) any IP traffic not already permitted or denied by the earlier entries in the list, so there is no traffic remaining for action by the “implicit deny any any” function.
7       Indicates the end of the ACL.
In Any ACL, There Will Always Be a Match
As indicated in figure 9-12, the switch automatically uses an implicit “deny IP
any” (Standard ACL) or “deny any” (Extended ACL) as the last ACE in any
ACL. This means that if you configure the switch to use an ACL for filtering
inbound traffic, any packets not specifically permitted or denied by the
explicit entries you create will be denied by the implicit “deny” action. Note
that if you want to preempt the implicit “deny” action, insert an explicit permit
any or permit ip any any as the last line of the ACL.
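The first-match evaluation and implicit deny described above can be checked offline before an ACL is assigned. The following is an added example, not part of the HP manual: it models the entries of Table 9-6 as Python tuples (constructed from the table's descriptions, since Figure 9-12 is not reproduced here), treats each address as a host or "any" rather than a wildcard mask, and uses constructed probe addresses 10.28.10.5 and 10.28.99.9. It also goes one step beyond the table by flagging entries that an earlier entry makes unreachable.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

def host(addr):
    return ip_network(addr + "/32")

# Constructed from the Table 9-6 descriptions: (table line, action, protocol, source, destination)
ACL_101 = [
    (2, "deny", "ip", host("10.28.235.10"), ANY),
    (3, "deny", "ip", host("10.28.245.89"), ANY),
    (4, "permit", "tcp", host("10.28.18.100"), host("10.28.237.1")),
    (5, "deny", "tcp", host("10.28.18.100"), ANY),
    (6, "permit", "ip", ANY, ANY),
]

def evaluate(acl, proto, src, dst):
    """Return (action, table line) of the first matching ACE; line is None for the implicit deny."""
    for line, action, ace_proto, ace_src, ace_dst in acl:
        if ace_proto in ("ip", proto) and ip_address(src) in ace_src and ip_address(dst) in ace_dst:
            return action, line  # first match wins, later ACEs are not consulted
    return "deny", None  # implicit deny at the end of every ACL

def shadowed(acl):
    """Return table lines of ACEs that can never match because an earlier ACE covers them."""
    hits = []
    for i, (line, _, proto, src, dst) in enumerate(acl):
        for _, _, e_proto, e_src, e_dst in acl[:i]:
            if e_proto in ("ip", proto) and src.subnet_of(e_src) and dst.subnet_of(e_dst):
                hits.append(line)
                break
    return hits

def swap_lines(acl, a, b):
    """Return a copy of the ACL with the ACEs for table lines a and b exchanged."""
    out = list(acl)
    ia = next(i for i, ace in enumerate(out) if ace[0] == a)
    ib = next(i for i, ace in enumerate(out) if ace[0] == b)
    out[ia], out[ib] = out[ib], out[ia]
    return out

if __name__ == "__main__":
    # Probe packets are constructed sample values (protocol, source, destination).
    probes = [("tcp", "10.28.18.100", "10.28.237.1"), ("tcp", "10.28.18.100", "10.28.10.5"),
              ("udp", "10.28.18.100", "10.28.10.5"), ("tcp", "10.28.235.10", "10.28.237.1")]
    for p in probes:
        print(p, "as listed:", evaluate(ACL_101, *p), "lines 4/5 swapped:", evaluate(swap_lines(ACL_101, 4, 5), *p))
    print("shadowed after swap:", shadowed(swap_lines(ACL_101, 4, 5)))
    print("without line 6:", evaluate(ACL_101[:-1], "udp", "10.28.99.9", "10.28.10.5"))
```

With the entries in the listed order nothing is shadowed; exchanging lines 4 and 5 makes line 4 unreachable, and dropping line 6 sends otherwise unmatched traffic to the implicit deny.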
A Configured ACL Has No Effect Until You Apply It to an Interface
The switch stores ACLs in the configuration file. Thus, until you actually assign
an ACL to an interface, it is present in the configuration, but not used.