Access Control Lists (ACLs) for the Series 5300xl Switches
ACL Operation
The Packet-Filtering Process
Sequential Comparison and Action. When the switch uses an ACL to fil-
ter a packet, it sequentially compares each ACE’s filtering criteria to the
corresponding data in the packet until it finds a match.
For a packet with a source IP address of
18.28.156.3, the switch:
1. Compares the packet to this ACE first.
2. Since there is not a match with the first
ACE, the switch then compares the
packet to the second ACE, where there
is also not a match.
3. The switch compares the packet to the
third ACE. There is a match because
the 0.0.0.15 mask includes the source
IP address. The then switch denies
(drops) the packet.
4. The packet is not compared to the
fourth ACE.
Figure 9-2. Example of Sequential Comparison
That is, the switch tries the first ACE in the list. If there is not a match, it tries
the second ACE, and so on. When a match is found, the switch invokes the
configured action for that entry (permit or drop the packet) and no further
comparisons of the packet are made with the remaining ACEs in the ACL. This
means that when the switch finds an ACE whose criteria matches a packet, it
invokes the action configured for that ACE, and any remaining ACEs in the
ACL are ignored. Because of this sequential processing, successfully imple-
menting an ACL depends in part on configuring ACEs in the correct order
for the overall policy you want the ACL to enforce.
Implicit Deny. If a packet does not have a match with the criteria in any of
the ACEs in the ACL, the switch denies (drops) the packet. (This is termed
implicit deny.) If you need to override the implicit deny so that any packet
that does not have a match will be permitted, then you can enter permit any as
the last ACE in the ACL. This directs the switch to permit (forward) any
packets that do not have a match with any earlier ACE listed in the ACL, and
prevents these packets from being filtered by the implicit deny.
9-13
To Next Page
Loading...
