Access Control Lists (ACLs) for the Series 5300xl Switches 
Planning an ACL Application 
Guidelines for Planning the Structure of an ACL 
The first step in planning a specific ACL is to determine where you will apply 
it. (Refer to “ACL Inbound and Outbound Application Points” on page 9-8.) 
You must then determine the order in which you want the individual ACEs in 
the ACL to filter traffic. 
■  The first match dictates the action on a packet. Subsequent matches 
are ignored. 
■  On any ACL, the switch implicitly denies packets that are not explicitly 
permitted or denied by the ACEs configured in the ACL. If you 
want the switch to forward a packet for which there is not a match in 
an ACL, add the “permit IP any” function as the last ACE in an ACL. 
This ensures that no packets reach the implicit “deny IP any” case. 
■  Generally, you should list ACEs from the most specific (individual 
hosts) to the most general (subnets or groups of subnets) unless doing 
so permits traffic that you want dropped. For example, an ACE 
allowing a small group of workstations to use a specialized printer 
should occur earlier in an ACL than an entry used to block widespread 
access to the same printer. 
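The ordering and implicit-deny rules above can be checked before an ACL is applied. The following is an added example, not code from the manual or from the switch firmware; it is a small first-match ACL evaluator that assumes CIDR notation for source and destination (the switch CLI uses wildcard masks, so a real ACE would be written differently), matches on IP addresses only, and models the implicit "deny IP any" as a final fall-through. It also flags ACEs that can never match because an earlier, broader ACE always matches first, which is exactly the mistake the printer example warns about. All addresses and the three ACLs are constructed for illustration.

```python
import ipaddress

# "any" in the manual's ACE syntax is modelled as the 0.0.0.0/0 network.
ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(spec):
    """Translate 'any' or a CIDR/host string into an IPv4Network (assumed syntax)."""
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


class ACE:
    """One Access Control Entry: permit or deny a (source, destination) pair."""

    def __init__(self, action, src="any", dst="any"):
        if action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny', got %r" % action)
        self.action = action
        self.src = _net(src)
        self.dst = _net(dst)

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)

    def __repr__(self):
        return "ACE(%s %s -> %s)" % (self.action, self.src, self.dst)


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation.

    Returns (action, index). index is the position of the matching ACE, or
    None when no ACE matched and the implicit "deny IP any" applied.
    """
    for i, ace in enumerate(acl):
        if ace.matches(src_ip, dst_ip):
            return ace.action, i          # later ACEs are never consulted
    return "deny", None                   # implicit deny IP any (not shown in listings)


def unreachable_aces(acl):
    """Indices of ACEs fully covered by an earlier ACE, so they can never match.

    An ACE is unreachable when some earlier ACE matches every packet it would
    match, regardless of either ACE's action.
    """
    dead = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                dead.append(i)
                break
    return dead


# Constructed scenario from the guideline: a small workstation group may use a
# specialised printer; everyone else must be blocked from it.
WORKSTATIONS = "10.10.20.0/28"
PRINTER = "10.10.30.5/32"

# Specific permit first, general deny second, trailing permit so unrelated
# routed traffic does not fall into the implicit deny.
CORRECT_ORDER = [
    ACE("permit", WORKSTATIONS, PRINTER),
    ACE("deny", "any", PRINTER),
    ACE("permit", "any", "any"),
]

# Same entries, general deny listed first: the permit is shadowed and the
# workstations lose printer access.
WRONG_ORDER = [
    ACE("deny", "any", PRINTER),
    ACE("permit", WORKSTATIONS, PRINTER),
    ACE("permit", "any", "any"),
]

# No trailing "permit IP any": anything not about the printer hits the implicit deny.
NO_TRAILING_PERMIT = CORRECT_ORDER[:2]


if __name__ == "__main__":
    for name, acl in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER),
                      ("no trailing permit", NO_TRAILING_PERMIT)):
        print(name, "unreachable ACEs:", unreachable_aces(acl))
        for src, dst in (("10.10.20.3", "10.10.30.5"),   # workstation -> printer
                         ("10.10.40.9", "10.10.30.5"),   # other host -> printer
                         ("10.10.40.9", "10.10.50.1")):  # other host -> file server
            print("  %s -> %s: %s" % (src, dst, evaluate(acl, src, dst)))
```

Running the block prints the decision and matching ACE index for each constructed flow under all three orderings. The `unreachable_aces` check is the one to run before applying an ACL: a permit that is reported unreachable is the "doing so permits traffic that you want dropped" case inverted, a permit that silently never applies.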
ACL Configuration and Operating Rules 
■  Routing. Except for any IP traffic with a destination address (DA) on the switch itself, ACLs 
filter only routed traffic. Thus, if routing is not enabled on the switch, 
there is no routed traffic for ACLs to filter. (To enable routing, execute 
ip routing at the global configuration level.) For more on routing, refer 
to the chapter titled “IP Routing Features” in this manual. 
■  Per-Switch ACL Limits. At a minimum, an ACL must have one 
explicit “permit” or “deny” Access Control Entry. You can configure 
up to 255 ACL assignments to VLANs, as follows: 
•  Standard ACLs: Up to 99; numeric range: 1 - 99 
•  Extended ACLs: Up to 100; numeric range: 100 - 199 
•  Named (Extended or Standard) ACLs: Up to 255 (minus any numeric 
ACL assignments) 
•  Total ACEs in all ACLs: 1024 
■  Implicit “deny any”: In any ACL, the switch automatically applies 
an implicit “deny IP any” that does not appear in show listings. This 
means that the ACL denies any packet it encounters that does not 
have a match with an entry in the ACL. Thus, if you want an ACL to 
9-18