Access Control Lists (ACLs) for the Series 5300xl Switches
Configuring and Assigning an ACL
In Any ACL, There Will Always Be a Match
As indicated in figure 9-10, the switch automatically uses an implicit “deny IP
any” (Standard ACL) or “deny IP any any” (Extended ACL) as the last ACE in
any ACL. This means that if you configure the switch to use an ACL for filtering
either inbound or outbound traffic on a VLAN, any packets not specifically
permitted or denied by the explicit entries you create will be denied by the
implicit “deny” action. Note that if you want to preempt the implicit “deny”
action, insert an explicit permit any or permit ip any any as the last line of the
ACL.
A Configured ACL Has No Effect Until You Apply It to an
Interface
The switch stores ACLs in the configuration file. Thus, until you actually assign
an ACL to a VLAN interface, it is present in the configuration, but not used.
You Can Assign an ACL Name or Number to a VLAN Even if
the ACL Does Not Yet Exist in the Switch’s Configuration
In this case, if you subsequently create an ACL with that name or number, the
switch automatically applies each ACE as soon as you enter it in the running-
config file. Similarly, if you modify an existing ACE in an ACL you already
applied to a VLAN, the switch automatically implements the new ACE as soon
as you enter it. (See
“General ACL Operating Notes” on page 9-63.) The switch
allows a maximum of 255 ACLs in any combination of numeric and alphanu-
meric names, and determines the total from the number of unique ACL names
in the configuration. For example, if you configure two ACLs, but assign only
one of them to a VLAN, the ACL total is two, for the two unique ACL names.
If you then assign the name of a nonexistent ACL to a VLAN, the new ACL total
is three, because the switch now has three unique ACL names in its configu-
ration.
Using the CLI To Create an ACL
Command Page
access-list (standard ACLs) 9-33
access-list (extended ACLs) 9-38
ip access-list (named ACLs) 9-44
9-31
To Next Page
Loading...
