Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches 
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch 
Standard ACLs: 
■  Each ACE, including the implicit deny any ACE in a standard ACL, 
uses one port rule. 
■  Contiguous ACE entries with the same subnet mask use the same port 
mask. Contiguous ACE entries with different subnet masks use one 
port mask per entry. To conserve ACL mask resources, group ACEs 
with identical subnet masks together. For example: 
Table 10-2. Minimizing Per-Port Mask Usage

Contiguous ACEs with the Same Subnet Mask:
  15.28.247.1/24   (15.28.247.1  255.255.255.0)
  15.28.253.1/24   (15.28.253.1  255.255.255.0)
  10.0.8.0/32      (10.0.8.0  0.0.0.0)
  10.0.8.105/32    (10.0.8.0  0.0.0.0)
  The ACEs in this sequence use two port masks because entries with identical subnet masks are contiguous. This method optimizes the capacity of an ACL to accept ACEs requiring different port masks because it minimizes port mask usage.

Contiguous ACEs with Different Subnet Masks:
  15.28.247.1/24   (15.28.247.1  255.255.255.0)
  10.0.8.0/32      (10.0.8.0  0.0.0.0)
  15.28.253.1/24   (15.28.253.1  255.255.255.0)
  10.0.8.105/32    (10.0.8.0  0.0.0.0)
  This sequence uses the same entries as the column above, but each consecutive entry has a subnet mask that differs from its predecessor, and requires four port masks. This method of ordering ACEs unnecessarily consumes port masks and reduces the capacity of an ACL to accept ACEs requiring different port masks.
■  An ACL with no ACEs except a permit any or a deny any uses only one rule and one mask because the IP address and subnet mask are duplicates of the IP address and subnet mask used for the implicit deny any ACE that the switch automatically includes at the end of each ACL. 
Table 10-3 on page 10-19 summarizes switch use of resources to support ACEs. 
Extended ACLs: 
■  Each ACE, including the implicit deny ip any any ACE in an extended ACL, uses one port rule. 
■  Contiguous ACE entries with the same subnet mask and the same IP or TCP/UDP protocol applications use the same port mask. Contiguous ACE entries with different subnet masks or different IP-TCP/UDP applications use one port mask per entry. To conserve ACL mask resources, group ACEs with identical subnet masks and IP or TCP/UDP applications together. (The effect of this grouping is the same as above for the standard ACLs, but with more elements to consider.) 
■  An extended ACL with no ACEs except a permit ip any any or deny ip any any uses one rule and one mask. This is because the IP address 
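The rule and mask accounting described above for standard and extended ACLs can be checked before an ACL is applied. The following script is an added example and is not code from the switch documentation or from HP; it models only the rules this page states (one port rule per ACE plus the implicit deny, one port mask per run of contiguous ACEs sharing a subnet mask and, for extended ACLs, the same IP/TCP/UDP application, and the one-rule-one-mask case for an ACL holding nothing but permit/deny any). The Ace class, the "proto/port" application string, the function names and the sample ACLs are assumptions made for illustration. It also adds a precedence check that the page does not discuss: ACLs match first-hit, so regrouping ACEs by mask is only safe when no overlapping permit/deny pair swaps order.

```python
"""Estimate per-port rule and mask consumption of an ACL and check whether
regrouping ACEs by subnet mask is safe.

Added example; not code from the switch documentation or from HP. The Ace
class, the application string format and the function names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    prefix: str                # e.g. "15.28.247.1/24"; "0.0.0.0/0" stands for "any"
    app: Optional[str] = None  # extended ACLs only, e.g. "ip", "tcp/80", "udp/53"

    @property
    def network(self):
        # strict=False tolerates host bits, so 15.28.247.1/24 -> 15.28.247.0/24
        return ip_network(self.prefix, strict=False)

    def mask_key(self) -> Tuple[str, Optional[str]]:
        # Identity of the port-mask resource an ACE needs: the subnet mask plus,
        # for extended ACLs, the IP/TCP/UDP application.
        return (str(self.network.netmask), self.app)


def count_resources(aces: List[Ace], implicit_app: Optional[str] = None) -> Tuple[int, int]:
    """Return (port_rules, port_masks) for an ACL.

    Rules: one per explicit ACE plus one for the implicit deny the switch
    appends. Masks: one per run of contiguous ACEs with the same mask_key,
    counted over the explicit ACEs the way Table 10-2 counts them. An ACL whose
    only entries are permit/deny any duplicates the implicit deny and costs one
    rule and one mask (pass implicit_app="ip" for extended ACLs).
    """
    implicit_deny = Ace("deny", "0.0.0.0/0", implicit_app)
    if all(ace.mask_key() == implicit_deny.mask_key() for ace in aces):
        return 1, 1
    rules = len(aces) + 1
    masks, prev = 0, None
    for ace in aces:
        key = ace.mask_key()
        if key != prev:          # a new run of masks starts here
            masks += 1
            prev = key
    return rules, masks


def grouped_order(aces: List[Ace]) -> List[Ace]:
    """Regroup ACEs so entries sharing a mask_key are contiguous, keeping the
    first-appearance order of the groups and the original order within each."""
    buckets: Dict[Tuple[str, Optional[str]], List[Ace]] = {}
    for ace in aces:
        buckets.setdefault(ace.mask_key(), []).append(ace)
    return [ace for group in buckets.values() for ace in group]


def reorder_preserves_precedence(original: List[Ace], reordered: List[Ace]) -> bool:
    """ACLs match first-hit, so moving an ACE past an overlapping ACE with the
    opposite action changes the policy. True only if every such pair keeps its
    relative order after regrouping."""
    position = {ace: i for i, ace in enumerate(reordered)}
    for i, earlier in enumerate(original):
        for later in original[i + 1:]:
            conflict = (earlier.action != later.action
                        and earlier.app == later.app
                        and earlier.network.overlaps(later.network))
            if conflict and position[earlier] > position[later]:
                return False
    return True


# Constructed sample ACLs built from the addresses in Table 10-2 (all permits).
GROUPED = [Ace("permit", p) for p in
           ("15.28.247.1/24", "15.28.253.1/24", "10.0.8.0/32", "10.0.8.105/32")]
INTERLEAVED = [Ace("permit", p) for p in
               ("15.28.247.1/24", "10.0.8.0/32", "15.28.253.1/24", "10.0.8.105/32")]
# Constructed ACL where regrouping by mask would move a host deny behind the
# /24 permit that covers it, silently changing what the ACL does.
UNSAFE_TO_REGROUP = [Ace("deny", "10.0.9.7/32"), Ace("permit", "10.0.8.0/24"),
                     Ace("deny", "10.0.8.105/32")]

if __name__ == "__main__":
    for name, acl in (("grouped", GROUPED), ("interleaved", INTERLEAVED)):
        print(name, "rules/masks:", count_resources(acl))
    proposed = grouped_order(UNSAFE_TO_REGROUP)
    print("regrouped masks:", count_resources(proposed)[1],
          "safe to apply:", reorder_preserves_precedence(UNSAFE_TO_REGROUP, proposed))
```

For the two orderings in Table 10-2 the script reports five rules in both cases and two versus four masks, matching the table. Run `grouped_order` on a proposed ACL and then `reorder_preserves_precedence` on the result before committing it: saving a mask is not worth moving a host-specific deny behind a broader permit.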