Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches 
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch 
ACL Configuration and Operating Rules 
■  Per-Interface ACL Limits. At a minimum, an ACL must have one 
explicit “permit” or “deny” Access Control Entry (ACE). You can assign one 
ACL per interface, as follows: 
•  Standard ACLs—Numeric range: 1 - 99 
•  Extended ACLs—Numeric range: 100 - 199 
•  Named (Extended or Standard) ACLs: Up to the maximum number of 
ports on the switch (minus any numeric ACL assignments) 
■  Implicit “deny any”: In any ACL, the switch automatically applies 
an implicit “deny IP any” that does not appear in show listings. This 
means that the ACL denies any packet it encounters that does not 
have a match with an entry in the ACL. Thus, if you want an ACL to 
permit any packets that you have not expressly denied, you must enter 
a permit any or permit ip any any as the last visible ACE in an ACL. 
Because, for a given packet the switch sequentially applies the ACEs 
in an ACL until it finds a match, any packet that reaches the permit any 
or permit ip any any entry will be permitted, and will not encounter the 
“deny ip any” ACE the switch automatically includes at the end of the 
ACL. For an example, refer to figure 10-5 on page 10-15. 
■  Explicitly Permitting Any IP Traffic: Entering a permit any or a 
permit ip any any ACE in an ACL permits all IP traffic not previously 
permitted or denied by that ACL. Any ACEs listed after that point do 
not have any effect and unnecessarily use rule and mask resources. 
■  Explicitly Denying Any IP Traffic: Entering a deny any or a deny ip 
any any ACE in an ACL denies all IP traffic not previously permitted 
or denied by that ACL. Any ACEs listed after that point have no effect. 
■  An ACL Assignment Is Exclusive: The switch allows one ACL 
assignment on an interface. If a port or static trunk already has an 
ACL assigned, you cannot assign another ACL to the interface without 
first removing the currently assigned ACL. 
■  Replacing One ACL with Another: Where an ACL is already 
assigned to an interface, you must remove the current ACL assignment 
before assigning another ACL to that interface. If an assignment 
command fails because one or more interfaces specified in the 
command already have an ACL assignment, the switch generates this 
message in the CLI and in the Event Log: 
< acl-list-# >: Unable to apply access control list. 
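The “Implicit deny any” and “Explicitly Permitting/Denying Any IP Traffic” rules above describe how the switch walks an ACL. The following Python model is an added example, not code from the manual or the switch: it evaluates a simplified extended-ACL (the tuple form of the ACEs, the packet dictionary and the sample addresses are assumptions) and flags ACEs that can never match because an earlier `permit ip any any` or `deny ip any any` already ends evaluation.

```python
# Added example (not from the ProCurve manual): models 3400cl/6400cl ACL
# evaluation to show the implicit "deny ip any" and why ACEs listed after
# "permit ip any any" (or "deny ip any any") have no effect.
import ipaddress

def _matches(field, value):
    """'any' matches everything; otherwise test CIDR/host membership."""
    if field == "any":
        return True
    return ipaddress.ip_address(value) in ipaddress.ip_network(field, strict=False)

def evaluate(acl, packet):
    """Apply ACEs sequentially; the first match decides. If no ACE matches,
    return the implicit deny the switch appends to every ACL."""
    for action, proto, src, dst in acl:
        if proto not in ("ip", packet["proto"]):   # "ip" covers any IP protocol
            continue
        if _matches(src, packet["src"]) and _matches(dst, packet["dst"]):
            return action
    return "deny"   # implicit "deny ip any" (does not appear in show listings)

def unreachable_aces(acl):
    """Indices of ACEs after the first 'ip any any' entry: they can never be
    evaluated and only consume rule and mask resources."""
    for i, (_action, proto, src, dst) in enumerate(acl):
        if proto == "ip" and src == "any" and dst == "any":
            return list(range(i + 1, len(acl)))
    return []

# Constructed ACL in the spirit of an extended ACL (numeric range 100-199).
ACL_100 = [
    ("deny",   "tcp", "10.1.1.0/24", "10.2.2.10/32"),
    ("permit", "ip",  "10.1.0.0/16", "any"),
    ("permit", "ip",  "any",         "any"),   # all remaining IP traffic ends here
    ("deny",   "ip",  "10.3.3.0/24", "any"),   # never reached
]

# Constructed ACL with no trailing permit: anything unmatched hits the implicit deny.
ACL_NO_FINAL_PERMIT = [("permit", "ip", "10.1.0.0/16", "any")]

if __name__ == "__main__":
    print(evaluate(ACL_100, {"proto": "tcp", "src": "10.3.3.1", "dst": "10.9.9.9"}))
    print(unreachable_aces(ACL_100))
    print(evaluate(ACL_NO_FINAL_PERMIT, {"proto": "udp", "src": "192.168.1.1", "dst": "10.9.9.9"}))
```

Running `unreachable_aces` over a candidate ACL before assigning it is a cheap way to catch dead entries that would otherwise waste the per-interface rule and mask resources the text mentions.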