Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Configuring and Assigning an ACL
In Any ACL, There Will Always Be a Match
As indicated in figure 10-13, the switch automatically uses an implicit “deny
IP any” (Standard ACL) or “deny IP any any” (Extended ACL) as the last ACE
in any ACL. This means that if you configure the switch to use an ACL for
filtering inbound traffic, any packets not specifically permitted or denied by
the explicit entries you create will be denied by the implicit “deny” action.
Note that if you want to preempt the implicit “deny” action, insert an explicit
permit any or permit ip any any as the last line of the ACL.
A Configured ACL Has No Effect Until You Apply It to an
Interface
The switch stores ACLs in the configuration file. Thus, until you actually assign
an ACL to an interface, it is present in the configuration, but not used.
Using the CLI To Create an ACL
Command Page
access-list (standard ACLs) 10-43
access-list (extended ACLs) 10-48
ip access-list (named ACLs) 10-54
You can use either the switch CLI or an offline text editor to create an ACL.
This section describes the CLI method, which is recommended for creating
short ACLs. (To use the offline method, refer to
“Editing ACLs and Creating
an ACL Offline” on page 10-65.)
General ACE Rules
These rules apply to all ACEs you create or edit using the CLI:
■ ACEs are placed in an ACL according to the sequence in which you
enter them (last entered, last listed).
■ You can use the CLI to delete an ACE from anywhere in a given ACL
by using the “no” form of the command to enter that ACE. However,
when you use the CLI to add an ACE, the new entry is always placed
at the end of the ACL.
10-41
To Next Page
Loading...
