Configuring ACLs
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document.
Overview
An access control list (ACL) is a set of rules (permit or deny statements) that identify traffic based on criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. A packet filter drops packets that match a deny rule and permits packets that match a permit rule. ACLs are also widely used by other modules, for example, QoS and IP routing, for traffic identification.
ACL categories
Category | ACL number | IP version | Match criteria
Basic ACLs | 2000 to 2999 | IPv4 | Source IPv4 address
Basic ACLs | 2000 to 2999 | IPv6 | Source IPv6 address
Advanced ACLs | 3000 to 3999 | IPv4 | Source/destination IPv4 address, protocol number, and other Layer 3 and Layer 4 header fields
Advanced ACLs | 3000 to 3999 | IPv6 | Source/destination IPv6 address, protocol number, and other Layer 3 and Layer 4 header fields
Ethernet frame header ACLs | 4000 to 4999 | IPv4 and IPv6 | Layer 2 header fields, such as source and destination MAC addresses, 802.1p priority, and link layer protocol type
Match order
The rules in an ACL are sorted in a certain order. When a packet matches a rule, the device stops the match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules, the matching result and the action taken depend on the rule order.
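The first-match behaviour described above, as an added Python model that is not part of the original manual or the switch software. The Rule type, the function names, the sample prefixes and the use of ascending rule ID as the sort order are assumptions of this example; it covers only the source-address criterion of a basic ACL.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    rule_id: int   # assumption: rules are checked in ascending rule_id
    action: str    # "permit" or "deny"
    source: str    # source IPv4 prefix, the criterion of a basic ACL

def evaluate(rules: List[Rule], src_ip: str) -> Optional[str]:
    """Return the action of the first rule that matches src_ip.

    None means no rule matched; what the device does then is not
    stated in the text above, so it is not modelled here.
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if addr in ipaddress.ip_network(rule.source):
            return rule.action  # match process stops at the first hit
    return None

def shadowed(rules: List[Rule]) -> List[int]:
    """IDs of rules that can never match because a single earlier
    rule already covers their whole source range."""
    ordered = sorted(rules, key=lambda r: r.rule_id)
    hidden = []
    for i, rule in enumerate(ordered):
        net = ipaddress.ip_network(rule.source)
        earlier = (ipaddress.ip_network(e.source) for e in ordered[:i])
        if any(net.subnet_of(e) for e in earlier):
            hidden.append(rule.rule_id)
    return hidden

# Constructed sample data: the same two overlapping rules in both orders.
BROAD_FIRST = [Rule(0, "permit", "10.1.0.0/16"),
               Rule(5, "deny", "10.1.1.0/24")]
SPECIFIC_FIRST = [Rule(0, "deny", "10.1.1.0/24"),
                  Rule(5, "permit", "10.1.0.0/16")]

if __name__ == "__main__":
    for name, acl in (("broad first", BROAD_FIRST),
                      ("specific first", SPECIFIC_FIRST)):
        print(name, evaluate(acl, "10.1.1.7"), "shadowed:", shadowed(acl))
```

With the broad permit first, the deny rule for 10.1.1.0/24 is never reached, which is the kind of rule an ACL review should flag.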
The following ACL match orders are available:
•
•