Enhancements
Release M.10.02 Enhancements
Example. Suppose the ACL in Figure 3 is assigned to filter the traffic from an authenticated client on a given port in the switch:
For an inbound packet with a destination IP address of 18.28.156.3, the ACL:
1.Compares the packet to this ACE first.
2.Since there is not a match with the first ACE, the ACL compares the packet to the second ACE, where there is also not a match.
3.The ACL compares the packet to the third ACE. There is an exact match, so the ACL denies (drops) the packet.
4.The packet is not compared to the fourth ACE.
Permit in ip from any to 18.28.136.24
Permit in ip from any to 18.28.156.7 Deny in ip from any to 18.28.156.3 Deny in tcp from any to any 23 Permit in ip from any to any
(Deny in ip from any to any)
This line demonstrates the “deny any any” ACE implicit in every
Figure 3. Example of Sequential Comparison
As shown above, the ACL tries to apply the first ACE in the list. If there is not a match, it tries the second ACE, and so on. When a match is found, the ACL invokes the configured action for that entry (permit or drop the packet) and no further comparisons of the packet are made with the remaining ACEs in the list. This means that when an ACE whose criteria matches a packet is found, the action configured for that ACE is invoked, and any remaining ACEs in the ACL are ignored. Because of this sequential processing, successfully implementing an ACL depends in part on configuring ACEs in the correct order for the overall policy you want the ACL to enforce.
Note
Because only one ACL is allowed on a port, if a statically configured ACL already exists on a port, a
51