IPv4 Access Control Lists (ACLs)

Terminology

ACL Mask: Follows any IPv4 address (source or destination) listed in an ACE. Defines which bits in a packet’s corresponding IPv4 addressing must exactly match the addressing in the ACE, and which bits need not match (wildcards). See also “How an ACE Uses a Mask To Screen Packets for Matches” on page 9-28.)

CIDR: This is the acronym for Classless Inter-Domain Routing.

DA: The acronym used in text to represent Destination Address. In an IPv4 packet, this is the destination address carried in the header, and identifies the destination intended by the packet’s originator. In an extended ACE, this is the second of two addresses required by the ACE to determine whether there is a match between a packet and the ACE. See also “SA”.

Deny: An ACE configured with this action causes the switch to drop a packet for which there is a match within an applicable ACL.

Dynamic Port ACL: An ACL assigned by a RADIUS server to a port to filter inbound IP traffic from a client authenticated by the server for that port. A dynamic port ACL can be configured (on a RADIUS) server to filter inbound IPv4 traffic. When the client session ends, the dynamic port ACL for that client is removed from the port. See also “Implicit Deny”.

Extended ACL: This type of IPv4 Access Control List uses layer-3 IP criteria composed of source and destination addresses and (optionally) TCP/UDP port, ICMP, IGMP, precedence, or ToS criteria to determine whether there is a match with an IP packet. Except for RADIUS-assigned ACLs, which use client credentials for identifiers, extended ACLs require an alphanu­ meric name or an identification number (ID) in the range of 100 - 199.

Identifier: A term used in ACL syntax statements to represent either the name or number by which the ACL can be accessed. See also NAME-STR. Note that RADIUS-assigned ACLs are identified by client authentication data and do not use the identifiers described in this chapter.

Implicit Deny: If the switch finds no matches between an IPv4 packet and the configured criteria in an applicable static or dynamic ACL, then the switch denies (drops) the packet with an implicit deny any function (for standard ACLs) or an implicit deny ip any any function (for extended ACLs). You can preempt the Implicit Deny in a given ACL by configuring a permit any (standard) or permit ip any any (extended) as the last explicit ACE in the ACL. Doing so permits any IPv4 packet that is not explicitly permitted or denied by other ACEs configured sequentially earlier in the ACL. Unless otherwise noted, Implicit Deny refers to the “deny” function enforced by both standard and extended ACLs.

9-11