IPv4 Access Control Lists (ACLs)

Configuring and Assigning an IPv4 ACL

Line #   Action

50       Any packet from any IPv4 SA to any IPv4 DA will be permitted (forwarded). The only traffic to reach this ACE will be IPv4 packets not specifically permitted or denied by the earlier ACEs.

n/a      The Implicit Deny is a function the switch automatically adds as the last action in all ACLs. It denies (drops) any IPv4 traffic from any source to any destination that has not found a match with earlier entries in the ACL. In this example, the ACE at line 50 permits (forwards) any IPv4 traffic not already permitted or denied by the earlier entries in the list, so there is no traffic remaining for action by the Implicit Deny function.

exit     Marks the end of the ACL.

Allowing for the Implied Deny Function

In any ACL having one or more ACEs there will always be a packet match, because the switch automatically applies an Implicit Deny as the last ACE in any ACL. This function is not visible in ACL listings, but is always present. (Refer to figure 9-10.) This means that if you configure the switch to use an ACL for filtering either inbound or outbound IPv4 traffic, any packets not specifically permitted or denied by the explicit entries you create will be denied by the Implicit Deny action. If you want to preempt the Implicit Deny (so that IPv4 traffic not specifically addressed by earlier ACEs in a given ACL will be permitted), insert an explicit permit any (for standard ACLs) or permit ip any any (for extended ACLs) as the last explicit ACE in the ACL.

A Configured ACL Has No Effect Until You Apply It to an Interface

The switch stores ACLs in the configuration file. Thus, until you actually assign an ACL to an interface, it is present in the configuration, but not used (and does not use any of the monitored resources described in the appendix titled “Monitored Resources” in the Management and Configuration Guide for your switch.)

You Can Assign an ACL Name or Number to an Interface Even if the ACL Does Not Exist in the Switch’s Configuration

In this case, if you subsequently create an ACL with that name or number, the switch automatically applies each ACE as soon as you enter it in the running-config file. Similarly, if you modify an existing ACE in an ACL you already applied to an interface, the switch automatically implements the new ACE as soon as you enter it. (See “General ACL Operating Notes” on page 9-99.) The switch allows a maximum of 512 ACLs (IPv4), and determines the total from the number of unique ACL names in the configuration. (For more on this topic, refer to “Monitoring Shared Resources” on page 9-100.)
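The two rules above (first-match evaluation ending in the invisible Implicit Deny unless a trailing permit ip any any preempts it, and an ACL having no effect until it is assigned to an interface) can be checked with the following simulator. It is an added illustration, not switch code or the guide's own material; the ACL name, line numbers and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ace:
    """One access control entry, keyed by the line number shown in the ACL listing."""
    seq: int
    action: str          # "permit" or "deny"
    src: str             # IPv4 network in CIDR form, or "any"
    dst: str = "any"     # extended ACLs also test the destination address

    def matches(self, sa: str, da: str) -> bool:
        def hit(net: str, addr: str) -> bool:
            return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return hit(self.src, sa) and hit(self.dst, da)

@dataclass
class Acl:
    name: str
    aces: list = field(default_factory=list)

    def lookup(self, sa: str, da: str) -> tuple:
        """First match in ascending line order wins. The Implicit Deny is the
        fall-through result; it is never a visible ACE in the listing."""
        for ace in sorted(self.aces, key=lambda a: a.seq):
            if ace.matches(sa, da):
                return ace.action, ace.seq
        return "deny", "implicit"

def filter_packet(assigned: dict, interface: str, sa: str, da: str) -> tuple:
    """An ACL that exists in the configuration but is not assigned to the
    interface has no effect: the packet is forwarded untouched."""
    acl = assigned.get(interface)
    return ("permit", "no-acl") if acl is None else acl.lookup(sa, da)

# Constructed sample ACL (hypothetical addresses): lines 10 and 20 only cover 10.10.10.0/24.
STRICT = Acl("MGMT-FILTER", [
    Ace(10, "deny", "10.10.10.0/24", "192.168.1.0/24"),
    Ace(20, "permit", "10.10.10.0/24"),
])
# Same list with an explicit "permit ip any any" at line 50, preempting the Implicit Deny.
WITH_PERMIT_ANY = Acl("MGMT-FILTER-OPEN", STRICT.aces + [Ace(50, "permit", "any", "any")])

if __name__ == "__main__":
    for acl in (STRICT, WITH_PERMIT_ANY):
        print(acl.name, acl.lookup("172.16.0.5", "8.8.8.8"))    # no explicit ACE covers this source
    print(filter_packet({}, "vlan20", "172.16.0.5", "8.8.8.8"))  # ACL not assigned: forwarded
```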
