Command Line Interface
4-86
4
Access Control List CommandsAccess Control Lists (ACL) provide packet filtering for IP frames (based on address,
protocol, Layer 4 protocol port number or TCP control code) or any frames (based
on MAC address or Ethernet type). To filter packets, first create an access list, add
the required rules, specify a mask to modify the precedence in which the rules are
checked, and then bind the list to a specific port.
Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP addresses,
MAC addresses, or other more specific criteria. This switch tests ingress or egress
packets against the conditions in an ACL one by one. A packet will be accepted as
soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no
rules match for a list of all permit rules, the packet is dropped; and if no rules match
for a list of all deny rules, the packet is accepted.
There are three filtering modes:
• Standard IP ACL mode (STD-ACL) filters packets based on the source IP address.
• Extended IP ACL mode (EXT-ACL) filters packets based on source or destination
IP address, as well as protocol type and protocol port number. If the TCP protocol
is specified, then you can also filter packets based on the TCP control code.
• MAC ACL mode (MAC-ACL) filters packets based on the source or destination
MAC address and the Ethernet frame type (RFC 1060).
The following restrictions apply to ACLs:
• This switch supports ACLs for both ingress and egress filtering. However, you can
only bind one IP ACL and one MAC ACL to any port for ingress filtering, and one
IP ACL and one MAC ACL to any port for egress filtering. In other words, only four
ACLs can be bound to an interface – Ingress IP ACL, Egress IP ACL, Ingress MAC
ACL and Egress MAC ACL.
• When an ACL is bound to an interface as an egress filter, all entries in the ACL
must be deny rules. Otherwise, the bind operation will fail.
• Each ACL can have up to 32 rules.
• The maximum number of ACLs is also 32.
• However, due to resource restrictions, the average number of rules bound the
ports should not exceed 20.
Authenticator State Machine
State Authenticated
Reauth Count 0
Backend State Machine
State Idle
Request Count 0
Identifier(Server) 2
Reauthentication State Machine
State Initialize
Console#