Configuring the Switch

3-92

3
When an ACL is bound to an interface as an egress filter, all entries in the ACL
must be deny rules. Otherwise, the bind operation will fail.
The switch does not support the explicit “deny any any” rule for the egress IP ACL.
If these rules are included in ACL, and you attempt to bind the ACL to an interface
for egress checking, the bind operation will fail.
The order in which active ACLs are checked is as follows:
1. User-defined rules in the Egress IP ACL for egress ports.
2. User-defined rules in the Ingress IP ACL for ingress ports.
3. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.
4. If no explicit rule is matched, the implicit default is permit all.

Setting the ACL Name and Type

Use the ACL Configuration page to designate the name and type of an ACL.
Command Attributes
Name – Name of the ACL. (Maximum length: 15 characters)
Type – There are three filtering modes:
-Standard – IP ACL mode that filters packets based on the source IP address.
-Extended IP ACL mode that filters packets based on source or destination IP
address, as well as protocol type and protocol port number.
-MAC – MAC ACL mode that filters packets based on the source or destination
MAC address and the Ethernet frame type (RFC 1060).
Web – Select Security, ACL, Configuration. Enter an ACL name in the Name field,
select the list type (IP Standard, IP Extended, or MAC), and click Add to open the
configuration page for the new list.
Figure 3-56 Selecting ACL Type
CLI – This example creates a standard IP ACL named david.
Console(config)#access-list ip standard david 4-144
Console(config-std-acl)#