Configuring the Switch
3-66
3
Access Control Lists
Access Control Lists (ACL) provide packet filtering for IP frames (based on address,
protocol, Layer 4 protocol port number or TCP control code) or any frames (based
on MAC address or Ethernet type). To filter incoming packets, first create an access
list, add the required rules, specify a mask to modify the precedence in which the
rules are checked, and then bind the list to a specific port.
Configuring Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP addresses,
MAC addresses, or other more specific criteria. This switch tests ingress or egress
packets against the conditions in an ACL one by one. A packet will be accepted as
soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no
rules match for a list of all permit rules, the packet is dropped; and if no rules match
for a list of all deny rules, the packet is accepted.
You must configure a mask for an ACL rule before you can bind it to a port or set the
queue or frame priorities associated with the rule. This is done by specifying masks
that control the order in which ACL rules are checked. The switch includes two
system default masks that pass/filter packets matching the permit/deny rules
specified in an ingress ACL. You can also configure up to seven user-defined masks
for an ingress or egress ACL.
Command Usage
The following restrictions apply to ACLs:
• Each ACL can have up to 32 rules.
• The maximum number of ACLs is also 32.
• However, due to resource restrictions, the average number of rules bound to the
ports should not exceed 20.
• You must configure a mask for an ACL rule before you can bind it to a port or set
the queue or frame priorities associated with the rule.
• When an ACL is bound to an interface as an egress filter, all entries in the ACL
must be deny rules. Otherwise, the bind operation will fail.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL
or the egress MAC ACLs. If these rules are included in an ACL, and you attempt
to bind the ACL to an interface for egress checking, the bind operation will fail.
The order in which active ACLs are checked is as follows:
1. User-defined rules in the Egress MAC ACL for egress ports.
2. User-defined rules in the Egress IP ACL for egress ports.
3. User-defined rules in the Ingress MAC ACL for ingress ports.
4. User-defined rules in the Ingress IP ACL for ingress ports.
5. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.
6. Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports.
7. If no explicit rule is matched, the implicit default is permit all.