
Cisco SF 302-08P User Manual

326 pages
Access Control
Access Control Lists
Cisco Small Business 300 Series Managed Switch Administration Guide 233
17
When a packet matches an ACE filter, the ACE action is taken and processing of
that ACL stops. If the packet does not match the ACE filter, the next ACE is
processed. If all ACEs of an ACL have been processed without finding a match,
and another ACL exists, it is processed in the same manner. If no ACE in any of
the relevant ACLs matches, the packet is dropped (the default action). Because
of this default drop action, you must explicitly add ACEs to the ACL to permit all
traffic, including management traffic such as Telnet, HTTP or SNMP that is
directed to the switch itself.
If IGMP/MLD snooping is enabled on a port that is bound to an ACL, add ACE filters
to the ACL to forward IGMP/MLD packets to the switch. Otherwise, IGMP/MLD
snooping will fail on that port.
The order of the ACEs within the ACL is significant, since they are applied in a first-
fit manner. The ACEs are processed sequentially, starting with the first ACE.
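The first-fit processing and default drop described above, as an added example that is not part of the Cisco guide or the switch firmware. It is a simplified model: the Packet and ACE classes, the evaluate function, the ACL name and all addresses are constructed for illustration, and only source, destination, protocol and destination port are matched.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp", "igmp", ...
    dport: Optional[int] = None

@dataclass(frozen=True)
class ACE:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

def evaluate(acls, pkt):
    """Return (action, acl_name, ace_index) for the first matching ACE."""
    for name, aces in acls:              # ACLs are tried one after another
        for index, ace in enumerate(aces):
            if ace.matches(pkt):         # first fit: stop at the first match
                return ace.action, name, index
    return "deny", None, None            # no ACE matched: default drop

# Constructed sample data (addresses and ACL name are made up).
SWITCH = "192.0.2.1"
ACLS = [("port-acl", [
    ACE("deny", src="10.0.0.66/32"),                     # block one host
    ACE("permit", src="10.0.0.0/24", dst=SWITCH + "/32", proto="tcp", dport=80),
    ACE("permit", proto="igmp"),                         # keep snooping working
])]

if __name__ == "__main__":
    for pkt in (Packet("10.0.0.5", SWITCH, "tcp", 80),      # HTTP management
                Packet("10.0.0.66", SWITCH, "tcp", 80),     # blocked host
                Packet("10.0.0.5", SWITCH, "udp", 161),     # SNMP, no ACE
                Packet("10.0.0.5", "224.0.0.22", "igmp")):  # IGMP report
        print(pkt, "->", evaluate(ACLS, pkt))
```

The SNMP packet falls through to the default drop because no ACE permits it, and swapping the first two ACEs would let the blocked host reach the HTTP management interface.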
ACLs can be used for security, for example by permitting or denying certain traffic
flows, and also for traffic classification and prioritization in the QoS Advanced
mode.
NOTE A port can be either secured with ACLs or configured with advanced QoS policy,
but not both.
There can only be one ACL per port, with the exception that it is possible to
associate both an IP-based ACL and an IPv6-based ACL with a single port. To
associate more than one ACL with a port, a policy with one or more class maps
must be used (see Configuring a Policy Table in QoS Advanced Mode). The
following types of ACLs can be defined (depending on which part of the frame
header is examined):
• MAC ACL—Examines Layer 2 fields only, as described in Defining
MAC-based ACLs
• IP ACL—Examines the L3 layer of IP frames, as described in IPv4-based
ACLs
• IPv6 ACL—Examines the L3 layer of IPv6 frames, as described in
Defining IPv6-Based ACL
If a frame matches the filter in an ACL, it is defined as a flow with the name of that
ACL. In advanced QoS, these frames can be referred to using this Flow name, and
QoS can be applied to these frames (see QoS Advanced Mode).
