450
Configuring ACLs
Unless otherwise stated, ACLs refer to both IPv4 and IPv6 ACLs throughout this document. Grayed-out
options on Web configuration pages cannot be configured.
Overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are essentially used for packet filtering. A packet filter drops packets that match a deny rule and
permits packets that match a permit rule. ACLs are also widely used by many modules, for example, QoS
and IP routing, for traffic identification.
ACL categories
Cate
Basic ACLs 2000 to 2999
IPv4 Source IPv4 address
IPv6 Source IPv6 address
Advanced ACLs 3000 to 3999
IPv4
Source/destination IPv4 address, protocol number,
and other Layer 3 and Layer 4 header fields
IPv6
Source/destination IPv6 address, protocol number,
and other Layer 3 and Layer 4 header fields
Ethernet frame
header ACLs
4000 to 4999
IPv4 and
IPv6
Layer 2 header fields, such as source and destination
MAC addresses, 802.1p priority, and link layer
protocol type
Match order
The rules in an ACL are sorted in certain order. When a packet matches a rule, the device stops the match
process and performs the action defined in the rule. If an ACL contains overlapping or conflicting rules,
the matching result and action to take depend on the rule order.
The following ACL match orders are available:
• Config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this method, check the rule content and order carefully.
• Auto—Sorts ACL rules in depth-first order. Depth-first ordering makes sure any subset of a rule is
always matched before the rule. Table 136 lists the
sequence of tie breakers that depth-first ordering
uses to sort rules for each type of ACL.
To Next Page
Loading...
Need help?
General
