10-20
IPv4 Access Control Lists (ACLs)
Overview
Note In cases where an RACL and any type of port or VLAN ACL are filtering traffic
entering the switch, the switched traffic explicitly permitted by the port or
VLAN ACL is not filtered by the RACL (except where the traffic has a
destination on the switch itself). However, routed traffic explicitly permitted
by the port or VLAN ACL (and any switched traffic having a destination on the
switch itself) must also be explicitly permitted by the RACL, or it will be
dropped.
Also, a switched packet is not affected by an outbound RACL assigned to the
VLAN on which the packet exits from the switch.
For a Packet To Be Permitted, It Must Have a Match with a “Permit”
ACE in All Applicable ACLs Assigned to an Interface. On a given inter-
face where multiple ACLs apply to the same traffic, a packet having a match
with a deny ACE in any applicable ACL on the interface (including an implicit
deny any) will be dropped.
For example, suppose the following is true:
■ Port A10 belongs to VLAN 100.
■ A static port ACL is configured on port A10.
■ A VACL is configured on VLAN 100.
■ An RACL is also configured for inbound, routed traffic on VLAN 100.
To Next Page
Loading...
Need help?
General