10-21
IPv4 Access Control Lists (ACLs)
Overview
An inbound, switched packet entering on port A10, with a destination on port
A12, will be screened by the static port ACL and the VACL, regardless of a
match with any permit or deny action. A match with a deny action (including
an implicit deny) in either ACL will cause the switch to drop the packet. (If
the packet has a match with explicit deny ACEs in multiple ACLs and the log
option is included in these ACEs, then a separate log event will occur for each
match.) The switched packet will not be screened by the RACL.
However, suppose that VLAN 2 in figure 10-4 (page 10-21) is configured with
the following:
■ A VACL permitting traffic having a destination on the 10.28.10.0
subnet
■ An RACL that denies inbound traffic having a destination on the
10.28.10.0 subnet
In this case, no IPv4 traffic received on the switch from clients on the
10.28.20.0 subnet will reach the 10.28.10.0 subnet, even though the VACL
allows such traffic. This is because the deny in the RACL causes the switch to
drop the traffic regardless of whether any other VACLs permit the traffic.
Figure 10-4. Example of Order of Application for Multiple ACLs on an Interface
Exception for Connection-Rate Filtering. Connection-rate filtering can
be configured along with one or more other ACL applications on the same
interface. In this case, a connection-rate match for a filter action is carried out
according to the configured policy, regardless of whether any other ACLs on
the interface have a match for a deny action. Also, if a connection-rate filter
permits (ignore action) a packet, it can still be denied by another ACL on the
interface.
VLAN 1
10.28.10.1
(One Subnet)
VLAN 2 with a VACL and
an RACL
10.28.20.1
VLAN 3
(Multiple Subnets)
10.28 .40. 1 10.28 .30. 1
Switch with IPv4 Routing
10.28.10.5
10.28.20.99
10.28.30.33
Subnet Mask: 255.255.255.0.
• RACL on VLAN2 denies IPv4
traffic having a destination on
the 10.28.10.0 subnet.
• VACL on VLAN2 permits IPv4
traffic having a destination on
the 10.28.10.0 subnet.
Because the RACL on VLAN 2
denies traffic entering the
switch for the 10,28.10.0
subnet destination, no IPv4
traffic received inbound from
clients on the 10.28.20.0 subnet
will reach the 10.28.10.0
subnet, even though the VACL
permits this traffic.
10.28.40.22
A
D
C
E
10.28.20.88
B
To Next Page
Loading...
Need help?
General