Access Control Lists (ACLs) for the Series 5300xl Switches
Planning an ACL Application
permit any packets that you have not expressly denied, you must enter
a permit any or permit ip any any as the last ACE in an ACL. Because,
for a given packet the switch sequentially applies the ACEs in an ACL
until it finds a match, any packet that reaches the permit any or permit
ip any any entry will be permitted, and will not encounter the “deny ip
any” ACE the switch automatically includes at the end of the ACL. For
an example, refer to figure
9-4 on page 9-15.
■ Explicitly Permitting Any IP Traffic: Entering a permit any or a
permit ip any any ACE in an ACL permits all IP traffic not previously
permitted or denied by that ACL. Any ACEs listed after that point do
not have any effect.
■ Explicitly Denying Any IP Traffic: Entering a deny any or a deny ip
any any ACE in an ACL denies all IP traffic not previously permitted
or denied by that ACL. Any ACEs listed after that point have no effect.
■ Replacing One ACL with Another: The last ACL assigned for
inbound (“in”) or outbound (“out”) packet filtering on an interface
replaces any other ACL previously configured for the same purpose.
For example, if you configured ACL 100 to filter inbound traffic on
VLAN 20, but later, you configured ACL 112 to filter inbound traffic
on this same VLAN, ACL 112 replaces ACL 100 as the ACL to use for
filtering inbound traffic on VLAN 20.
■ ACLs Operate On Static VLANs: You can assign an ACL to any
VLAN that is statically configured on the switch. ACLs do not operate
with dynamic VLANs.
■ An ACL Affects All Physical Ports in a Static VLAN: An ACL
assigned to a VLAN applies to all physical ports on the switch that
belong to that VLAN, including ports that have dynamically joined the
VLAN.
■ ACLs Screen Traffic Entering or Leaving the Switch on a VLAN:
On a given VLAN, ACLs can screen inbound or outbound traffic at the
point where it enters or leaves the switch. ACLs do not screen traffic
moving between VLANs within the switch or between subnets in a
multinetted VLAN. (See figure
9-1.)
■ ACLs Do Not Filter Switched Traffic Unless the Switch Itself
is the DA: ACLs do not filter:
• Traffic moving between ports belonging to the same subnet
• Traffic leaving the switch with an SA on the switch itself
ACLs do filter switched or routed traffic having a DA on the switch.
9-19
To Next Page
Loading...
Need help?
General