Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches
Planning an ACL Application on a Series 3400cl or Series 6400cl Switch
and subnet mask are duplicates of the IP address and subnet mask
used for the implicit deny ip any any ACE that the switch automatically
includes at the end of every ACL.
Table 10-3. ACL Rule and Mask Resource Usage

| ACE Type | Per-Port Rule Usage | Per-Port Mask Usage |
|---|---|---|
| Standard ACLs | | |
| Implicit deny any (automatically included in any standard ACL, but not displayed by the show access-list <acl-#> command) | 1 | 1 |
| First ACE entered | 1 | 1 |
| Next ACE entered with the same ACL mask [1] | 1 | 0 |
| Next ACE entered with a different ACL mask [1] | 1 | 1 |
| Closing ACL with a deny any or permit any ACE having the same ACL mask as the preceding ACE | 0 | 0 |
| Closing ACL with a deny any or permit any ACE having a different ACL mask than the preceding ACE | 1 | 1 |
| Extended ACLs | | |
| Implicit deny ip any any (automatically included in any extended ACL, but not displayed by the show access-list <acl-#> command) | 1 | 1 |
| First ACE entered | 1 | 1 |
| Next ACE entered with the same SA/DA ACL mask and the same IP or TCP/UDP protocol specified [2] | 1 | 0 |
| Next ACE entered with any of the following differences from the preceding ACE in the list: a different SA or DA ACL mask; a different protocol (IP as opposed to TCP/UDP) specified in either the SA or DA [3] | 1 | 1 |
| Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with the same SA and DA ACL masks | 0 | 0 |
| Closing an ACL with a deny ip any any or permit ip any any ACE preceded by an IP ACE with different SA and/or DA ACL masks | 1 | 1 |

[1] In a given standard ACL, consecutive ACEs must have identical ACL masks in their SA entries to avoid using a separate per-port mask for each ACE. In a given standard ACL, if two ACEs having identical SA ACL masks are separated by an ACE with a different SA ACL mask, then three per-port masks are used instead of two: one for each sequential change in SA ACL masks. Thus, you can conserve per-port resources by grouping SA entries with the same ACL mask together.

[2] In a given extended ACL, consecutive ACEs must have the same SA and DA ACL mask and the same protocol application (IP as opposed to TCP/UDP) to avoid using a separate per-port mask for each ACE. If consecutive ACEs have different SA or DA ACL masks, or different protocol applications, then each such ACE consumes a separate per-port mask.

[3] TCP and UDP are the same for the purpose of determining per-port mask use. Also, actual TCP or UDP port numbers can vary between ACEs without affecting per-port mask usage. However, if one ACE specifies a TCP/UDP source port and another does not, another per-port mask will be used.
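The accounting in Table 10-3 and its footnotes can be turned into a small planning calculator, which is useful when deciding how to order ACEs before the per-port mask budget runs out. The following Python model is an added example written for this page, not code from the manual or from HP: it encodes only the counting rules stated in the table (one rule per explicit ACE, a new mask whenever the SA/DA mask or IP-versus-TCP/UDP application changes, port presence but not port number mattering, the closing "any" ACE costing 0/0 or 1/1, and the implicit deny always costing 1/1). The Ace data model, the mask_key function and the representation of the "any" keyword as an all-wildcard mask of 255.255.255.255 are assumptions of the example, and the sample ACLs are constructed, not taken from the manual.

```python
"""Per-port rule/mask accounting modelled on Table 10-3 (added illustration).

The counting rules come from the table and its footnotes; the data model
(Ace, mask_key, ANY) is an assumption of this example, not HP's implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "255.255.255.255"  # assumption: the 'any' keyword expands to an all-wildcard ACL mask


@dataclass(frozen=True)
class Ace:
    """One ACE reduced to the fields that decide mask consumption."""
    sa_mask: str                    # source ACL mask, e.g. "0.0.0.255"
    da_mask: Optional[str] = None   # destination ACL mask (extended ACLs only)
    proto: str = "ip"               # "ip", "tcp" or "udp"
    has_port: bool = False          # True if a TCP/UDP port is specified
    closing_any: bool = False       # explicit trailing 'deny/permit (ip) any (any)'


def mask_key(ace: Ace, extended: bool) -> tuple:
    """The attributes that must match the preceding ACE for it to reuse a mask.

    Footnote 3: TCP and UDP count as the same protocol, and the actual port
    numbers do not matter, but 'port given' versus 'no port given' does.
    """
    proto = "tcp/udp" if ace.proto in ("tcp", "udp") else "ip"
    if extended:
        return (ace.sa_mask, ace.da_mask, proto, ace.has_port)
    return (ace.sa_mask,)


def acl_resource_usage(aces: List[Ace], extended: bool = False) -> Tuple[int, int]:
    """Return (per-port rules, per-port masks) consumed by an ACL per Table 10-3."""
    rules = masks = 0
    prev_key = None
    for ace in aces:
        key = mask_key(ace, extended)
        if ace.closing_any:
            if key == prev_key:
                continue              # same mask as the preceding ACE: 0 rules, 0 masks
            rules += 1                # different mask: 1 rule, 1 mask
            masks += 1
        else:
            rules += 1                # every explicit ACE costs one rule
            if key != prev_key:
                masks += 1            # a new mask only when the key changes
        prev_key = key
    # The implicit 'deny (ip) any (any)' the switch appends: always 1 rule, 1 mask.
    return rules + 1, masks + 1


def closing_any(extended: bool = False) -> Ace:
    """An explicit 'permit any' / 'deny ip any any' terminator ACE."""
    return Ace(ANY, ANY if extended else None, "ip", False, closing_any=True)


# Constructed sample ACLs (not from the manual) illustrating footnotes 1 and 3.
# Footnote 1: the same three standard ACEs, interleaved versus grouped by SA mask.
INTERLEAVED = [Ace("0.0.0.255"), Ace("0.0.255.255"), Ace("0.0.0.255")]
GROUPED = [Ace("0.0.0.255"), Ace("0.0.0.255"), Ace("0.0.255.255")]

# Footnote 3: port numbers and TCP-versus-UDP add no masks; dropping the port does.
EXTENDED = [
    Ace("0.0.0.255", "0.0.0.0", "tcp", has_port=True),   # e.g. tcp ... eq 22
    Ace("0.0.0.255", "0.0.0.0", "tcp", has_port=True),   # e.g. tcp ... eq 443
    Ace("0.0.0.255", "0.0.0.0", "udp", has_port=True),   # e.g. udp ... eq 53
    Ace("0.0.0.255", "0.0.0.0", "tcp"),                  # tcp with no port: new mask
]

if __name__ == "__main__":
    print("interleaved standard:", acl_resource_usage(INTERLEAVED))              # (4, 4)
    print("grouped standard:   ", acl_resource_usage(GROUPED))                  # (4, 3)
    print("extended:           ", acl_resource_usage(EXTENDED, extended=True))  # (5, 3)
```

Running the script shows the footnote-1 effect directly: the interleaved standard ACL needs four per-port masks, the grouped version of the same three ACEs only three. Because an ACL is evaluated top to bottom with first match winning, regroup ACEs only where the reordered entries cannot match the same packet with different actions; otherwise the mask saving comes at the cost of a changed filtering result.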
10-19