Access Control Lists
An Access Control List (ACL) is an ordered list of classification filters and actions. Each single classification rule, together with its action, is called an Access Control Element (ACE).
Each ACE is made up of filters that distinguish traffic groups and associated actions. A single ACL may contain one or more ACEs, which are matched against the contents of incoming frames. Either a DENY or PERMIT action is applied to frames whose contents match the filter.
The switch supports a maximum of 512 ACLs and a maximum of 512 ACEs.
When a packet matches an ACE filter, the ACE action is taken and that ACL processing is stopped. If the packet does not match the ACE filter, the next ACE is processed. If all ACEs of an ACL have been processed without finding a match, and if another ACL exists, it is processed in a similar manner.
NOTE If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a default action). Because of this default drop action you must explicitly add ACEs into the ACL to permit the desired traffic, including management traffic, such as Telnet, HTTP or SNMP that is directed to the switch itself. For example, if you do not want to discard all the packets that do not match the conditions in an ACL, you must explicitly add a lowest priority ACE into the ACL that permits all the traffic.
If IGMP/MLD snooping is enabled on a port bound with an ACL, add ACE filters in the ACL to forward IGMP/MLD packets to the switch. Otherwise, IGMP/MLD snooping will fail at the port.
The order of the ACEs within the ACL is significant, since they are applied in a first-fit manner. The ACEs are processed sequentially, starting with the first ACE.
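The matching rules above (first-fit within an ACL, fall-through to the next bound ACL, and the implicit drop when nothing matches) are easy to get wrong in practice, so here is an added example that simulates them. This is illustrative code written for this page, not the switch's firmware or any vendor tool; the frame fields, the `Ace`/`Acl` classes, the management address 192.0.2.1 and the address ranges are constructed sample values. It shows why an ACL that only contains a DENY silently drops management traffic, why a lowest-priority permit-all ACE fixes that, and why the same ACEs in the wrong order no longer block anything.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PERMIT, DENY = "PERMIT", "DENY"


@dataclass(frozen=True)
class Frame:
    """Minimal view of an incoming frame (constructed for this example)."""
    src: str
    dst: str
    proto: str                  # e.g. "tcp", "udp", "igmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One classification filter plus its action; a None field matches anything."""
    action: str
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR
    dst: Optional[str] = None   # CIDR
    dport: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.src is not None and ip_address(f.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        return True


@dataclass(frozen=True)
class Acl:
    name: str
    aces: Tuple[Ace, ...]       # ordered; evaluated first-fit


def evaluate(bound_acls, frame: Frame):
    """Return (action, reason) for a frame against the ACLs bound to a port.

    The first ACE whose filter matches decides and processing stops. If no ACE
    in an ACL matches, the next bound ACL is tried. If nothing matches anywhere,
    the frame is dropped (the default action described in the text).
    """
    for acl in bound_acls:
        for idx, ace in enumerate(acl.aces, start=1):
            if ace.matches(frame):
                return ace.action, f"{acl.name}#{idx}"
    return DENY, "implicit-drop"


# Constructed sample values: the switch's own address, an admin subnet, an
# untrusted subnet. None of these come from a real deployment.
SWITCH = "192.0.2.1/32"
UNTRUSTED = "198.51.100.0/24"

# Blocks Telnet from the untrusted range and nothing else: every other frame,
# including SNMP to the switch itself, falls off the end and is dropped.
INCOMPLETE = Acl("blocktelnet", (
    Ace(DENY, proto="tcp", src=UNTRUSTED, dport=23),
))

# Same deny, then explicit permits for management and IGMP traffic, and a
# lowest-priority permit-all so unmatched traffic is not silently discarded.
COMPLETE = Acl("mgmt", (
    Ace(DENY, proto="tcp", src=UNTRUSTED, dport=23),
    Ace(PERMIT, proto="udp", dst=SWITCH, dport=161),
    Ace(PERMIT, proto="igmp"),
    Ace(PERMIT),
))

# The same ACEs with the permit-all first: first-fit means the deny is never reached.
MISORDERED = Acl("misordered", (Ace(PERMIT),) + COMPLETE.aces[:3])

TELNET_FROM_OUTSIDE = Frame("198.51.100.7", "192.0.2.1", "tcp", 23)
SNMP_FROM_ADMIN = Frame("192.0.2.10", "192.0.2.1", "udp", 161)
IGMP_REPORT = Frame("192.0.2.10", "224.0.0.22", "igmp")
HTTP_FROM_ADMIN = Frame("192.0.2.10", "192.0.2.1", "tcp", 80)


if __name__ == "__main__":
    for label, acls in (("incomplete", [INCOMPLETE]), ("complete", [COMPLETE]),
                        ("misordered", [MISORDERED]), ("both", [INCOMPLETE, COMPLETE])):
        for frame in (TELNET_FROM_OUTSIDE, SNMP_FROM_ADMIN, IGMP_REPORT, HTTP_FROM_ADMIN):
            print(f"{label:10} {frame.proto:4} {frame.src:>14} -> {evaluate(acls, frame)}")
```

Running the block prints one verdict per ACL set and frame. The `INCOMPLETE` set drops the admin's SNMP poll with reason `implicit-drop`, which is the failure mode the note warns about; `COMPLETE` denies the outside Telnet attempt at its first ACE and permits everything else by name; `MISORDERED` permits the Telnet attempt at ACE 1 because the deny is never consulted; binding both ACLs shows the fall-through from an ACL with no match into the next one.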
ACLs can be used for security, for example by permitting or denying certain traffic flows, and also for traffic classification and prioritization in the QoS Advanced mode.
NOTE A port can be either secured with ACLs or configured with advanced QoS policy, but not both.
There can only be one ACL per port, with the exception that it is possible to associate both an IP-based ACL and an IPv6-based ACL with a single port. To associate more than one ACL with a port, a policy with one or more class maps must be used (see Configuring a Policy Table in QoS Advanced Mode). The following types of ACLs can be defined (depending on which part of the frame header is examined):
If a frame matches the filter in an ACL, it is defined as a flow with the name of that ACL. In advanced QoS, these frames can be referred to using this Flow name, and QoS can be applied to these frames (see QoS Advanced Mode).
Creating ACLs Workflow
To create ACLs and associate them with an interface, perform the following:
Modifying ACLs Workflow
An ACL can only be modified if it is not in use. The following describes the process of unbinding an ACL in order to modify it:
- If the ACL does not belong to a QoS Advanced Mode class map, but it has been associated with an interface, unbind it from the interface using the ACL Binding page.
- If the ACL is part of the class map and not bound to an interface, then it can be modified.
- If the ACL is part of a class map contained in a policy bound to an interface, you must perform the chain of unbinding as follows:
Only then can the ACL be modified, as described in the following sections.