ACL configuration structure

After you enter an ACL command, you may want to inspect the resulting configuration. This is especially true when you are entering multiple ACEs into an ACL. It is also helpful to understand the configuration structure before using the information that follows.

The basic ACL structure includes four elements:

  1. ACL identity and type: Identifies the ACL as standard or extended and shows the ACL name or number.
  2. Optional remark entries.
  3. One or more deny/permit list entries (ACEs): One entry per line.

    Element                   Notes
    Type                      Standard or Extended.
    Identifier                • Alphanumeric: up to 64 characters, including spaces.
                              • Numeric: 1 - 99 (standard) or 100 - 199 (extended).
    Remark                    Allows up to 100 alphanumeric characters, including blank
                              spaces. (If any spaces are used, the remark must be enclosed
                              in a pair of single or double quotes.) A remark is associated
                              with a particular ACE and has the same sequence number as the
                              ACE. (One remark is allowed per ACE.) See Attaching a remark
                              to an ACE.
    Maximum ACEs per switch   The upper limit on ACEs supported by the switch depends on the
                              concurrent resource usage by configured ACL, QoS, mirroring,
                              virus-throttling, and other features. See IPv4 ACL
                              configuration and operating rules.

  4. Implicit Deny: Where an ACL is in use, it denies any packets that do not have a match with the ACEs explicitly configured in the list. The Implicit Deny does not appear in ACL configuration listings, but always functions when the switch uses an ACL to filter packets. (You cannot delete the Implicit Deny, but you can supersede it with a permit any or permit ip any any statement.)
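The structural rules above (identifier type and range, the 64-character name limit, the 100-character remark limit and its quoting rule, one remark per ACE sharing the ACE's sequence number, and the implicit deny that only an explicit permit any or permit ip any any supersedes) can be checked mechanically against a saved configuration. The following is an added audit script, not code from the original page or from the switch vendor; the "ip access-list ... / <sequence> <action> ..." listing layout it parses and the two sample listings are constructed assumptions, while the limits it enforces are the ones stated in the table and list above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample listings. The "ip access-list" / "<seq> <action> ..." layout is an
# assumption about the configuration syntax; the limits checked below (identifier ranges,
# 64-character names, 100-character remarks, one remark per ACE, implicit deny) are the
# ones stated on the page.
GOOD_ACL = """\
ip access-list extended "Accounting"
   10 remark "Permit the accounting subnet"
   10 permit ip 10.10.10.0 0.0.0.255 any
   20 remark "Drop the lab VLAN"
   20 deny ip 10.10.20.0 0.0.0.255 any
   exit
"""

BAD_ACL = """\
ip access-list standard 150
   10 remark unquoted remark with spaces
   10 remark "second remark on the same ACE"
   10 permit 10.10.10.0 0.0.0.255
   20 remark "remark with no matching ACE"
   30 permit any
   exit
"""

HEADER_RE = re.compile(r'^ip access-list (standard|extended) (?:"([^"]*)"|(\d+))$')
ENTRY_RE = re.compile(r'^(\d+) (remark|permit|deny) (.*)$')


@dataclass
class AclReport:
    acl_type: str = ""
    identifier: str = ""
    aces: list = field(default_factory=list)      # (sequence, action, match text)
    remarks: dict = field(default_factory=dict)   # sequence -> remark text
    problems: list = field(default_factory=list)

    @property
    def implicit_deny_reachable(self) -> bool:
        """True unless the final ACE is a permit-any that supersedes the implicit deny."""
        if not self.aces:
            return True
        _, action, rest = self.aces[-1]
        return not (action == "permit" and rest in ("any", "ip any any"))


def _check_identifier(rep: AclReport, name, number):
    """Numeric IDs must fall in the range for the ACL type; names are limited to 64 chars."""
    if number is not None:
        n = int(number)
        lo, hi = (1, 99) if rep.acl_type == "standard" else (100, 199)
        if not lo <= n <= hi:
            rep.problems.append(f"numeric identifier {n} is outside {lo}-{hi} for a {rep.acl_type} ACL")
        rep.identifier = number
    else:
        if len(name) > 64:
            rep.problems.append(f"name is {len(name)} characters; limit is 64")
        rep.identifier = name


def _check_remark(rep: AclReport, seq: int, rest: str):
    """Remarks with spaces must be quoted, may not exceed 100 chars, and one per ACE."""
    if len(rest) >= 2 and rest[0] in ('"', "'") and rest.endswith(rest[0]):
        text = rest[1:-1]
    else:
        text = rest
        if " " in text:
            rep.problems.append(f"remark at {seq} contains spaces but is not quoted")
    if len(text) > 100:
        rep.problems.append(f"remark at {seq} is {len(text)} characters; limit is 100")
    if seq in rep.remarks:
        rep.problems.append(f"more than one remark for ACE {seq}")
    rep.remarks.setdefault(seq, text)


def audit_acl(text: str) -> AclReport:
    """Parse one ACL listing and collect every violation of the structural rules."""
    rep = AclReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "exit":
            continue
        m = HEADER_RE.match(line)
        if m:
            rep.acl_type = m.group(1)
            _check_identifier(rep, m.group(2), m.group(3))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            rep.problems.append(f"unrecognised line: {line!r}")
            continue
        seq, kind, rest = int(m.group(1)), m.group(2), m.group(3)
        if kind == "remark":
            _check_remark(rep, seq, rest)
        else:
            rep.aces.append((seq, kind, rest))
    # A remark is tied to the ACE with the same sequence number; flag orphans.
    ace_seqs = {s for s, _, _ in rep.aces}
    for seq in rep.remarks:
        if seq not in ace_seqs:
            rep.problems.append(f"remark at {seq} has no ACE with that sequence number")
    return rep


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        r = audit_acl(cfg)
        print(f"{label}: {r.acl_type} {r.identifier!r}, {len(r.aces)} ACEs, "
              f"implicit deny reachable: {r.implicit_deny_reachable}")
        for p in r.problems:
            print("  -", p)
```

The implicit_deny_reachable flag is the review point most worth reading: because the implicit deny never appears in the listing, an auditor comparing two ACLs sees no difference between one that ends in an explicit permit ip any any and one that silently drops everything unmatched, so the script reports that property explicitly rather than leaving it to be inferred.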