IPv4 ACL configuration and operating rules

RACLs and routed IPv4 traffic

Except for any IPv4 traffic with a DA on the switch itself, RACLs filter only routed IPv4 traffic that is entering or leaving the switch on a given VLAN. Thus, if routing is not enabled on the switch, there is no routed traffic for RACLs to filter. For more on routing, see the latest multicast and routing guide for your switch.

VACLs and switched or routed IPv4 traffic

A VACL filters traffic entering the switch on the VLANs to which it is assigned.

Static port ACLs

A static port ACL filters traffic entering the switch on the ports or trunks to which it is assigned.

Per-switch ACL limits for all ACL types

At a minimum, an ACL must have one explicit "permit" or "deny" Access Control Entry (ACE). You can configure up to 2048 ACLs each for IPv4 and IPv6. The maximums are as follows:

  • Named (Extended or Standard) ACLs: Up to 2048 (minus any numeric standard or extended ACL assignments, and any RADIUS-assigned ACLs)

  • Numeric Standard ACLs: Up to 99; numeric range: 1 - 99

  • Numeric Extended ACLs: Up to 100; numeric range: 100 - 199

  • The maximum number of ACEs supported by the switch is up to 3072 IPv4 ACEs and up to 3072 IPv6 ACEs. The maximum number of ACEs allowed on a VLAN or port depends on the concurrent resource usage by multiple configured features. For more information, use the show {<qos | access-list>} resources command. For a summary of IPv4 and IPv6 ACL resource limits, see the appendix covering scalability in the latest management and configuration guide for your switch.

Implicit deny

In any static IPv4 ACL, the switch automatically applies an implicit deny ip any that does not appear in show listings. This means that the ACL denies any IPv4 packet it encounters that does not match an entry in the ACL. Thus, if you want an ACL to permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last ACE in the ACL. Because, for a given packet, the switch applies the ACEs in an ACL sequentially until it finds a match, any packet that reaches the permit any or permit ip any any entry is permitted and never encounters the deny ip any ACE the switch automatically includes at the end of the ACL. For Implicit Deny operation in dynamic ACLs, see RADIUS services supported on switches.

Explicitly permitting any IPv4 traffic

Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.

Explicitly denying any IPv4 traffic

Entering a deny any or a deny ip any any ACE in an ACL denies all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs after that point have no effect.
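The three rules above (first match wins, an undisplayed deny at the end, and nothing after a "permit ip any any" or "deny ip any any" ever taking effect) can be checked against a small model of ACL evaluation. The following is an added example written for this page, not code from the switch documentation or from any vendor tool; the ACE fields, the sample ACL and the addresses in it are constructed for illustration. Besides evaluating packets, it reports ACEs that are shadowed by an earlier catch-all entry, which is the usual way an intended deny silently stops applying.

```python
# Added example (not from the switch documentation): model of static IPv4 ACL
# evaluation showing the implicit deny and the effect of a catch-all ACE.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")   # stands in for the keyword "any"


@dataclass(frozen=True)
class ACE:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every IPv4 protocol; else "tcp", "udp", ...
    src: IPv4Network                # source prefix (ANY = any host)
    dst: IPv4Network                # destination prefix
    dst_port: Optional[int] = None  # None = any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dst_port: Optional[int] = None


def matches(ace: ACE, pkt: Packet) -> bool:
    """True when the ACE's match criteria cover the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if pkt.src not in ace.src or pkt.dst not in ace.dst:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Apply ACEs in order; the first match decides.

    Returns (action, index of the matching ACE). A packet that matches no
    configured ACE hits the implicit deny the switch appends but does not
    display; that case is reported with index None.
    """
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", None  # implicit deny ip any


def is_catch_all(ace: ACE) -> bool:
    """An ACE equivalent to 'permit/deny any' or 'permit/deny ip any any'."""
    return ace.proto == "ip" and ace.src == ANY and ace.dst == ANY and ace.dst_port is None


def shadowed_entries(acl: List[ACE]) -> List[int]:
    """Indices of ACEs that can never match because an earlier catch-all ACE
    already decides every packet (the 'no effect' case described in the text)."""
    for i, ace in enumerate(acl):
        if is_catch_all(ace):
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample ACL: permit SSH into the management subnet, block one host,
# then explicitly permit everything else. The final ACE is unreachable.
SAMPLE_ACL = [
    ACE("permit", "tcp", IPv4Network("10.1.0.0/24"), IPv4Network("10.2.0.0/24"), 22),
    ACE("deny", "ip", IPv4Network("192.168.5.7/32"), ANY),
    ACE("permit", "ip", ANY, ANY),        # explicit permit ip any any
    ACE("deny", "udp", ANY, ANY, 53),     # shadowed: never evaluated
]

# The same ACL without the catch-all permit: unmatched traffic is dropped by the implicit deny.
STRICT_ACL = SAMPLE_ACL[:2]


if __name__ == "__main__":
    http = Packet("tcp", IPv4Address("10.1.0.9"), IPv4Address("10.2.0.5"), 80)
    print(evaluate(SAMPLE_ACL, http))     # ('permit', 2)
    print(evaluate(STRICT_ACL, http))     # ('deny', None)  -> implicit deny
    print(shadowed_entries(SAMPLE_ACL))   # [3]
```

Running the module prints the decision for a plain HTTP packet under both ACLs: the version with "permit ip any any" passes it, the version without it drops it via the implicit deny, and the shadow check flags the DNS deny that sits behind the catch-all.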

Replacing one ACL with another using the same application

For a specific interface, the most recent ACL assignment using a given application replaces any previous ACL assignment using the same application on the same interface. For example, if you configure an RACL named "100" to filter inbound routed traffic on VLAN 20 and later configure another RACL named "112" to filter inbound routed traffic on the same VLAN, RACL 112 replaces RACL 100 as the ACL in use.

Static port ACLs:

These are applied per-port, per port-list, or per static trunk. Adding a port to a trunk applies the trunk's ACL configuration to the new member. If a port is configured with an ACL, the ACL must be removed before the port is added to the trunk. Also, removing a port from an ACL-configured trunk removes the ACL configuration from that port.

VACLs

These filter any IPv4 traffic entering the switch through any port belonging to the designated VLAN. VACLs do not filter traffic leaving the switch or being routed from another VLAN.

VACLs and RACLs operate on static VLANs

You can assign an ACL to any VLAN that is statically configured on the switch. ACLs do not operate with dynamic VLANs.

A VACL or RACL affects all physical ports in a static VLAN

A VACL or RACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN, including ports that have dynamically joined the VLAN.

RACLs screen routed IPv4 traffic entering or leaving the switch on a given VLAN interface:

This means that the following traffic is subject to ACL filtering:

  • IPv4 traffic arriving on the switch through one VLAN and leaving the switch through another VLAN

  • IPv4 traffic arriving on the switch through one subnet and leaving the switch through another subnet within the same multinet VLAN

Filtering the desired, routed traffic requires assigning an RACL to screen traffic inbound or outbound on the appropriate VLANs. In the case of a multinet VLAN, it means that IPv4 traffic inbound from different subnets in the same VLAN is screened by the same inbound RACL, and IPv4 traffic outbound from different subnets is screened by the same outbound RACL. See RACL filter applications on routed IPv4 traffic.

RACLs do not filter switched IPv4 traffic unless the switch itself is the SA or DA

RACLs do not filter traffic moving between ports belonging to the same VLAN or subnet. (IPv4 traffic moving between ports in different subnets of the same VLAN can be filtered.)

NOTE:

RACLs do filter routed or switched IPv4 traffic having an SA or DA on the switch itself.
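To make the scope rules from this section concrete, here is an added example (written for this page, not taken from the switch documentation or any vendor tool) that classifies an IPv4 flow by whether an RACL on the switch would see it: routed between VLANs, routed between subnets of one multinet VLAN, addressed to or from the switch itself, or switched within a single VLAN and subnet, which an RACL ignores. The VLAN-to-subnet layout and the switch's interface addresses are constructed values.

```python
# Added example (not from the switch documentation): which IPv4 flows an RACL
# filters, following the rules stated in this section.
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed topology: VLAN 20 is a multinet VLAN with two subnets, VLAN 30 has one.
VLAN_SUBNETS: Dict[int, List[IPv4Network]] = {
    20: [IPv4Network("10.20.0.0/24"), IPv4Network("10.20.1.0/24")],
    30: [IPv4Network("10.30.0.0/24")],
}

# Constructed addresses of the switch's own IP interfaces (one per subnet).
SWITCH_ADDRESSES = {
    IPv4Address("10.20.0.1"),
    IPv4Address("10.20.1.1"),
    IPv4Address("10.30.0.1"),
}


def locate(addr: IPv4Address) -> Optional[Tuple[int, IPv4Network]]:
    """Return the (VLAN, subnet) pair that contains addr, or None if it is not on a connected subnet."""
    for vid, nets in VLAN_SUBNETS.items():
        for net in nets:
            if addr in net:
                return vid, net
    return None


def classify_flow(src: IPv4Address, dst: IPv4Address) -> str:
    """Classify a flow as one of:
       'switch-sa-da'      - the switch is the source or destination (RACL filters it)
       'routed-inter-vlan' - enters on one VLAN, leaves on another (RACL filters it)
       'routed-multinet'   - crosses subnets inside one multinet VLAN (RACL filters it)
       'switched'          - stays within one VLAN and subnet (RACL does not filter it)
    """
    if src in SWITCH_ADDRESSES or dst in SWITCH_ADDRESSES:
        return "switch-sa-da"
    s, d = locate(src), locate(dst)
    if s is None or d is None:
        raise ValueError("address is not on a subnet connected to this switch")
    if s[0] != d[0]:
        return "routed-inter-vlan"
    if s[1] != d[1]:
        return "routed-multinet"
    return "switched"


def racl_filters(src: IPv4Address, dst: IPv4Address) -> bool:
    """True when an RACL assigned to the relevant VLAN(s) would screen this flow."""
    return classify_flow(src, dst) != "switched"


if __name__ == "__main__":
    pairs = [
        ("10.20.0.5", "10.30.0.5"),   # VLAN 20 -> VLAN 30
        ("10.20.0.5", "10.20.1.5"),   # subnet A -> subnet B of VLAN 20
        ("10.20.0.5", "10.20.0.6"),   # same VLAN, same subnet
        ("10.20.0.5", "10.20.0.1"),   # host -> switch interface
    ]
    for a, b in pairs:
        src, dst = IPv4Address(a), IPv4Address(b)
        print(f"{a} -> {b}: {classify_flow(src, dst)}, RACL filters: {racl_filters(src, dst)}")
```

The useful check for an operator is the third case: an RACL placed on VLAN 20 to block host-to-host traffic will never see a packet between two hosts on 10.20.0.0/24, so that traffic needs a VACL or a static port ACL instead.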