Introduction to IPv4 static ACL operation

An ACL is a list of one or more Access Control Entries (ACEs), where each ACE consists of a matching criteria and an action (permit or deny). A static ACL applies only to the switch in which it is configured. ACLs operate on assigned interfaces, and offer these traffic filtering options:
  • IPv4 traffic inbound on a port.

  • IPv4 traffic inbound on a VLAN.

  • Routed IPv4 traffic entering or leaving the switch on a VLAN. (Note that ACLs do not screen traffic at the internal point where traffic moves between VLANs or subnets within the switch. See ACL applications.

The following table lists the range of interface options:
Range of interface options


ACL Application

Application Point

Filter Action


Static Port ACL (switch configured)

inbound on the switch

inbound IPv4 traffic

RADIUS-Assigned ACL1

inbound on the switch port used by authenticated client

inbound IPv4 and IPv6 traffic from the authenticated client



entering the switch on the VLAN

inbound IPv4 traffic


entering the switch on the VLAN

routed IPv4 traffic entering the switch and any IPv4 traffic with a destination on the switch itself

exiting from the switch on the VLAN

routed IPv4 traffic exiting from the switch


The information provided here describes ACLs statically configured on the switch. For information on RADIUS assigned ACLs, see RADIUS services supported on switches.


Supports one inbound and one outbound RACL. When both are used, one RACL can be assigned to filter both inbound and outbound, or different RACLs can be assigned to filter inbound and outbound.


After you assign an IPv4 ACL to an interface, the default action on the interface is to implicitly deny IPv4 traffic that is not specifically permitted by the ACL. (This applies only in the direction of traffic flow filtered by the ACL.)