Guidelines for planning the structure of an ACL

The first step in planning a specific ACL is to determine where you will apply it. You must then determine the order in which you want the individual ACEs in the ACL to filter traffic. Some applications place heavy demands on the resources the switch uses to support ACLs; in these cases it is important to order the individual ACEs in a list so that those resources are not used unnecessarily.
  • The first match dictates the action on a packet; any subsequent possible matches are ignored.

  • On any ACL, the switch implicitly denies packets that are not explicitly permitted or denied by the ACEs configured in the ACL. If you want the switch to forward a packet for which there is not a match in an ACL, add permit any as the last ACE in an ACL. This ensures that no packets reach the implicit deny any case.

  • Generally, you should list ACEs from the most specific (individual hosts) to the most general (subnets or groups of subnets) unless doing so permits traffic that you want dropped. For example, an ACE allowing a small group of workstations to use a specialized printer should occur earlier in an ACL than an entry used to block widespread access to the same printer.
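As an added illustration (not from the switch documentation), the following Python model applies the three rules above to constructed sample addresses: first match wins, unmatched packets hit the implicit deny, and the printer ACE order from the last bullet is shown both ways. The printer, workstation and user prefixes are assumed sample values.

```python
# Added example, not from the original document: a minimal first-match ACL
# evaluator that reproduces the ordering rules described above.
import ipaddress

def match(ace, src, dst):
    """An ACE matches when both source and destination fall in its prefixes."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(ace["src"]) and
            ipaddress.ip_address(dst) in ipaddress.ip_network(ace["dst"]))

def evaluate(acl, src, dst):
    """The first matching ACE decides; later ACEs are ignored.
    A packet that matches nothing falls through to the implicit 'deny any'."""
    for ace in acl:
        if match(ace, src, dst):
            return ace["action"]
    return "deny (implicit)"

# Constructed sample addresses: a printer, a small group of authorised
# workstations, and the wider user subnet that should be kept off the printer.
PRINTER = "10.1.1.20/32"
WORKSTATIONS = "10.1.1.8/30"      # 10.1.1.8 - 10.1.1.11
USERS = "10.1.0.0/16"
ANY = "0.0.0.0/0"

# Specific before general: the permit for the small group comes first.
ordered_correctly = [
    {"action": "permit", "src": WORKSTATIONS, "dst": PRINTER},
    {"action": "deny",   "src": USERS,        "dst": PRINTER},
    {"action": "permit", "src": ANY,          "dst": ANY},   # avoids the implicit deny
]

# Same ACEs with the general deny first: the workstations never reach their permit.
ordered_wrongly = [
    {"action": "deny",   "src": USERS,        "dst": PRINTER},
    {"action": "permit", "src": WORKSTATIONS, "dst": PRINTER},
    {"action": "permit", "src": ANY,          "dst": ANY},
]

# Without a trailing 'permit any', traffic that matches no ACE is dropped.
no_final_permit = ordered_correctly[:2]

if __name__ == "__main__":
    for name, acl in [("correct order", ordered_correctly),
                      ("wrong order", ordered_wrongly),
                      ("no permit any", no_final_permit)]:
        print(f"{name:14} workstation->printer: {evaluate(acl, '10.1.1.9', '10.1.1.20'):16}"
              f" workstation->server: {evaluate(acl, '10.1.1.9', '10.1.2.5')}")
```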