ACL configuration and operating rules

  • Per-Interface ACL Limits: At a minimum, an ACL will have one explicit “deny” Access Control Entry (ACE). You can assign one ACL per interface, as follows:
    • Standard ACLs—Numeric range: 1–99

    • Extended ACLs—Numeric range: 100–199

    • Named (Extended or Standard) ACLs: Up to the maximum number of ports on the switch (minus any numeric ACL assignments)

  • Implicit “deny any”: In any ACL, the switch automatically applies an implicit “deny ip any” ACE that does not appear in show listings. This means that the ACL denies any packet that does not match an entry in the ACL. Thus, if you want an ACL to permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last visible ACE in the ACL. Because, for a given packet, the switch applies the ACEs in an ACL sequentially until it finds a match, any packet that reaches the permit any or permit ip any any entry is permitted and never encounters the “deny ip any” ACE that the switch automatically includes at the end of the ACL.

  • Explicitly permitting any IP traffic: Entering a permit any or a permit ip any any ACE in an ACL permits all IP traffic not previously permitted or denied by that ACL.

  • Explicitly denying any IP traffic: Entering a deny any or a deny ip any any ACE in an ACL denies all IP traffic not previously permitted or denied by that ACL.

  • An ACL assignment is exclusive: The switch allows one ACL assignment on an interface. If a port or static trunk already has an ACL assigned, you cannot assign another ACL to the interface without first removing the currently assigned ACL.

  • Replacing one ACL with another: Where an ACL is already assigned to an interface, you must remove the current ACL assignment before assigning another ACL to that interface. If an assignment command fails because one or more interfaces specified in the command already have an ACL assignment, the switch generates this message in the CLI and in the Event Log: <acl-list-#>: Unable to apply access control list.

  • ACLs operate on ports and static trunk interfaces: You can assign an ACL to any port and/or any statically configured trunk on the switch. ACLs do not operate with dynamic (LACP) trunks.

  • Before modifying an applied ACL, you must first remove it from all assigned interfaces: An ACL cannot be changed while it is assigned to an interface.

  • Before deleting an applied ACL, you must first remove it from all interfaces to which it is assigned: An assigned ACL cannot be deleted.

  • Port and static trunk interfaces:
    • Removing a port from an ACL-assigned trunk returns the port to its default settings.

    • To add a port to a trunk when an ACL is already assigned to the port, you must first remove the ACL assignment from the port.

    • Adding a new port to an ACL-assigned trunk automatically applies the ACL to the new port.
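The following is an added Python illustration of the first-match evaluation and implicit trailing deny described in the “Implicit deny any” and “Explicitly permitting/denying any IP traffic” rules above. It is not switch code and does not model the switch’s real ACE syntax or implementation; the ACE fields, the sample ACLs, and the sample packets are all constructed here to show how ACE order decides the outcome and why a final permit ip any any changes what the implicit deny catches.

```python
"""Sequential (first-match) ACL evaluation with an implicit trailing deny.

Constructed illustration only: the ACE model below is a simplified subset
(permit/deny; protocol 'ip', 'tcp' or 'udp'; source/destination as 'any'
or CIDR; optional destination port) and is not the switch's own syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    action: str                  # "permit" or "deny"
    proto: str = "ip"            # "ip" matches every IP protocol; else "tcp"/"udp"
    src: str = "any"             # "any" or CIDR such as "10.1.1.0/24"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """True when every field of the ACE matches the packet."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _addr_matches(ace.src, pkt.src) or not _addr_matches(ace.dst, pkt.dst):
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Apply ACEs in order and stop at the first match.

    Returns (action, index_of_matching_ace). If no visible ACE matches, the
    result is ("deny", None): the invisible "deny ip any" at the end of the ACL.
    """
    for index, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, index
    return "deny", None


# Constructed sample ACE and ACLs (hypothetical addresses, not from the page).
DENY_TELNET_FROM_LAN = ACE("deny", "tcp", "10.1.1.0/24", "any", 23)
PERMIT_ANY = ACE("permit")          # the visible "permit ip any any"

OPEN_ACL = [DENY_TELNET_FROM_LAN, PERMIT_ANY]   # deny telnet, allow the rest
CLOSED_ACL = [DENY_TELNET_FROM_LAN]             # only the deny; implicit deny catches everything else
SHADOWED_ACL = [PERMIT_ANY, DENY_TELNET_FROM_LAN]  # deny never reached: permit matched first

# Constructed sample packets.
TELNET_PKT = Packet("tcp", "10.1.1.5", "192.0.2.10", 23)
HTTP_PKT = Packet("tcp", "10.1.1.5", "192.0.2.10", 80)


def shadowed_indexes(acl: List[ACE], samples: List[Packet]) -> List[int]:
    """Indexes of ACEs that no sample packet ever reaches (a cheap ordering check)."""
    reached = {evaluate(acl, p)[1] for p in samples}
    return [i for i in range(len(acl)) if i not in reached]


if __name__ == "__main__":
    for name, acl in (("OPEN", OPEN_ACL), ("CLOSED", CLOSED_ACL), ("SHADOWED", SHADOWED_ACL)):
        for pkt in (TELNET_PKT, HTTP_PKT):
            action, idx = evaluate(acl, pkt)
            where = "implicit deny" if idx is None else f"ACE {idx}"
            print(f"{name:8} {pkt.proto}/{pkt.dport:<3} from {pkt.src}: {action} ({where})")
        print(f"{name:8} shadowed ACEs: {shadowed_indexes(acl, [TELNET_PKT, HTTP_PKT])}")
```

The CLOSED_ACL case is the trap the rule warns about: with no visible permit, every packet other than the denied Telnet traffic falls through to the implicit deny, so the interface blocks all IP traffic. The SHADOWED_ACL case shows the opposite mistake, a permit ip any any placed before the deny, which makes the deny unreachable; checking which ACEs sample traffic actually reaches is a quick way to catch both before assigning the ACL to a port.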