General steps for implementing ACLs

  1. Configure one or more ACLs. This creates and stores the ACLs in the switch configuration.
  2. Assign an ACL. This step uses one of the following applications to assign the ACL to an interface:
    1. RACL (routed IPv4 traffic entering or leaving the switch on a given VLAN)
    2. VACL (any IPv4 traffic entering the switch on a given VLAN)
    3. Static Port ACL (any IPv4 traffic entering the switch on a given port, port list, or static trunk)
  3. If the ACL is applied as an RACL, enable IPv4 routing. Except for instances where the switch is the traffic source or destination, assigned RACLs filter IPv4 traffic only when routing is enabled on the switch.


IPv4 source routing is enabled by default on the switch and can be used to override ACLs. For this reason, if you are using ACLs to enhance network security, the recommended action is to disable source routing on the switch. To do so, execute:

no ip source-route
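The steps and the source-routing caveat above can be checked against a saved configuration. The following is an added example, not part of the original documentation: a small auditor run over a constructed config. Apart from `no ip source-route`, the command forms it recognizes (`ip access-list`, `ip access-group ... in|out|vlan`, `ip routing`) are assumed ProCurve-style syntax, and the function name is hypothetical.

```python
import re

# Constructed running-config. Only "no ip source-route" is quoted from the
# page; every other command form here is assumed ProCurve-style syntax.
SAMPLE_CONFIG = """\
ip access-list extended "WEB-ONLY"
   10 permit tcp 10.10.10.0 0.0.0.255 0.0.0.0 255.255.255.255 eq 80
   exit
ip access-list standard "UNUSED"
   10 deny 10.10.20.0 0.0.0.255
   exit
vlan 10
   ip access-group "WEB-ONLY" in
   exit
vlan 20
   ip access-group "WEB-ONLY" vlan
   exit
interface 5
   ip access-group "WEB-ONLY" in
   exit
"""

def audit_acl_config(text):
    """Check a config against steps 1-3 and the source-routing advice."""
    defined, assigned, context = set(), [], None
    routing = source_route_off = False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r'ip access-list (?:standard|extended) "?([^"\s]+)', line):
            defined.add(m.group(1))            # step 1: ACL configured
        elif m := re.match(r"(vlan|interface) \S+$", line):
            context = m.group(1)               # entering a VLAN or port context
        elif line == "exit":
            context = None
        elif m := re.match(r'ip access-group "?([^"\s]+)"? (in|out|vlan)$', line):
            # step 2: in a VLAN, in/out is an RACL and "vlan" a VACL; on a port, a port ACL
            kind = "port" if context == "interface" else "VACL" if m.group(2) == "vlan" else "RACL"
            assigned.append((m.group(1), kind))
        elif line == "ip routing":
            routing = True                     # step 3
        elif line == "no ip source-route":
            source_route_off = True
    used = {name for name, _ in assigned}
    findings = [f"ACL {n} is configured but not assigned" for n in sorted(defined - used)]
    if any(kind == "RACL" for _, kind in assigned) and not routing:
        findings.append("RACL assigned but IPv4 routing is not enabled")
    if not source_route_off:
        findings.append("IPv4 source routing is enabled and can override ACLs")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_acl_config(SAMPLE_CONFIG)))
```

The source-routing finding relies on the default stated above: a config without `no ip source-route` is treated as having source routing enabled.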