ACL usage tips

When using the access-list ip or access-list ipv6 commands, if you enter an existing ACL-NAME, the existing ACL is modified as follows:

  • Any ACE entered with a new sequence-number creates an additional ACE.

  • Any ACE entered with an existing sequence-number replaces the existing ACE.

If you modify an ACL that has already been applied, it is possible that packets, blocked by the previous ACL, will briefly pass through the switch during the ACL reconfiguration.

NOTE:

In a highly secure environment, it is safest to first bring down interfaces and VLANs to which an ACL has been applied before modifying the ACL. Then bring the targets of ACL application back up after completing the ACL modification. Respecting this recommendation ensures that an ACL is never partially programmed while traffic is passing through the switch.

About applying ACLs to interfaces or LAGs

You can apply an ACL to an interface or LAG to affect or control the traffic arriving on that interface or LAG (inbound) or leaving the interface or LAG (outbound), or both. A given interface or LAG supports the application of a single ACL per type, per direction. ACLs can be applied to interfaces or LAGs as follows:

  • One MAC ACL inbound

  • One IPv4 ACL inbound

  • One IPv4 ACL outbound

  • One IPv6 ACL inbound

Different ACLs of the same type can be used in opposite directions for IPv4. If you apply an ACL of a particular type, in a direction that is already in use, the switch replaces the current ACL with the new ACL.

About applying ACLs to VLANs

ACLs can be applied to VLANs only in the inbound (ingress) direction.

Sequence numbering

If no sequence number is specified, the software appends new ACEs to the end of the ACL with a sequence number equal to the highest ACE currently in the list plus 10.

The sequence numbers may be resequenced using the access-list resequence command.

Deny ACLs

If multiple ACLs of different types are applied in the same direction, a deny ACE, whether explicit or implicit, in one ACL overrides a permit ACL in another. A deny ACE is an ACE within an ACL that uses the deny action keyword.

Denied ping requests

A ping request is denied when an ACL is applied on ingress or egress unless the request is explicitly permitted.

switch# ping 100.1.2.10
PING 100.1.2.10 (100.1.2.10) 100(128) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted