IPv4 ACL configuration and operating rules

Static port ACLs

A static port ACL filters traffic entering the switch on the ports or trunks to which it is assigned.

Per switch ACL limits for all ACL types

At a minimum an ACL must have one, explicit "permit" or "deny" Access Control Entry. You can configure up to 256 ACLs.

For IPv4 ACLs, the maximums are as follows:

  • Named (Extended or Standard) ACLs: Up to 256 (minus any numeric standard or extended ACL assignments)

  • Numeric Standard ACLs: Up to 99; numeric range: 1-99

  • Numeric Extended ACLs: Up to 100; numeric range: 100-199

  • The maximum number of ACEs supported by the switch is up to 2048 for IPv4 ACEs. The maximum number of ACEs allowed on port depends on the concurrent resource usage by multiple configured features. For more information, use the show <qos|access-list> resources command and/or refer to General ACL operating notes.

Implicit deny

In any static IPv4 ACL, the switch automatically applies an implicit deny ip any that does not appear in show listings. This means that the ACL denies any IPv4 packet it encounters that does not have a match with an entry in the ACL. Thus, if you want an ACL to permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last ACE in an ACL. Because, for a given packet the switch sequentially applies the ACEs in an ACL until it finds a match, any packet that reaches the permit any or permit ip any any entry will be permitted, and will not encounter the deny ip any ACE the switch automatically includes at the end of the ACL.

For Implicit Deny operation in dynamic ACLs, see RADIUS Services Support on Aruba Switches.

Explicitly permitting any IPv4 traffic

Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point do not have any effect.

Explicitly denying any IPv4 traffic

Entering a deny any or a deny ip any any ACE in an ACL denies all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs after that point have no effect.

Replacing one ACL with another using the same application

For a specific interface, the most recent ACL assignment using a given application replaces any previous ACL assignment using the same application on the same interface.

Static port ACLs:

These are applied per-port, per port-list, or per static trunk. Adding a port to a trunk applies the trunk's ACL configuration to the new member. If a port is configured with an ACL, the ACL must be removed before the port is added to the trunk. Also, removing a port from an ACL-configured trunk removes the ACL configuration from that port.

VACLs

These filter any IPv4 traffic entering the switch through any port belonging to the designated VLAN. VACLs do not filter traffic leaving the switch or being routed from another VLAN.

A VACL affects all physical ports in a static VLAN

A VACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN, including ports that have dynamically joined the VLAN.