IPv4 ACL configuration and operating rules

- Static port ACLs: A static port ACL filters traffic entering the switch on the ports or trunks to which it is assigned.
- Per-switch ACL limits for all ACL types: At a minimum, an ACL must have one explicit "permit" or "deny" Access Control Entry (ACE). You can configure up to 256 ACLs. For IPv4 ACLs, the maximums are as follows:
  - Named (Extended or Standard) ACLs: up to 256 (minus any numeric standard or extended ACL assignments)
  - Numeric Standard ACLs: up to 99; numeric range 1-99
  - Numeric Extended ACLs: up to 100; numeric range 100-199
  The switch supports up to 2048 IPv4 ACEs in total. The maximum number of ACEs allowed on a port depends on the concurrent resource usage by multiple configured features. For more information, use the show <qos|access-list> resources command and/or refer to General ACL operating notes.
- Implicit deny: In any static IPv4 ACL, the switch automatically applies an implicit deny ip any that does not appear in show listings. This means that the ACL denies any IPv4 packet it encounters that does not match an entry in the ACL. Thus, if you want an ACL to permit any packets that you have not expressly denied, you must enter a permit any or permit ip any any as the last ACE in the ACL. Because, for a given packet, the switch applies the ACEs in an ACL sequentially until it finds a match, any packet that reaches the permit any or permit ip any any entry is permitted and never encounters the deny ip any ACE that the switch automatically includes at the end of the ACL. For implicit deny operation in dynamic ACLs, see RADIUS Services Support on Aruba Switches.
- Explicitly permitting any IPv4 traffic: Entering a permit any or a permit ip any any ACE in an ACL permits all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs listed after that point have no effect.
- Explicitly denying any IPv4 traffic: Entering a deny any or a deny ip any any ACE in an ACL denies all IPv4 traffic not previously permitted or denied by that ACL. Any ACEs after that point have no effect.
- Replacing one ACL with another using the same application: For a specific interface, the most recent ACL assignment using a given application replaces any previous ACL assignment using the same application on the same interface.
- Static port ACLs: These are applied per port, per port list, or per static trunk. Adding a port to a trunk applies the trunk's ACL configuration to the new member. If a port is configured with an ACL, the ACL must be removed before the port is added to the trunk. Also, removing a port from an ACL-configured trunk removes the ACL configuration from that port.
- VACLs: These filter any IPv4 traffic entering the switch through any port belonging to the designated VLAN. VACLs do not filter traffic leaving the switch or being routed from another VLAN.
- A VACL affects all physical ports in a static VLAN: A VACL assigned to a VLAN applies to all physical ports on the switch belonging to that VLAN, including ports that have dynamically joined the VLAN.
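As an added illustration that is not part of the switch documentation, the following Python model reproduces the first-match evaluation with implicit deny described under Implicit deny, Explicitly permitting any IPv4 traffic and Explicitly denying any IPv4 traffic above, and flags ACEs that are listed after a catch-all entry and therefore have no effect. The Ace class, the evaluate and shadowed functions and the sample ACL are constructed for this example; CIDR prefixes stand in for the CLI's own address notation.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One Access Control Entry; protocol 'ip' matches any IPv4 protocol."""
    action: str                       # "permit" or "deny"
    proto: str = "ip"                 # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network = ANY  # CIDR stands in for the CLI's address form
    dst: ipaddress.IPv4Network = ANY

    def matches(self, proto, src, dst):
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)

    def is_catch_all(self):
        # "permit ip any any" / "deny ip any any": matches every IPv4 packet
        return self.proto == "ip" and self.src == ANY and self.dst == ANY


def evaluate(acl, proto, src, dst):
    """First-match evaluation, as the switch does it. Returns (action, index);
    index is None when only the implicit 'deny ip any' at the end matched."""
    for i, ace in enumerate(acl):
        if ace.matches(proto, src, dst):
            return ace.action, i
    return "deny", None


def shadowed(acl):
    """Indices of ACEs that can never be reached because an earlier
    'permit ip any any' or 'deny ip any any' already matches every packet."""
    for i, ace in enumerate(acl):
        if ace.is_catch_all():
            return list(range(i + 1, len(acl)))
    return []


# Constructed sample ACL: block TCP from one subnet, allow everything else,
# then a deny listed after the catch-all permit (so it never takes effect).
NET = ipaddress.ip_network
SAMPLE_ACL = [
    Ace("deny", "tcp", NET("10.1.1.0/24"), ANY),
    Ace("permit"),                                   # permit ip any any
    Ace("deny", "ip", NET("192.168.0.0/16"), ANY),   # shadowed, no effect
]
```

Evaluating SAMPLE_ACL[:1] (the deny ACE alone, with no trailing permit) shows the implicit deny dropping every non-matching packet, which is the behaviour the Implicit deny item warns about.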