ACL usage tips
When using the access-list ip or access-list ipv6 commands, if you enter an existing ACL-NAME, the existing ACL is modified as follows:
Any ACE entered with a new sequence number creates an additional ACE.
Any ACE entered with an existing sequence number replaces the existing ACE.
If you modify an ACL that has already been applied, packets that the previous ACL blocked may briefly pass through the switch while the ACL is being reconfigured.
In a highly secure environment, it is safest to first bring down interfaces and VLANs to which an ACL has been applied before modifying the ACL. Then bring the targets of ACL application back up after completing the ACL modification. Respecting this recommendation ensures that an ACL is never partially programmed while traffic is passing through the switch.
About applying ACLs to interfaces or LAGs
You can apply an ACL to an interface or LAG to affect or control the traffic arriving on that interface or LAG (inbound) or leaving the interface or LAG (outbound), or both. A given interface or LAG supports the application of a single ACL per type, per direction. ACLs can be applied to interfaces or LAGs as follows:
One MAC ACL inbound
One MAC ACL outbound
One IPv4 ACL inbound
One IPv4 ACL outbound
One IPv6 ACL inbound
One IPv6 ACL outbound
Different ACLs of the same type can be used in opposite directions for MAC, IPv4, and IPv6. If you apply an ACL of a particular type, in a direction that is already in use, the switch replaces the current ACL with the new ACL.
About applying ACLs to VLANs
ACLs can be applied to VLANs in the inbound (ingress) and outbound (egress) directions.
Sequence numbering
If no sequence number is specified, the software appends new ACEs to the end of the ACL with a sequence number equal to the highest ACE currently in the list plus 10.
The sequence numbers may be resequenced using the access-list resequence command.
Deny ACLs
If multiple ACLs of different types are applied in the same direction, a deny ACE, whether explicit or implicit, in one ACL overrides a permit ACE in another. A deny ACE is an ACE within an ACL that uses the deny action keyword.
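The sequence-number rules above (append at the highest number plus 10, replace on an existing number, add on a new one, resequence) and the rule that a deny in any one of several ACLs applied in the same direction overrides a permit in another, modelled as an added Python example. This is not code from this documentation or from the switch software: the Ace and Acl classes, the evaluate_all function, the simplified three-field ACE (protocol, source, destination) and the sample addresses are all constructed for illustration, and the two ACLs in the sample are modelled alike even though on the switch they would be ACLs of different types.

```python
# Added example (not switch code): a small model of the ACL editing and
# evaluation rules. Assumptions: an ACE carries only action, protocol, source
# and destination; every ACL is modelled the same way regardless of type.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

SEQ_STEP = 10  # an appended ACE gets the highest existing sequence number + 10


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    protocol: str = "any"  # "any", "icmp", "tcp" or "udp" (simplified)
    src: str = "any"       # CIDR prefix or "any"
    dst: str = "any"

    def matches(self, proto: str, src: str, dst: str) -> bool:
        if self.protocol not in ("any", proto):
            return False
        for want, have in ((self.src, src), (self.dst, dst)):
            if want != "any" and ip_address(have) not in ip_network(want, strict=False):
                return False
        return True


@dataclass
class Acl:
    name: str
    entries: Dict[int, Ace] = field(default_factory=dict)  # sequence number -> ACE

    def add(self, ace: Ace, seq: Optional[int] = None) -> int:
        """Edit rules for re-entering an existing ACL name:
        no sequence number -> append at highest + SEQ_STEP (SEQ_STEP if empty);
        existing sequence number -> replace that ACE;
        new sequence number -> additional ACE."""
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + SEQ_STEP
        self.entries[seq] = ace
        return seq

    def resequence(self, start: int = 10, step: int = 10) -> List[int]:
        """Renumber ACEs in their current order, like 'access-list resequence'."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * step: ace for i, ace in enumerate(ordered)}
        return list(self.entries)

    def evaluate(self, proto: str, src: str, dst: str) -> str:
        """First matching ACE in sequence order wins; implicit deny at the end."""
        for seq in sorted(self.entries):
            if self.entries[seq].matches(proto, src, dst):
                return self.entries[seq].action
        return "deny"


def evaluate_all(acls: List[Acl], proto: str, src: str, dst: str) -> str:
    """Several ACLs applied in the same direction: a deny (explicit or
    implicit) from any one of them overrides a permit from another."""
    verdicts = [acl.evaluate(proto, src, dst) for acl in acls]
    return "deny" if "deny" in verdicts else "permit"


def build_example() -> Acl:
    """Constructed sample ACL exercising append, replace and insert."""
    acl = Acl("MGMT-IN")
    acl.add(Ace("permit", "icmp", "10.0.0.0/24"))                      # no seq -> 10
    acl.add(Ace("permit", "tcp", "10.0.0.0/24", "10.0.1.5/32"))        # no seq -> 20
    acl.add(Ace("deny"), seq=20)                                       # existing seq -> replaces 20
    acl.add(Ace("permit", "tcp", "10.0.0.0/24", "10.0.1.5/32"), seq=15)  # new seq -> added
    return acl


if __name__ == "__main__":
    acl = build_example()
    for seq in sorted(acl.entries):
        print(seq, acl.entries[seq])
    print("icmp 10.0.0.7 -> 10.0.1.5:", acl.evaluate("icmp", "10.0.0.7", "10.0.1.5"))
    print("tcp  10.0.0.7 -> 10.0.1.6:", acl.evaluate("tcp", "10.0.0.7", "10.0.1.6"))
    print("after resequence:", acl.resequence())
```

The implicit deny at the end of each ACL is what makes the multi-ACL rule bite: a packet that a second ACL of another type does not explicitly permit is denied by that ACL's implicit deny, and evaluate_all then returns deny even though the first ACL permits it.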
Denied ping requests
A ping request is denied when an ACL is applied on ingress or egress unless the request is explicitly permitted.
switch# ping 100.1.2.10
PING 100.1.2.10 (100.1.2.10) 100(128) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted