Access Control List
An access control list (ACL) is a set of
rules defined to filter the network traffic. Each ACL is assigned a unique name.
Packet filtering and traffic flow through the network are managed with ACLs, which contain
rules that you configure for that purpose. Incoming packets are matched against the
entries in ACL. Packets are forwarded or dropped based on criteria specified in ACL. The
unique sequence number of each entry indicates the order that the packet will be matched
against rules in the ACL. The ACL sequence ID range is 1-4095. The lower the sequence
ID, the earlier the rule will be checked against the packet.
Note
Care should be taken when designing
the ACLs being used to prevent a lower-sequence ID from matching all the traffic
desired for a higher sequence ID.
ACLs are classified as MAC (Layer 2), IPV4 (Layer 3), or IPv6 (Layer 3) access lists, based on
the matching keys. If incoming packets match both Layer 2 and Layer 3 ACLs, Layer 3 ACLs
in the same route-map stanza are prioritized and actions associated with L3 ACLs are
applied.
- ACLs that are referenced in route-maps or
listener polices can be modified and deleted.
- When ACL entries that are in use are deleted,
the associated route-map or listener-policy re-program the hardware
accordingly.
- Each ACL entry can specify its ability to
count or log:
- The counting action provides
packet and octet count (64-bit capacity).
- Logging action sends a copy
of the frame to the CPU.
- The forwarding action remains unchanged.