Using Access Control Lists (ACLs) in Your Network

This section details three types of ACLs:

  • Layer 3 Standard and Extended ACLs (L3 ACL), which permit or deny IPv4 and IPv6 packet forwarding based on IP address, protocol, and port matching (depending on the ACL type), and which provide an all-traffic option that filters ingress packets on all traffic instead of just routed traffic.
  • Layer 3 Policy ACLs, which let the user specify an IPv4 packet signature and set the DSCP value in matching packets in order to prioritize relatively short-duration connections between specific end points (such as VoIP traffic).
  • Layer 2 ACLs (L2 ACL), which permit or deny packets based on MAC address, VLAN tag, Drop Eligibility Indicator (DEI), and Ethernet II type.

The S- and K-Series firmware supports configuration of standard, extended, and policy L3 ACLs and L2 ACLs. Standard L3 ACLs match on the packet source IP address only, while extended and policy L3 ACLs match on both source and destination IP addresses, protocol, and TCP or UDP port, and can optionally match on a DSCP, ToS, or IP precedence value. Policy ACLs differ from extended ACLs in that a set DSCP parameter, specific to policy ACLs, must be specified when using a policy ACL. L3 ACLs are also used to match addresses or traffic by client applications such as route map (for policy-based routing and route redistribution), IP Directed Broadcast, and, on the S-Series platform, NAT.
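The following is an added example, not code or CLI syntax from the S-/K-Series documentation: a small first-match evaluator in Python that models the three L3 ACL kinds described above (source-only matching for standard ACLs, source/destination/protocol/port matching for extended ACLs, and a mandatory set-DSCP action for policy ACLs), including the implicit deny that applies when no rule in a filtering ACL matches. The `Packet` and `Rule` fields, the ACL names, the sample prefixes and the packets are all constructed for this example, and the assumption that a policy ACL marks matching packets without dropping non-matching ones is a modelling choice of the example, not a statement about the firmware.

```python
"""Added example, not code from the S-/K-Series documentation: a first-match
evaluator that models standard, extended and policy L3 ACLs.
Rule fields, ACL names and sample packets are constructed for this example."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # TCP/UDP destination port, if any
    dscp: int = 0                # DSCP value carried in the IP header


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "0.0.0.0/0"          # source prefix; 0.0.0.0/0 means "any"
    dst: Optional[str] = None       # destination prefix, extended/policy only
    proto: Optional[str] = None     # protocol, extended/policy only
    dport: Optional[int] = None     # destination port, extended/policy only
    set_dscp: Optional[int] = None  # policy ACL only: DSCP written into matches

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.proto not in (None, "ip") and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


@dataclass
class ACL:
    name: str
    kind: str                    # "standard", "extended" or "policy"
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        # Enforce what each ACL kind may match on, as described in the text.
        if self.kind == "standard" and any(
                v is not None for v in (rule.dst, rule.proto, rule.dport)):
            raise ValueError(f"{self.name}: standard ACLs match on source address only")
        if self.kind == "policy" and rule.set_dscp is None:
            raise ValueError(f"{self.name}: policy ACL rules must set a DSCP value")
        if self.kind != "policy" and rule.set_dscp is not None:
            raise ValueError(f"{self.name}: set-DSCP is specific to policy ACLs")
        self.rules.append(rule)

    def filter(self, pkt: Packet) -> str:
        """Standard/extended ACL: the first matching rule decides; no match
        means deny (the implicit deny at the end of every filtering ACL)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"

    def mark(self, pkt: Packet) -> int:
        """Policy ACL: rewrite the DSCP of a packet matching the signature.
        Modelling assumption for this example: a policy ACL marks but does
        not drop, so a non-matching packet keeps its DSCP unchanged."""
        for rule in self.rules:
            if rule.matches(pkt):
                pkt.dscp = rule.set_dscp
                break
        return pkt.dscp


def demo() -> dict:
    """Constructed rules and packets; returns the decisions so they can be checked."""
    std = ACL("mgmt-hosts", "standard")
    std.add(Rule("permit", src="10.0.0.0/24"))

    ext = ACL("web-in", "extended")
    ext.add(Rule("permit", dst="10.0.1.10/32", proto="tcp", dport=443))

    pol = ACL("voip-mark", "policy")
    pol.add(Rule("permit", src="10.0.2.0/24", dst="10.0.3.0/24",
                 proto="udp", dport=5060, set_dscp=46))

    return {
        "standard": [std.filter(Packet("10.0.0.5", "10.0.9.1")),
                     std.filter(Packet("192.168.1.1", "10.0.9.1"))],   # implicit deny
        "extended": [ext.filter(Packet("172.16.0.2", "10.0.1.10", "tcp", 443)),
                     ext.filter(Packet("172.16.0.2", "10.0.1.10", "tcp", 22)),
                     ext.filter(Packet("172.16.0.2", "10.0.1.10", "udp", 443))],
        "policy": [pol.mark(Packet("10.0.2.7", "10.0.3.9", "udp", 5060)),
                   pol.mark(Packet("10.0.2.7", "10.0.3.9", "udp", 53))],
    }


if __name__ == "__main__":
    print(demo())
```

The `add` method is where the kind-specific restrictions from the text live: a standard ACL rule carrying a destination, protocol or port is rejected, a policy ACL rule without `set_dscp` is rejected, and `set_dscp` on a filtering ACL is rejected. Running `demo()` shows the source-only standard ACL permitting the 10.0.0.0/24 host and implicitly denying everything else, the extended ACL admitting only TCP/443 to the web host, and the policy ACL rewriting DSCP to 46 on the matching UDP/5060 flow while leaving other traffic untouched.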

ACLs can be applied to VRF access groups to provide a more granular control of traffic between VRFs.

One IPv4 and one IPv6 standard or extended ACL inbound to each VRF and one IPv4 and one IPv6 standard or extended ACL outbound from each VRF can be applied.

A single IPv4 policy ACL can be applied at the global configuration level for each VRF.