ACL overview
When a frame or packet is received or sent, the device compares its header fields
against the rules in applied ACLs. This comparison is done according to a rule sequence,
which you can specify. Based on the comparison, the device either forwards or drops the
frame or packet.
The benefits of ACLs include the following:
- Provide security and traffic management.
- Monitor network and user traffic.
- Save network resources by classifying traffic.
- Protect against denial of service (DoS) attacks.
Regarding the range of filtering options, there are two types of ACL:
- Standard ACLs — Permit, deny, or hard-drop traffic according to source address only.
- Extended ACLs — Permit, deny, or hard-drop traffic according to source and destination addresses, as well as other parameters. For example, in an extended ACL, you can also filter by one or more of the following:
  - Port name or number
  - Protocol, for example TCP or UDP, including the TCP or UDP port name or number
  - TCP flags

Note: Except on SLX 9740 devices, egress ACLs do not support TCP flags.
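The following is an added example, not part of this documentation or of any SLX software, that models the matching behaviour described above: rules are checked in sequence-number order, the first matching rule decides the action (permit, deny, or hard-drop), a standard ACL consults only the source address, and an extended ACL also consults destination address, protocol, destination port and TCP flags. The `Rule`, `Packet`, `evaluate` and `shadowed_rules` names, the sample ACLs, the packets and the final default action of `deny` when no rule matches are all constructed for the example and are assumptions, not SLX behaviour taken from this page. `shadowed_rules` is the check a practitioner wants when sequencing rules: it reports standard-ACL rules that can never match because an earlier, broader rule already covers their source prefix.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int                              # sequence number; lower numbers are checked first
    action: str                           # "permit", "deny" or "hard-drop"
    src: str                              # source prefix in CIDR notation, or "any"
    dst: str = "any"                      # destination prefix (used by extended ACLs only)
    proto: Optional[str] = None           # "tcp", "udp", ... or None for any protocol
    dport: Optional[int] = None           # destination port (tcp/udp only)
    tcp_flags: frozenset = frozenset()    # flags that must all be set, e.g. {"syn"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int = 0
    tcp_flags: frozenset = frozenset()


def addr_matches(spec: str, addr: str) -> bool:
    """True if the address falls inside the rule's prefix ("any" matches everything)."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet, extended: bool) -> bool:
    if not addr_matches(rule.src, pkt.src):
        return False
    if not extended:
        return True  # a standard ACL looks at the source address only
    if not addr_matches(rule.dst, pkt.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # Flag conditions only apply to TCP and require every listed flag to be set.
    if rule.tcp_flags and (pkt.proto != "tcp" or not rule.tcp_flags <= pkt.tcp_flags):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, extended: bool = True,
             default: str = "deny") -> Tuple[str, Optional[int]]:
    """First-match evaluation in sequence order; returns (action, matching seq).
    The 'default' action when nothing matches is an assumption of this model."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, pkt, extended):
            return rule.action, rule.seq
    return default, None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Sequence numbers of standard-ACL rules that can never match because an
    earlier rule's source prefix already covers theirs (a sequencing mistake)."""
    ordered = sorted(rules, key=lambda r: r.seq)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.src == "any" or (
                later.src != "any"
                and ip_network(later.src, strict=False).subnet_of(
                    ip_network(earlier.src, strict=False))):
                shadowed.append(later.seq)
                break
    return shadowed


# Constructed sample ACLs (not from any real device configuration).
STANDARD_ACL = [Rule(20, "permit", "10.0.0.0/8"), Rule(10, "deny", "10.1.1.0/24")]
MISORDERED_ACL = [Rule(10, "permit", "10.0.0.0/8"), Rule(20, "deny", "10.1.1.0/24")]
EXTENDED_ACL = [
    Rule(10, "permit", "any", "192.0.2.10/32", "tcp", 443),            # web server
    Rule(20, "deny", "any", "any", "tcp", tcp_flags=frozenset({"syn"})),  # other TCP setup
    Rule(30, "permit", "10.0.0.0/8"),                                   # rest of internal net
]

if __name__ == "__main__":
    print(evaluate(STANDARD_ACL, Packet("10.1.1.5", "198.51.100.1", "tcp", 80), extended=False))
    print(evaluate(EXTENDED_ACL, Packet("10.5.5.5", "192.0.2.20", "tcp", 22, frozenset({"syn"}))))
    print("shadowed:", shadowed_rules(MISORDERED_ACL))
```

In `MISORDERED_ACL` the deny at sequence 20 is unreachable because the permit for 10.0.0.0/8 at sequence 10 already covers 10.1.1.0/24; swapping the sequence numbers, as in `STANDARD_ACL`, makes the more specific deny take effect.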
Regarding layer and protocol, ACL types are as follows:
For information on hardware-based filtering of IP subnet-based directed broadcast and
network-address traffic, refer to "IP broadcast ACLs (bACLs)."