Cisco 220 Series Smart Plus Administration Manual page 227

Hide thumbs Also See for 220 Series Smart Plus:

Reference manual (582 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

page of 287

/ 287
Contents
Table of Contents
Bookmarks

Table of Contents

Access Control

Access Control Lists

NOTE

Cisco 220 Series Smart Plus Switches Administration Guide Release 1.0.0.x

Each ACE is made up of filters that distinguish traffic groups and associated

actions. A single ACL may contain one or more ACEs, which are matched against

the contents of incoming frames. Either a DENY or PERMIT action is applied to

frames whose contents match the filter.

The switch supports a maximum of 512 ACLs, and a maximum of 128 ACEs per

ACL.

When a packet matches an ACE filter, the ACE action is taken and that ACL

processing is stopped. If the packet does not match the ACE filter, the next ACE is

processed. If all ACEs of an ACL have been processed without finding a match,

and if another ACL exists, it is processed in a similar manner.

If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a

default action). Because of this default drop action you must explicitly add ACEs

into the ACL to permit all traffic, including management traffic, such as Telnet, HTTP,

or SNMP that is directed to the switch itself. For example, if you do not want to

discard all the packets that do not match the conditions in an ACL, you must

explicitly add a lowest priority ACE into the ACL that permits all the traffic.

If IGMP/MLD Snooping is enabled at a port bound with an ACL, add ACE filters in

the ACL to forward IGMP/MLD packets to the switch. Otherwise, IGMP/MLD

Snooping will fail at the port.

The order of the ACEs within the ACL is significant, since they are applied in a first-

fit manner. The ACEs are processed sequentially, starting with the first ACE.

ACLs can be used for security, for example by permitting or denying certain traffic

flows, and also for traffic classification and prioritization in QoS advanced mode.

A port can be either secured with ACLs or configured with advanced QoS policy,

but not both.

There can only be one ACL per port, with the exception that it is possible to

associate both an IPv4-based ACL and an IPv6-based ACL with a single port.

To associate more than one ACL with a port, a policy with one or more class maps

must be used (see

Configuring QoS Policies

Mode

section).

The following types of ACLs can be defined (depending on which part of the

frame header is examined):

•

MAC-based ACL—Examines Layer 2 fields only, as described in the

Configuring MAC-based ACLs

•

IP ACL—Examines the L3 layer of IP frames, as described in the

Configuring IPv4-based ACLs

in the

Configuring QoS Advanced

section.

225

Table of Contents

Cisco 220 Series Smart Plus Administration Manual page 227

Related Manuals for Cisco 220 Series Smart Plus

Related Products for Cisco 220 Series Smart Plus

Table of Contents