Chapter 15 Configuring Access Control Lists

ML-Series ACL Support
• ACL logging is supported only for packets going to the CPU, not for switched packets.
• IP Standard ACLs applied to bridged egress interfaces are not supported in the data plane. When bridging, ACLs are only supported on ingress.

IP ACLs
The following ACL styles for IP are supported:
• Standard IP ACLs: These use source addresses for matching operations.
• Extended IP ACLs (control plane only): These use source and destination addresses for matching operations and optional protocol type and port numbers for finer granularity of control.
• Named ACLs: These use source addresses for matching operations.

Note By default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. With standard ACLs, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.

After creating an ACL, you must apply it to an interface, as shown in the "Applying the ACL to an Interface" section on page 15-4.

Named IP ACLs
You can identify IP ACLs with a name, but it must be an alphanumeric string. Named IP ACLs allow you to configure more IP ACLs in a router than if you used numbered ACLs. If you identify your ACL with an alphabetic rather than a numeric string, the mode and command syntax are slightly different.
Consider the following before configuring named ACLs:
• A standard ACL and an extended ACL cannot have the same name.
• Numbered ACLs are also available, as described in the "Creating Numbered Standard and Extended IP ACLs" section on page 15-3.

User Guidelines
Keep the following in mind when you configure IP network access control:
• You can program ACL entries into ternary content addressable memory (TCAM).
• You do not have to enter a deny everything statement at the end of your ACL; it is implicit.
• You can enter ACL entries in any order without any performance impact.
• For every eight TCAM entries, the ML-Series card uses one entry for TCAM management purposes.
• Do not set up conditions that result in packets getting lost. This situation can happen when a device or interface is configured to advertise services on a network that has ACLs that deny these packets.
• IP Standard ACLs applied to bridged egress interfaces are not supported in the data plane. When bridging, ACLs are only supported on ingress.

Cisco ONS 15454 SONET/SDH ML-Series Multilayer Ethernet Card Software Feature and Configuration Guide, R4.0
78-15224-02
15-2
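The matching rules stated in the "IP ACLs" note and the "Named IP ACLs" guidelines above (first match wins, an implicit deny when no entry matches, an omitted mask on a standard ACL meaning 0.0.0.0, standard ACLs looking only at the source address while extended ACLs also check destination, protocol and port, names being alphanumeric, and a standard and an extended ACL not sharing a name) are easy to get wrong when reading a configuration. The following Python model is an added example, not code from the Cisco guide or from the ML-Series card software; the class and function names, the sample ACL "MGMT" and the addresses it uses are all constructed for illustration. It lets you check offline which verdict a given packet would get under those rules before committing an ACL.

```python
# Added example (not from the Cisco guide): a small model of the IP ACL
# matching rules the guide states, so the semantics can be exercised offline.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # the 'any' keyword: every bit is don't-care


def wildcard_match(addr: str, pattern: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard-mask compare: 0 bits must match, 1 bits are ignored.
    A missing mask defaults to 0.0.0.0, i.e. an exact host match, which is
    what the guide states for standard ACLs."""
    a = int(ipaddress.IPv4Address(addr))
    p = int(ipaddress.IPv4Address(pattern))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF                 # bits that must be equal
    return (a & care) == (p & care)


def valid_acl_name(name: str) -> bool:
    """The guide requires an alphanumeric name for a named IP ACL."""
    return name.isalnum()


@dataclass
class Entry:
    action: str                        # "permit" or "deny"
    src: str
    src_wc: str = "0.0.0.0"            # omitted mask -> host match
    dst: Optional[str] = None          # fields below are used by extended ACLs only
    dst_wc: str = "0.0.0.0"
    proto: Optional[str] = None        # e.g. "tcp" or "udp"; None = any IP protocol
    dport: Optional[int] = None


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"
    dport: Optional[int] = None


@dataclass
class IPAccessList:
    name: str
    kind: str                          # "standard" or "extended"
    entries: List[Entry] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not valid_acl_name(self.name):
            raise ValueError("ACL name must be alphanumeric")
        if self.kind not in ("standard", "extended"):
            raise ValueError("kind must be 'standard' or 'extended'")

    def _matches(self, e: Entry, pkt: Packet) -> bool:
        if not wildcard_match(pkt.src, e.src, e.src_wc):
            return False
        if self.kind == "standard":
            return True                # standard ACLs match on source only
        if e.dst is not None and not wildcard_match(pkt.dst, e.dst, e.dst_wc):
            return False
        if e.proto is not None and e.proto != pkt.proto:
            return False
        if e.dport is not None and e.dport != pkt.dport:
            return False
        return True

    def evaluate(self, pkt: Packet) -> str:
        """First matching entry wins; reaching the end is an implicit deny."""
        for e in self.entries:
            if self._matches(e, pkt):
                return e.action
        return "deny"


class AclTable:
    """Configured ACLs; a standard and an extended ACL may not share a name."""

    def __init__(self) -> None:
        self._acls: Dict[str, IPAccessList] = {}

    def add(self, acl: IPAccessList) -> bool:
        """Returns False (and leaves the table unchanged) on a cross-kind name clash."""
        existing = self._acls.get(acl.name)
        if existing is not None and existing.kind != acl.kind:
            return False
        self._acls[acl.name] = acl
        return True


def demo() -> Dict[str, str]:
    """Constructed sample ACL and packets (hypothetical addresses, not from the guide)."""
    mgmt = IPAccessList("MGMT", "standard", [
        Entry("permit", "10.1.1.0", "0.0.0.255"),  # one subnet is permitted
        Entry("deny", "10.1.2.7"),                 # mask omitted -> host 10.1.2.7
    ])
    return {
        "subnet_host": mgmt.evaluate(Packet("10.1.1.42", "10.1.1.1")),
        "explicit_deny": mgmt.evaluate(Packet("10.1.2.7", "10.1.1.1")),
        "implicit_deny": mgmt.evaluate(Packet("192.0.2.9", "10.1.1.1")),
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately ignores the entry order guideline about TCAM performance: evaluation order still decides the verdict when two entries overlap, exactly as on the card, so the "any order" remark above is about cost, not about which entry wins.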