An Access Control List (ACL) is an ordered list of rules that matches traffic based on specific characteristics. Each line in the list is an Access Control Entry (ACE). Each ACE contains a condition to match and an action to take on traffic that matches that condition. ACEs are evaluated in order, and the first matching ACE determines the action. A packet that does not match any ACE in the ACL is dropped; this behavior is referred to as the implicit deny all at the end of an ACL.
An ACE can filter on:
Note: ACLs provide additional filtering options that are beyond the scope of this document.
An ACE follows the format:
Action protocol source [port] destination [port]
Where source [port] is the source IP address (a single host or a subnet) with an optional Layer 4 port, and destination [port] is the same for the destination.
Each ACE is directional and uses an inverse network mask (wildcard mask) notation, in which mask bits set to 1 are ignored during matching; 0.0.0.255 therefore matches a 24-bit subnet. To permit traffic in both directions for a host or network, you need two ACEs. The following example shows the ACEs necessary to permit TCP port 80 traffic traveling from and to a 24-bit subnet.
permit tcp 192.168.0.0 0.0.0.255 eq 80 any
permit tcp any 192.168.0.0 0.0.0.255 eq 80
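The following is an added worked example, not part of the CA documentation or of any vendor's ACL implementation: a small Python evaluator for the "action protocol source [port] destination [port]" ACE format described above. It shows how wildcard-mask matching works, why the two ACEs are needed for both directions, that the first matching ACE wins, and that a packet matching no ACE falls to the implicit deny. The grammar it accepts is a deliberate simplification (only "any", "host A.B.C.D" and "A.B.C.D W.W.W.W" address terms, and "eq N" port terms); the sample packets are constructed for illustration.

```python
# Added example: a simplified evaluator for ACEs of the form
#   action protocol source [eq port] destination [eq port]
# Not vendor code; the grammar and sample packets are assumptions for illustration.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ACE:
    action: str              # "permit" or "deny"
    protocol: str            # "ip", "tcp" or "udp"; "ip" matches any protocol
    src_net: int             # source network as a 32-bit integer
    src_wild: int            # source wildcard mask (1 bits = "don't care")
    src_port: Optional[int]  # None = any source port
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    src_port: int
    dst: str
    dst_port: int


def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_address(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address term at tokens[i]; return (network, wildcard, next index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1            # every bit is "don't care"
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2  # exact 32-bit match
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq N' term; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> ACE:
    tokens = line.split()
    action, protocol = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    src_net, src_wild, i = _parse_address(tokens, 2)
    src_port, i = _parse_port(tokens, i)
    dst_net, dst_wild, i = _parse_address(tokens, i)
    dst_port, i = _parse_port(tokens, i)
    if i != len(tokens):
        raise ValueError(f"unparsed tokens in ACE: {tokens[i:]}")
    return ACE(action, protocol, src_net, src_wild, src_port, dst_net, dst_wild, dst_port)


def _wildcard_match(addr: int, net: int, wild: int) -> bool:
    # Bits set in the wildcard mask are ignored; all other bits must equal the network.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not _wildcard_match(_addr(pkt.src), ace.src_net, ace.src_wild):
        return False
    if not _wildcard_match(_addr(pkt.dst), ace.dst_net, ace.dst_wild):
        return False
    if ace.src_port is not None and ace.src_port != pkt.src_port:
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ACL in order; return (action, index of first match). No match = implicit deny."""
    for idx, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, idx
    return "deny", None


# The two ACEs from the text: TCP/80 from and to 192.168.0.0/24.
WEB_ACL = [
    parse_ace("permit tcp 192.168.0.0 0.0.0.255 eq 80 any"),
    parse_ace("permit tcp any 192.168.0.0 0.0.0.255 eq 80"),
]

if __name__ == "__main__":
    # Constructed sample packets: a web request into the subnet, its reply,
    # and three packets that hit the implicit deny (wrong port, protocol, subnet).
    for pkt in (
        Packet("tcp", "10.1.1.1", 40000, "192.168.0.10", 80),
        Packet("tcp", "192.168.0.10", 80, "10.1.1.1", 40000),
        Packet("tcp", "10.1.1.1", 40000, "192.168.0.10", 443),
        Packet("udp", "10.1.1.1", 40000, "192.168.0.10", 80),
        Packet("tcp", "10.1.1.1", 40000, "192.168.1.10", 80),
    ):
        print(pkt, "->", evaluate(WEB_ACL, pkt))
```

Running the script shows the request matched by the second ACE, the reply by the first, and the remaining packets dropped with no matching index. Prepending a `deny` ACE for a specific host changes the result for that host, which is the practical consequence of ACEs being evaluated in order.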
Copyright © 2015 CA Technologies.
All rights reserved.