Restrictions for Configuring IPv4 Access Control Lists
General Network Security
The following are restrictions for configuring network security with ACLs:
-
Outbound ACLs are not supported on Layer 2 interfaces.
-
Router ACL and VLAN ACLs are not supported.
-
Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can use a name.
-
A standard ACL and an extended ACL cannot have the same name.
-
Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
-
ACL wildcard is not supported in downstream client policy.
-
For hardware ACL filtering, a maximum of 18 ACLs are supported. After crossing this limit, only software filtering takes place subject to low rate and CPU utilization.
When the unique ACLs on a device reach 18, downloadable (DACLs) are not allowed, and an error message is displayed on the console. However, port ACLs (PACLs) are allowed because these use software forwarding.
-
Per ASIC, 8 TCP port comparators and 8 UDP port comparators are supported, and each gt (greater than)/lt (less than)/neq (not equal) operator uses 1 port comparator, and each range operator uses 2 port comparators.
-
If ACLs with Layer 4 operations are defined with either the permit or deny actions for a range for ports, the opposite action for these ports will not work. In the following example, the deny action for port 22 will not work because the permit action is defined for ports ranging from 20 to 25.
permit tcp any any range 20 to 25 deny tcp any any eq 22
IPv4 ACL Network Interfaces
The following restrictions apply to IPv4 ACLs to network interfaces:
-
When controlling access to an interface, you can use a named or numbered ACL.
-
You do not have to enable routing to apply ACLs to Layer 2 interfaces.
-
On Layer 3 ports and SVIs, ACLs are not supported.
MAC ACLs on a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:
-
You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
-
A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Note |
The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels. |
-
In Cisco IOS Release 15.2(7)E3 and later releases, MAC ACLs do not filter or block Address Resolution Protocol (ARP) traffic, but allows all ARP traffic by default.
IP Access List Entry Sequence Numbering
-
This feature does not support dynamic, reflexive, or firewall access lists.