Restrictions for Configuring IPv4 Access Control Lists
General Network Security
The following are restrictions for configuring network security with ACLs:
- Router ACL and VLAN ACLs are not supported.
- Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can use a name.
- A standard ACL and an extended ACL cannot have the same name.
- Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
- ACL wildcard is not supported in downstream client policy.
- For hardware ACL filtering, a maximum of 18 ACLs are supported. Beyond this limit, only software filtering takes place, which is limited to a low packet rate and consumes CPU.
When the unique ACLs on a device reach 18, downloadable ACLs (DACLs) are not allowed, and an error message is displayed on the console. However, port ACLs (PACLs) are still allowed because these use software forwarding.
- Per ASIC, 8 TCP port comparators and 8 UDP port comparators are supported. Each gt (greater than), lt (less than), or neq (not equal) operator uses 1 port comparator, and each range operator uses 2 port comparators.
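The two hardware limits above (18 hardware ACLs, 8 TCP and 8 UDP port comparators per ASIC) are easy to exceed without noticing, because the device silently falls back to software filtering. The following added example, which is not part of the original page or of any Cisco tool, audits an IOS-style configuration snippet against those limits. The configuration text is constructed for the example; it assumes the whole snippet is programmed on a single ASIC, and it assumes that eq consumes no comparator, since the page lists costs only for gt, lt, neq and range.

```python
"""Audit named IPv4 ACLs against the hardware limits stated on this page."""
import re
from collections import Counter

# Limits quoted from the page.
MAX_HW_ACLS = 18
PORT_COMPARATORS_PER_PROTOCOL = 8  # per ASIC, separately for TCP and UDP
# Comparator cost per operator (page: gt/lt/neq = 1, range = 2);
# eq is assumed to be free because the page does not list a cost for it.
COMPARATOR_COST = {"gt": 1, "lt": 1, "neq": 1, "range": 2}

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
ip access-list extended WEB-IN
 permit tcp any host 10.0.0.5 eq 443
 permit tcp any host 10.0.0.5 range 8000 8010
 deny tcp any any gt 1023
ip access-list extended DNS-IN
 permit udp any any eq 53
 deny udp any gt 1023 any neq 53
ip access-list standard MGMT
 permit 10.10.0.0 0.0.255.255
"""

ACL_HEADER = re.compile(r"^ip access-list (standard|extended) (\S+)$")


def parse_acls(config):
    """Return {acl_name: [list of ACE tokens]} for named standard/extended ACLs."""
    acls = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls.setdefault(current, [])
            continue
        tokens = line.split()
        if current and tokens and tokens[0] in ("permit", "deny"):
            acls[current].append(tokens)
    return acls


def comparator_usage(acls):
    """Count TCP and UDP port comparators consumed by gt/lt/neq/range operators.

    Operators may appear after the source and after the destination, so every
    token of a TCP/UDP entry is checked.
    """
    usage = Counter()
    for entries in acls.values():
        for tokens in entries:
            if len(tokens) < 2 or tokens[1] not in ("tcp", "udp"):
                continue  # standard ACLs and non-TCP/UDP entries use no comparators
            usage[tokens[1]] += sum(COMPARATOR_COST.get(t, 0) for t in tokens[2:])
    return usage


def audit(config):
    """Return a list of human-readable findings; an empty list means within limits."""
    acls = parse_acls(config)
    findings = []
    if len(acls) > MAX_HW_ACLS:
        findings.append(
            f"{len(acls)} unique ACLs exceed the hardware limit of {MAX_HW_ACLS}: "
            "extra ACLs fall back to software filtering and DACLs are refused"
        )
    for proto, used in sorted(comparator_usage(acls).items()):
        if used > PORT_COMPARATORS_PER_PROTOCOL:
            findings.append(
                f"{proto.upper()} entries need {used} port comparators, more than "
                f"the {PORT_COMPARATORS_PER_PROTOCOL} available per ASIC"
            )
    return findings


if __name__ == "__main__":
    print("ACLs:", list(parse_acls(SAMPLE_CONFIG)))
    print("comparators:", dict(comparator_usage(parse_acls(SAMPLE_CONFIG))))
    print("findings:", audit(SAMPLE_CONFIG) or "none")
```

Run against the sample, the audit reports three ACLs, 3 TCP and 2 UDP comparators and no findings; feed it a config template with five range operators on TCP and it flags the comparator budget before the change reaches the switch.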
IPv4 ACL Network Interfaces
The following restrictions apply to IPv4 ACLs to network interfaces:
- When controlling access to an interface, you can use a named or numbered ACL.
- You do not have to enable routing to apply ACLs to Layer 2 interfaces.
- On Layer 3 ports and SVIs, ACLs are not supported.
MAC ACLs on a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:
- You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
- A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that already has a MAC ACL configured, the new ACL replaces the previously configured one.
Note: The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels.
- MAC ACLs do not filter or block Address Resolution Protocol (ARP) traffic; they allow all ARP traffic by default.
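The guidelines above describe constraints that a running device enforces for you (the second MAC ACL replaces the first, and mac access-group is rejected on a port channel), but a configuration template pushed by automation can violate them silently. The following added example, not part of the original page or of any Cisco tool, checks interface stanzas in an IOS-style snippet for those conditions before the template is pushed. The configuration text, interface names and ACL names are constructed for the example.

```python
"""Check interface stanzas for MAC/IP access-group usage that breaks the page's guidelines."""
import re

# Constructed sample template (not taken from a real device).
INTERFACE_CONFIG = """\
mac access-list extended BLOCK-LEGACY
 deny host 0000.1111.2222 any
 permit any any
interface GigabitEthernet1/0/1
 switchport mode access
 ip access-group WEB-IN in
 mac access-group BLOCK-LEGACY in
interface GigabitEthernet1/0/2
 mac access-group BLOCK-LEGACY in
 mac access-group OLD-FILTER in
interface Port-channel1
 mac access-group BLOCK-LEGACY in
"""

ACCESS_GROUP = re.compile(r"^(ip|mac) access-group (\S+) (in|out)$")


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} for each interface stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas


def check_access_groups(config):
    """Return {interface: [problems]} for interfaces that violate the guidelines."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        groups = {"ip": [], "mac": []}
        for line in lines:
            match = ACCESS_GROUP.match(line)
            if match:
                groups[match.group(1)].append(match.group(2))
        problems = []
        # mac access-group is valid only on physical Layer 2 interfaces.
        if name.lower().startswith("port-channel") and groups["mac"]:
            problems.append("mac access-group is not valid on an EtherChannel port channel")
        # Only one MAC ACL per interface: a later one replaces the earlier one.
        if len(groups["mac"]) > 1:
            problems.append(
                f"{len(groups['mac'])} MAC ACLs listed; only the last one "
                f"({groups['mac'][-1]}) would remain applied"
            )
        # Only one IP ACL per interface, by the same rule.
        if len(groups["ip"]) > 1:
            problems.append(
                f"{len(groups['ip'])} IP ACLs listed; only the last one "
                f"({groups['ip'][-1]}) would remain applied"
            )
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for interface, problems in check_access_groups(INTERFACE_CONFIG).items():
        for problem in problems:
            print(f"{interface}: {problem}")
```

On the sample, GigabitEthernet1/0/1 (one IP ACL plus one MAC ACL) passes, GigabitEthernet1/0/2 is flagged because only OLD-FILTER would survive, and Port-channel1 is flagged because the command is not accepted on an EtherChannel.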
IP Access List Entry Sequence Numbering
- This feature does not support dynamic, reflexive, or firewall access lists.
TCAM Matching Priority
| WebAuth | Port ACL or Download ACL | Final Action |
|---|---|---|
| Denied ACE | ACE present and denied | Packet is permitted |
| Denied ACE | ACE not present and implicit denied | Packet is permitted |
- Due to a hardware limitation, hardware TCAM match counters are not updated for permit ACEs. They are updated for deny ACEs.