Introduction, Overview – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT,x310-26FP,x310-50FT,x310-50FP) User Manual

Access Control Lists: Introduction
Software Reference for x310 Series Switches
AlliedWare Plus™ Operating System - Version 5.4.4C
C613-50046-01 REV A
Introduction

This chapter describes Access Control Lists (ACLs) and general ACL configuration information.

See Chapter 34, IPv4 Hardware Access Control List (ACL) Commands and IPv6 Hardware Access Control List (ACL) Commands for detailed command information and command examples about IPv4 and IPv6 hardware ACLs that are applied directly to interfaces.

See Chapter 35, IPv4 Software Access Control List (ACL) Commands and IPv6 Software Access Control List (ACL) Commands for detailed command information and command examples about IPv4 and IPv6 software ACLs as applied to Routing and Multicasting.

See all relevant Routing commands and configurations in
and all relevant Multicast commands and configurations in
Overview

An Access Control List (ACL) is one filter, or a sequence of filters, applied to an interface to block, pass, or (when using QoS) apply priority to packets that match the filter definitions. ACLs are used to restrict network access by hosts and devices and to limit network traffic.
An ACL contains an ordered list of filters. Each filter specifies either permit or deny and a set of conditions the packet must satisfy in order to match the filter. The meaning of permit or deny entries depends on the context in which the ACL is used - either on an inbound or an outbound interface.
When a packet is received on an interface, the switch compares fields in the packet against the filters in the ACL to check whether the packet has permission to be forwarded, based on the filter properties. The first matching filter determines whether the switch accepts or rejects the packet. If no filter matches, the switch rejects the packet. If there are no ACL restrictions on the interface, the switch forwards the packet.
Because filters in an ACL are applied sequentially and evaluation stops at the first match, it is very important that you apply the filters in the correct order. For example, you might want to pass all traffic from VLAN 4 except for traffic arriving from two selected addresses, A and B. Setting up a filter that first passes all traffic from VLAN 4 and then denies traffic from addresses A and B will not filter out traffic from A and B if they are members of VLAN 4, because the VLAN 4 filter matches first. To ensure that the traffic from A and B is always blocked, you should first apply the filter that blocks traffic from A and B, then apply the filter that allows all traffic from VLAN 4.
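The following simulator is an added example, not code from the Allied Telesis manual and not the switch's own implementation. It models the general behaviour the text describes (filters with sequence numbers, first match wins, implicit deny when an ACL is applied but no filter matches) and runs the VLAN 4 / host A / host B scenario in both orderings so the difference is visible. The addresses, VLAN number and filter layout are constructed sample values; the `Filter` and `Packet` types and the `evaluate` and `outcomes` functions are assumptions of this example, not AlliedWare Plus syntax.

```python
"""Simulate first-match ACL evaluation to show why filter order matters.

Added example, not from the AlliedWare Plus manual. Hosts A and B, the
other host, and the VLAN number are constructed sample values. The matching
logic models the general behaviour described in the text: filters are checked
in sequence-number order, the first match decides, and an applied ACL with no
matching filter rejects the packet (implicit deny).
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address, dotted decimal
    vlan: int     # VLAN the packet arrived on


@dataclass(frozen=True)
class Filter:
    seq: int                    # sequence number; lower numbers are checked first
    action: str                 # "permit" or "deny"
    src: Optional[str] = None   # source prefix in CIDR notation; None = any source
    vlan: Optional[int] = None  # VLAN id; None = any VLAN

    def matches(self, pkt: Packet) -> bool:
        """True when every condition set on this filter holds for the packet."""
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.vlan is not None and pkt.vlan != self.vlan:
            return False
        return True


def evaluate(acl: list[Filter], pkt: Packet) -> tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching filter.

    Filters are walked in ascending sequence order and evaluation stops at the
    first match. If nothing matches, the packet is rejected; seq is None in
    that case to mark the implicit deny.
    """
    for flt in sorted(acl, key=lambda f: f.seq):
        if flt.matches(pkt):
            return flt.action, flt.seq
    return "deny", None


HOST_A = "192.0.2.10"   # constructed sample address A
HOST_B = "192.0.2.11"   # constructed sample address B
OTHER = "192.0.2.20"    # constructed VLAN 4 host that should remain permitted

# Wrong order: the broad VLAN 4 permit is checked first, so VLAN 4 packets
# from A and B match it and never reach the deny filters.
ACL_WRONG = [
    Filter(10, "permit", vlan=4),
    Filter(20, "deny", src=HOST_A + "/32"),
    Filter(30, "deny", src=HOST_B + "/32"),
]

# Correct order: the specific deny filters come first, then the broad permit.
ACL_RIGHT = [
    Filter(10, "deny", src=HOST_A + "/32"),
    Filter(20, "deny", src=HOST_B + "/32"),
    Filter(30, "permit", vlan=4),
]


def outcomes(acl: list[Filter]) -> dict[str, str]:
    """Evaluate a fixed set of constructed packets and return name -> action."""
    pkts = {
        "A": Packet(HOST_A, 4),           # host A on VLAN 4
        "B": Packet(HOST_B, 4),           # host B on VLAN 4
        "other_vlan4": Packet(OTHER, 4),  # ordinary VLAN 4 host
        "vlan5": Packet(OTHER, 5),        # not VLAN 4, hits the implicit deny
    }
    return {name: evaluate(acl, p)[0] for name, p in pkts.items()}


if __name__ == "__main__":
    for label, acl in (("wrong order", ACL_WRONG), ("right order", ACL_RIGHT)):
        print(label, outcomes(acl))
```

Running the block prints the decision for each packet under both orderings: with the permit first, A and B are forwarded; with the denies first, they are blocked while the ordinary VLAN 4 host is still permitted and a VLAN 5 packet falls through to the implicit deny in both cases.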
You can assign sequence numbers to filters. See