Layer 3 ACL overview

Layer 3 (IPv4 and IPv6) access control lists (ACLs) permit or deny packets according to the rules they contain.

When a packet is received or sent, the device compares its header fields against the rules in the applied ACLs. The rules are compared in sequence order, which you can specify. Based on the result of the comparison, the device either forwards or drops the packet.

ACLs provide the following benefits:
  • Providing security and traffic management.
  • Monitoring network and user traffic.
  • Saving network resources by classifying traffic.
  • Protecting against denial of service (DoS) attacks.
  • Reducing debug output.

Because applied ACLs are programmed into the Content Addressable Memory (CAM), packets are permitted or denied in the hardware, without sending the packets to the CPU for processing.

Layer 3 ACLs are implemented using the following flow:
  1. Create the ACL, using the ip access-list or ipv6 access-list command.
  2. Define permit and deny rules, using the [ sequence seq-num ] { deny | permit } command.
  3. Apply the ACL to one or more interfaces, using the relevant command:
    • IPv4: ip access-group
    • IPv6: ipv6 traffic-filter
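
The three-step flow above, as an added configuration example that is not taken from this document: it restricts SSH to one management host while leaving other traffic untouched, for both address families. The `extended` keyword, the rule arguments `host`, `any` and `eq ssh`, the interface name and the documentation-prefix addresses 192.0.2.10 and 2001:db8::10 are assumptions based on common FastIron syntax, not commands shown on this page.

```text
! Step 1 and 2 (IPv4): create the named ACL, then define sequenced rules.
! Assumed syntax; addresses and names are constructed for illustration.
ip access-list extended mgmt-ssh-v4
 sequence 10 permit tcp host 192.0.2.10 any eq ssh
 sequence 20 deny tcp any any eq ssh
 sequence 30 permit ip any any
!
! Step 1 and 2 (IPv6): same policy for IPv6 traffic.
ipv6 access-list mgmt-ssh-v6
 sequence 10 permit tcp host 2001:db8::10 any eq ssh
 sequence 20 deny tcp any any eq ssh
 sequence 30 permit ipv6 any any
!
! Step 3: apply both ACLs inbound on the port facing untrusted hosts.
interface ethernet 1/1/1
 ip access-group mgmt-ssh-v4 in
 ipv6 traffic-filter mgmt-ssh-v6 in
```

Because rules are evaluated in sequence order, the permit for the management host must come before the broader deny, or it is never reached. The final permit is needed because a packet that matches no rule in an ACL is dropped.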

Layer 3 ACLs are supported on the following interface types:

  • 1 Gigabit Ethernet (1-GbE) ports
  • 10 Gigabit Ethernet (10-GbE) ports
  • 40 Gigabit Ethernet (40-GbE) ports
  • 100 Gigabit Ethernet (100-GbE) ports
  • Trunk groups
  • Virtual routing interfaces

Although IPv4 ACLs can also be identified by number, named ACLs are supported for both IPv4 and IPv6. A named ACL must begin with an alphabetic character, can contain up to 255 letters and numbers, and its name must be unique across both IPv4 and IPv6 ACLs.

Note: For Layer 2 filtering, refer to Defining MAC Address Filters.
Note: For ACLs under Flexible Authentication, refer to Dynamic ACLs in authentication.