Restrictions for IPv4 Access Control Lists
General Network Security
The following are restrictions for configuring network security with ACLs:
-
Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can use a name. VLAN maps also accept a name.
-
A standard ACL and an extended ACL cannot have the same name.
-
Though visible in the command-line help strings, appletalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
-
ACLs cannot be configured on management ports.
-
On Cisco Catalyst 9600 Series Supervisor 2 Module only a maximum of 126 IPv4 ACL IDs in ingress, and a maximum of 14 IPv4 ACL IDs in egress are supported.
In ingress, a maximum of 16 ACL IDs are shared among other features such as Security and QoS ACLs, while one ACL ID is shared among PBR and EPC ACLs each. In egress, a maximum of one ACL ID is shared among Security and EPC ACLs each.
-
IPv4 ACL and IPv4 object group-based ACL logging is supported on Cisco Catalyst 9600 Series Supervisor 2 Module.
-
Time-based ACL is supported on Cisco Catalyst 9600 Series Supervisor 2 Module.
-
ACL modification when ACL is applied is supported on Cisco Catalyst 9600 Series Supervisor 2 Module.
-
ACL wildcard is not supported in downstream client policy.
-
When you apply a scale ACL to an interface that does not program TCAM for a protocol and the ACLs that have been unloaded, it can impact the existing normal movement of traffic for other protocols. The restriction is applicable to IPv4, IPv6, and MAC address traffic.
-
TCAM optimization is not supported on Cisco Catalyst 9600 Series Supervisor 2 Module.
-
IPv4 ACLs are supported only on Layer 3 ports on Cisco Catalyst 9600 Series Supervisor 2 Module.
-
Router ACL is enforced on all types of traffic, including CPU generated traffic.
-
ACL logging in the egress direction are not supported for packets that are generated from the control plane of the device.
-
Time-to-live (TTL) classification is not supported on ACLs.
-
If a downloadable ACL contains any type of duplicate entries, the entries are not auto merged. As a result, the 802.1X session authorization fails. Ensure that the downloadable ACL is optimized without any duplicate entries, for example port-based and name-based entries for the same port.
-
Egress ACL lookup is not supported for injected traffic that is forwarded by the software.
-
ACLs support only Layer 3 interfaces (such as routed interfaces and VLAN interfaces), port channel interface, and sub-interfaces.
There is no support on Layer 2 interfaces on Cisco Catalyst 9600 Series Supervisor 2 Module.
-
Multicast control packets are not filtered by ACL on Cisco Catalyst 9600 Series Supervisor 2 Module
-
On Cisco Catalyst 9600 Series Supervisor 2 Module, per-ACE statistics is supported only for deny ACEs. Per-ACE statistics is not supported for Permit ACEs. If the same ACL is applied to multiple ports, then the deny counters is cumulative for all the ports on which the ACL is attached.
-
On Cisco Catalyst 9600 Series Supervisor 2 Module, when an ACL is applied to the port-channel which consists of active and standby interfaces (StackWise Virtual platform), the ACL gets programmed in the TCAM of both active and standby switches. In case of scaled ACL configuration, make sure there is enough TCAM space available in both active and standby switches before applying the ACL.
-
On Cisco Catalyst 9600 Series Supervisor 2 Module, TCAM entries of an ACL attached to a Layer 3 port-channel or member port are deleted when the Layer 3 port-channel or member port is shut down. Make sure the Layer 3 port-channel or member port is up before attaching the ACL.
-
On Cisco Catalyst 9600 Series Supervisor 2 Module, security ACL is not supported for MPLS tagged traffic.
IPv4 ACL Network Interfaces
The following restrictions apply to IPv4 ACLs to network interfaces:
-
When controlling access to an interface, you can use a named or numbered ACL.
-
If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the VLAN.
-
If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.
-
If the preauth_ipv4_acl ACL is configured to filter packets, the ACL is removed after authentication.
-
You do not have to enable routing to apply ACLs to Layer 2 interfaces.
MAC ACLs on a Layer 2 Interface
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:
-
You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
-
A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
Note |
The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels. |
IP Access List Entry Sequence Numbering
-
This feature does not support dynamic, reflexive, or firewall access lists.