UMN: CLI User Manual V5808

7.21 Access List

An IP access list (ACL) is a filter that lets you restrict specific IP traffic. For example, if you create an ACL entry that filters multicast packets based on their destination IP address, the V5808 can deny every packet whose destination is that multicast address.

There are three types of IP ACLs you can configure:

• Standard Access List
• Extended Access List
• Named Access List

A standard ACL matches on a single IP address (it need not be a source address). An extended ACL defines a more detailed filter with a source IP address and mask together with a destination IP address and mask, so more precise filtering is possible. A named ACL is identified by a name made of any characters, or by a number outside the ranges reserved for standard and extended ACLs.

In most cases you define ACLs in Global Configuration mode and then apply them wherever the actual access control is to take place, for example from an L3 command such as ip igmp access-group or ip pim rp-address. ARP is the exception: ARP has its own access list, and you cannot define an ARP access list in Global Configuration mode.

Processing ACLs

An ACL entry can hold several statements. That is, ACL entry 1 can have multiple filtering statements (conditions), as in the following:

SWITCH(config)# access-list 1 deny 10.55.193.109
SWITCH(config)# access-list 1 permit 10.55.193.109 0.0.0.255
SWITCH(config)# access-list 1 deny any

Traffic coming into the switch is compared with the ACL entries in the order in which they were created; new entries are added to the end of the list. The switch keeps looking until it finds a match. If no match is found when the switch reaches the end of the list, the traffic is permitted. Likewise, when one ACL entry contains several statements, the switch evaluates them in the order in which they were created. The first condition that matches decides how the traffic is handled, and the remaining conditions are ignored. In the example above, a packet matching 10.55.193.109 is denied by the first statement even though the second statement would permit the whole 10.55.193.0 range, and because traffic that reaches the end of the list is permitted, it is the explicit deny any at the end that blocks everything else.

Wildcard Bits

Masks are used with IP addresses in IP ACLs to specify a range of IP addresses. Compared with a subnet mask, an IP ACL mask is the reverse: the mask bits 0.0.0.255 in an IP ACL are the same as 255.255.255.0 in a subnet mask, for instance. This is called a wildcard mask or an inverse mask, because 1 and 0 in binary mean the opposite of what they mean in a subnet mask: 0 means "check this bit" and 1 means "ignore this bit."
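The following is an added worked example in Python; it is not part of this manual or of the V5808 software. It models the first-match processing described under Processing ACLs and the wildcard-mask comparison described under Wildcard Bits: it parses the three access-list lines from this section, evaluates constructed sample addresses against them (including the case where the end of the list is reached without a match, which this manual says is permitted), and converts between wildcard and subnet masks. The parser, the function names and the sample addresses are assumptions made for the illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One ACL statement: (action, address, wildcard). The CLI omits the wildcard for
# an exact host match, which is the same as a wildcard of 0.0.0.0.
Statement = Tuple[str, str, str]

# The three lines from this section of the manual (constructed input for the demo).
PAGE_ACL_CONFIG = [
    "access-list 1 deny 10.55.193.109",
    "access-list 1 permit 10.55.193.109 0.0.0.255",
    "access-list 1 deny any",
]


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_to_subnet_mask(wildcard: str) -> str:
    """Invert a wildcard (inverse) mask into the equivalent subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_to_int(wildcard)))


def subnet_mask_to_wildcard(mask: str) -> str:
    """Invert a subnet mask into the wildcard mask an ACL statement would use."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ ip_to_int(mask)))


def matches(statement_addr: str, wildcard: str, packet_addr: str) -> bool:
    """Wildcard bit 0 means 'check this bit', 1 means 'ignore this bit'.
    Only the bits where the wildcard is 0 have to be equal."""
    care = 0xFFFFFFFF ^ ip_to_int(wildcard)
    return (ip_to_int(statement_addr) & care) == (ip_to_int(packet_addr) & care)


def parse_access_list(config_lines: List[str]) -> Dict[str, List[Statement]]:
    """Parse 'access-list <n> {permit|deny} <addr> [<wildcard>]' lines into
    {acl_number: [statements]}, preserving creation order (new entries append).
    Hypothetical parser written for this example; it covers only the standard
    ACL syntax shown in this section."""
    acls: Dict[str, List[Statement]] = {}
    for line in config_lines:
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action, target = parts[1], parts[2], parts[3]
        if target == "any":
            addr, wildcard = "0.0.0.0", "255.255.255.255"  # ignore every bit
        else:
            addr = target
            wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"  # host match
        acls.setdefault(number, []).append((action, addr, wildcard))
    return acls


def evaluate(statements: List[Statement], packet_addr: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation in creation order. Returns (action, index of the
    statement that matched). Reaching the end of the list without a match
    permits the traffic, as the manual states for the V5808, and is reported
    with index None so the caller can see the permit was implicit."""
    for i, (action, addr, wildcard) in enumerate(statements):
        if matches(addr, wildcard, packet_addr):
            return action, i
    return "permit", None


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """Evaluate constructed sample addresses against ACL 1 from the manual."""
    acl1 = parse_access_list(PAGE_ACL_CONFIG)["1"]
    samples = ["10.55.193.109", "10.55.193.7", "192.0.2.1"]  # constructed
    return {addr: evaluate(acl1, addr) for addr in samples}


if __name__ == "__main__":
    for addr, (action, idx) in demo().items():
        where = "implicit (end of list)" if idx is None else f"statement {idx}"
        print(f"{addr:>15} -> {action:<6} via {where}")
    print("0.0.0.255 wildcard == subnet mask", wildcard_to_subnet_mask("0.0.0.255"))
```

Running it shows the ordering point from the text: 10.55.193.109 is denied by statement 0 even though statement 1 would permit the whole 10.55.193.0 range, while 10.55.193.7 is permitted by statement 1 and any other address falls through to the deny any. Removing the last line from PAGE_ACL_CONFIG makes 192.0.2.1 come back as an implicit permit, which is the default this switch applies when the end of the list is reached.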