Configuring Access Control Lists

How Are ACLs Configured?

To configure ACLs, follow these steps:

1 Create a MAC ACL by specifying a name.
2 Create an IP ACL by specifying a number.
3 Add new rules to the ACL.
4 Configure the match criteria for the rules.
5 Apply the ACL to one or more interfaces.

Preventing False ACL Matches

Be sure to specify ACL access-list, permit, and deny rule criteria as fully as possible to avoid false matches. This is especially important in networks with protocols such as FCoE that have newly-introduced EtherType values. For example, rules that specify a TCP or UDP port value should also specify the TCP or UDP protocol and the IPv4 or IPv6 EtherType. Rules that specify an IP protocol should also specify the EtherType value for the frame.

In general, any rule that specifies matching on an upper-layer protocol field should also include matching constraints for each of the lower-layer protocols. For example, a rule to match packets directed to the well-known UDP port number 22 (SSH) should also include matching constraints on the IP protocol field (protocol=0x11 or UDP) and the EtherType field (EtherType=0x0800 or IPv4). Figure 20-1 lists commonly used EtherType numbers:

NOTE: The actual number of ACLs and rules supported depends on the resources consumed by other processes and configured features running on the switch.

Table 20-1. Common EtherType Numbers

EtherType   Protocol
0x0800      Internet Protocol version 4 (IPv4)
0x0806      Address Resolution Protocol (ARP)
0x0842      Wake-on LAN Packet
0x8035      Reverse Address Resolution Protocol (RARP)
0x8100      VLAN tagged frame (IEEE 802.1Q)
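
The false match described under "Preventing False ACL Matches", as an added example that is not taken from the switch documentation or firmware. It assumes a simplified classifier that reads fields at the fixed byte offsets of an untagged IPv4 frame without options; the rule dictionaries, field names and both frames are constructed for illustration, and the FCoE EtherType 0x8906 is not listed in Table 20-1.

```python
import struct

ETH_IPV4 = 0x0800   # from Table 20-1
ETH_FCOE = 0x8906   # FCoE EtherType (not in Table 20-1)
PROTO_UDP = 0x11    # IP protocol number for UDP

def eth_frame(ethertype, payload):
    """Constructed untagged Ethernet frame: zeroed MACs + EtherType + payload."""
    return bytes(12) + struct.pack("!H", ethertype) + payload

def ipv4_udp(dst_port):
    """Constructed 20-byte IPv4 header (checksum left 0) plus 8-byte UDP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, PROTO_UDP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + struct.pack("!HHHH", 40000, dst_port, 8, 0)

def fields(frame):
    """Assumed classifier model: read each field at a fixed offset, with no
    check that the lower layers are really Ethernet/IPv4/UDP."""
    return {
        "ethertype": struct.unpack_from("!H", frame, 12)[0],
        "ip_proto": frame[14 + 9],
        "l4_dst_port": struct.unpack_from("!H", frame, 14 + 20 + 2)[0],
    }

def matches(rule, frame):
    """A rule matches when every field it names equals the frame's value."""
    seen = fields(frame)
    return all(seen[name] == value for name, value in rule.items())

# Under-specified rule: upper-layer field only.
LOOSE = {"l4_dst_port": 22}
# Fully specified rule: EtherType, IP protocol and port, as the text advises.
STRICT = {"ethertype": ETH_IPV4, "ip_proto": PROTO_UDP, "l4_dst_port": 22}

UDP_22 = eth_frame(ETH_IPV4, ipv4_udp(22))
# Not a valid FCoE frame: arbitrary payload under the FCoE EtherType whose
# bytes 22-23 happen to hold 0x0016, where a UDP destination port would sit.
NON_IP = eth_frame(ETH_FCOE, bytes(22) + struct.pack("!H", 22) + bytes(8))

def demo():
    """Return (loose_match, strict_match) for each constructed frame."""
    frames = (("ipv4_udp_22", UDP_22), ("non_ip", NON_IP))
    return {n: (matches(LOOSE, f), matches(STRICT, f)) for n, f in frames}

if __name__ == "__main__":
    print(demo())
```

The port-only rule matches both frames, while the rule that also constrains the EtherType and IP protocol matches only the IPv4/UDP frame.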