Configuring Access Control Lists

ACL Configuration Details

How Are ACLs Configured?

To configure ACLs, follow these steps:

1. Create a MAC ACL by specifying a name.
2. Create an IP ACL by specifying a number.
3. Add new rules to the ACL.
4. Configure the match criteria for the rules.
5. Apply the ACL to one or more interfaces.

Editing Access Lists

When editing access lists, new entries are added to the end of the list. There is an implicit deny all statement at the end of every access-group that is not shown and is not editable. To insert a rule in the middle of an ACL, you must delete the list, and then add the rules again, in order, with the newly included entry. One way to manage this process is to show the running config, copy the access list to an editor, edit the list offline, delete the access list on the switch, and then paste the updated access list back into the switch console.

Preventing False ACL Matches

Be sure to specify ACL access-list, permit, and deny rule criteria as fully as possible to avoid false matches. This is especially important in networks with protocols that have different frame or EtherType values. For example, L3 ACL rules that specify a TCP or UDP port value should also specify the TCP or UDP protocol. MAC ACL rules that specify an EtherType value for the frame should also specify a source or destination MAC address wherever possible.

NOTE: When configuring access lists, complete checks are made only when the access list is applied to an active interface. It is recommended that you configure and test an access list on an active (up) interface prior to deploying it on links in the production network. If an ACL is configured on an interface that is not up, error messages regarding ACL resource allocation may be logged when the interface is brought up.
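
The following Python model is an added example, not code from this manual or the switch vendor. It shows first-match evaluation with the implicit deny, a check for the two under-specified rule patterns described under Preventing False ACL Matches, and why a rule appended to the end of a list can have no effect. The rule dictionaries, field names and addresses are constructed for illustration and are not switch CLI syntax; it assumes that a criterion a rule omits matches any value.

```python
# Added example: vendor-neutral ACL model. Rule dicts are constructed, not switch CLI syntax.
IMPLICIT_DENY = "deny (implicit)"

def matches(rule, pkt):
    """Every criterion the rule specifies must equal the packet field.
    Assumption: criteria the rule omits act as wildcards (the source of false matches)."""
    return all(pkt.get(k) == v for k, v in rule.items() if k != "action")

def evaluate(acl, pkt):
    """First matching rule wins; the hidden final rule denies everything else."""
    for rule in acl:
        if matches(rule, pkt):
            return rule["action"]
    return IMPLICIT_DENY

def lint(acl):
    """Return (rule number, reason) for rules under-specified as the text warns."""
    findings = []
    for n, rule in enumerate(acl, start=1):
        has_port = "src_port" in rule or "dst_port" in rule
        if has_port and rule.get("protocol") not in ("tcp", "udp"):
            findings.append((n, "port without TCP/UDP protocol"))
        if "ethertype" in rule and not ("src_mac" in rule or "dst_mac" in rule):
            findings.append((n, "EtherType without source or destination MAC"))
    return findings

def insert_rule(acl, index, rule):
    """Build the full replacement list offline, as the delete-and-re-add edit requires."""
    return acl[:index] + [rule] + acl[index:]

# Constructed sample data (documentation addresses, hypothetical field names).
LOOSE = [{"action": "permit", "dst_port": 53}]  # intended: DNS over UDP only
STRICT = [{"action": "permit", "protocol": "udp", "dst_port": 53}]
BLOCK_HOST = {"action": "deny", "protocol": "udp", "src_ip": "192.0.2.10", "dst_port": 53}
TCP_53 = {"protocol": "tcp", "src_ip": "192.0.2.10", "dst_port": 53}
UDP_53 = {"protocol": "udp", "src_ip": "192.0.2.10", "dst_port": 53}

if __name__ == "__main__":
    print("loose ACL, TCP/53: ", evaluate(LOOSE, TCP_53))   # false match on the port alone
    print("strict ACL, TCP/53:", evaluate(STRICT, TCP_53))  # no rule matches
    print("lint loose:", lint(LOOSE))
    appended = STRICT + [BLOCK_HOST]                # new entry lands at the end of the list
    rebuilt = insert_rule(STRICT, 0, BLOCK_HOST)    # list rebuilt offline in the right order
    print("deny appended:", evaluate(appended, UDP_53))
    print("deny inserted:", evaluate(rebuilt, UDP_53))
```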