BigIron RX Series Configuration Guide
53-1001810-01

Chapter 21
Access Control List

In this chapter
• How the device processes ACLs
• Disabling or re-enabling Access Control Lists (ACLs)
• Default ACL action
• Types of IP ACLs
• ACL IDs and entries
• Enabling support for additional ACL statements
• ACL-based inbound mirroring
• Configuring numbered and named ACLs
• Displaying ACL definitions
• ACL logging
• Modifying ACLs
• Deleting ACL entries
• Applying ACLs to interfaces
• QoS options for IP ACLs
• Enabling ACL duplication check
• ACL accounting
• Enabling ACL filtering of fragmented or non-fragmented packets
• ACL filtering for traffic switched within a virtual routing interface
• ICMP filtering for extended ACLs
• Troubleshooting ACLs

This chapter describes the IP Access Control List (ACL) feature, which enables you to filter traffic based on the information in the IP packet header. For details on Layer 2 ACLs, refer to “Types of IP ACLs” on page 513.

You can use IP ACLs to provide input to other features such as route maps, distribution lists, rate limiting, and BGP. When you use an ACL this way, use permit statements in the ACL to specify the traffic that you want to send to the other feature. If you use deny statements, the traffic specified by the deny statements is not supplied to the other feature. Also, if you use an ACL in a route map and you use a wildcard character as the source IP address, make sure you apply the route map to interfaces instead of globally, to prevent loops. See the chapters for a specific feature for information on using ACLs as input to those features.