An ACL can be applied globally, to a VLAN, to a port, or to an interface, but not every ACL type supports every scope:
- IP ACL: globally, to a VLAN, and to the ingress and egress of a port or interface.
- Hybrid ACL: globally only.
- MAC ACL: to the ingress and egress of a port or interface.
- IPv6 ACL: to a port or interface.
The scope determines which traffic the ACL sees. Applied globally, the ACL filters all packets entering any port of the device; applied to a VLAN, it filters packets entering the ports in that VLAN and packets forwarded out of them; applied to a port, it filters packets entering that port and packets forwarded out of it; applied to an interface, it filters L3-forwarded packets.
ACL matching follows a priority order. From high to low: the ACL applied to the port, the ACL applied to the VLAN, the ACL applied globally.
When a packet matches ACL rules at the port, VLAN and global levels at the same time, a permit result at the higher-priority level hands the packet to the next-priority ACL for further filtering, so the packet is forwarded only if no level denies it. A deny result at the higher-priority level drops the packet immediately; it is not passed to the lower-priority ACLs.
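The port, VLAN and global cascade described above, modelled as an added Python example (this is not the switch's code). It reproduces the documented rules: a deny at any level drops the packet and stops evaluation, a permit hands it to the next level, and a level whose ACL is missing or does not exist permits everything. The rule fields, the ACL and packet samples, and the implicit deny at the end of an existing ACL are assumptions made for the example; the section only states what happens when the ACL does not exist.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Evaluation order, highest priority first (port, then VLAN, then global).
PRIORITY = ("port", "vlan", "global")


@dataclass(frozen=True)
class Rule:
    """One ACL entry. The field set is an assumption; real ACLs match more than this."""
    action: str                   # "permit" or "deny"
    src: str = "0.0.0.0/0"        # source prefix, any by default
    dst: str = "0.0.0.0/0"        # destination prefix, any by default
    proto: Optional[str] = None   # "tcp"/"udp"/..., None matches any protocol
    dport: Optional[int] = None   # destination port, None matches any port

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


@dataclass
class Acl:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, pkt):
        """First matching rule wins. An existing ACL is assumed to end with an
        implicit deny (usual ACL behaviour, not stated on this page)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "deny"


def filter_packet(pkt, applied, acl_table):
    """Run one packet through the port -> VLAN -> global cascade.

    applied   maps each level to the ACL name applied there (or None).
    acl_table maps ACL names to Acl objects that actually exist on the device.
    Returns (verdict, level): the level that denied the packet, or None if every
    level let it through.
    """
    for level in PRIORITY:
        acl = acl_table.get(applied.get(level))
        if acl is None:
            # No ACL at this level, or the name refers to an ACL that does not
            # exist: the level permits everything and the packet moves on to
            # the next level (it fails open).
            continue
        if acl.evaluate(pkt) == "deny":
            # Deny at a higher-priority level drops the packet immediately.
            return "deny", level
        # Permit hands the packet to the next-priority ACL.
    return "permit", None


# Constructed sample ACLs and bindings (names and addresses are assumptions).
ACL_TABLE = {
    "EDGE_IN": Acl("EDGE_IN", [Rule("deny", src="10.0.0.0/8", proto="tcp", dport=23),
                               Rule("permit")]),
    "VLAN_MGMT": Acl("VLAN_MGMT", [Rule("permit", dst="192.168.1.0/24"),
                                   Rule("deny")]),
    "GLOBAL_BASE": Acl("GLOBAL_BASE", [Rule("deny", dst="192.168.1.1/32", proto="tcp", dport=22),
                                       Rule("permit")]),
}
APPLIED = {"port": "EDGE_IN", "vlan": "VLAN_MGMT", "global": "GLOBAL_BASE"}

TELNET = {"src": "10.1.1.1", "dst": "192.168.1.1", "proto": "tcp", "dport": 23}
HTTPS = {"src": "10.1.1.1", "dst": "192.168.1.5", "proto": "tcp", "dport": 443}
OUTSIDE = {"src": "10.1.1.1", "dst": "172.16.0.1", "proto": "tcp", "dport": 80}
SSH_MGMT = {"src": "10.1.1.1", "dst": "192.168.1.1", "proto": "tcp", "dport": 22}


def demo():
    """Return the verdicts for the sample packets, including the fail-open case."""
    typo = dict(APPLIED, port="EDGE-IN")  # this name does not exist in ACL_TABLE
    return {
        "telnet": filter_packet(TELNET, APPLIED, ACL_TABLE),       # ("deny", "port")
        "https": filter_packet(HTTPS, APPLIED, ACL_TABLE),         # ("permit", None)
        "outside": filter_packet(OUTSIDE, APPLIED, ACL_TABLE),     # ("deny", "vlan")
        "ssh_mgmt": filter_packet(SSH_MGMT, APPLIED, ACL_TABLE),   # ("deny", "global")
        "telnet_typo": filter_packet(TELNET, typo, ACL_TABLE),     # ("permit", None)
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The last case is the one to watch in practice: the port-level ACL name is misspelled, so the port level is skipped entirely and the telnet packet that EDGE_IN was meant to block is permitted by the VLAN and global ACLs. Nothing in the cascade compensates for a missing higher-priority ACL.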
Configuration Condition
Before configuring the ACL application function, first complete the following task:
Configure IP ACL to Be Applied to Port
Apply IP ACL to the port. The packet passing the port is analyzed and processed according to IP ACL.
Table 15-25 Configure IP ACL to be applied to the port

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2/L3 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2/L3 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Configure applying IP ACL to the port | ip access-group { access-list-number \| access-list-name } { in \| out \| vfp } | Mandatory. By default, no IP ACL is applied to the port. |
- If the ACL applied to the port does not exist, all packets passing the port are permitted. A mistyped or deleted ACL name therefore fails open rather than closed, so verify that the ACL exists before applying it.
Configure MAC ACL to Be Applied to Port
Apply MAC ACL to the port. The packet passing the port is analyzed and processed according to MAC ACL.
Table 15-26 Configure MAC ACL to be applied to the port

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Configure MAC ACL to be applied to the port | mac access-group { access-list-number \| access-list-name } { in \| out \| vfp } | Mandatory. By default, no MAC ACL is applied to the port. |
- If the ACL applied to the port does not exist, all packets passing the port are permitted.
- A MAC ACL can only match IPv4 packets; it cannot match other types of packets.
Configure IP ACL to Be Applied to VLAN
Apply IP ACL to the VLAN. The packets passing the VLAN are analyzed and processed according to the IP ACL.
Table 15-27 Configure IP ACL to be applied to VLAN

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the VLAN configuration mode | vlan vlan-id | - |
| Configure IP ACL to be applied to VLAN | ip access-group { access-list-number \| access-list-name } { in \| out \| vfp } | Mandatory. By default, no IP ACL is applied to the VLAN. |
- If the ACL applied to the VLAN does not exist, all packets passing the VLAN are permitted.
Configure IP ACL to Be Applied Globally
Apply IP ACL globally. The packets passing all ports are analyzed and processed according to IP ACL.
Table 15-28 Configure IP ACL to be applied globally

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Configure IP ACL to be applied globally | global ip access-group { access-list-number \| access-list-name } in | Mandatory. By default, no IP ACL is applied globally. |
- If the globally applied ACL does not exist and no port has an ACL configured, all packets passing the ports are permitted.
Configure Hybrid ACL to Be Applied Globally
Apply Hybrid ACL globally. The packets passing all ports are analyzed and processed according to Hybrid ACL.
Table 15-29 Configure Hybrid ACL to be applied globally

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Configure Hybrid ACL to be applied globally | global hybrid access-group { access-list-number \| access-list-name } in | Mandatory. By default, no Hybrid ACL is applied globally. |
- If the globally applied ACL does not exist and no port has an ACL configured, all packets passing all ports are permitted.
- Applying a Hybrid ACL globally requires the global IP Source Guard function to be disabled.
Configure IP ACL to Be Applied to an Interface
Apply IP ACL to an interface. The packets passing the interface are analyzed and processed according to the IP ACL.
Table 15-30 Configure IP ACL to be applied to the interface

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure IP ACL to be applied to the interface | ip access-group { access-list-number \| access-list-name } { in \| out \| self } | Mandatory. By default, no IP ACL is applied to the interface. |
- If the ACL applied to the interface does not exist, all packets passing the interface are permitted.
Configure MAC ACL to Be Applied to an Interface
Apply MAC ACL to an interface. The packets passing the interface are analyzed and processed according to the MAC ACL.
Table 15-31 Configure MAC ACL to be applied to the interface

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Configure MAC ACL to be applied to the interface | mac access-group { access-list-number \| access-list-name } { in \| out } | Mandatory. By default, no MAC ACL is applied to the interface. |
- If the ACL applied to the interface does not exist, all packets passing the interface are permitted.
Configure IPv6 ACL to Be Applied to a Port
Apply IPv6 ACL to a port. The packet passing the port is analyzed and processed according to IPv6 ACL.
Table 15-32 Configure IPv6 ACL to be applied to a port

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | Either. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Configure IPv6 ACL to be applied to a port | ipv6 access-group { access-list-number \| access-list-name } { in \| out } | Mandatory. By default, no IPv6 ACL is applied to the port. |
- If the ACL applied to the port does not exist, all packets passing the port are permitted.
Configure IPv6 ACL to Be Applied to an Interface
Apply IPv6 ACL to an interface. The packet passing the interface is analyzed and processed according to IPv6 ACL.
Table 15-33 Configure IPv6 ACL to be applied to an interface

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the interface configuration mode | interface interface-name | - |
| Apply IPv6 ACL to an interface | ipv6 access-group { access-list-number \| access-list-name } { in \| out } | Mandatory. By default, no IPv6 ACL is applied to the interface. |
- If the ACL applied to the interface does not exist, all packets passing the interface are permitted.
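Every table above carries the same note: an applied ACL that does not exist permits all traffic at that level, so a mistyped or deleted ACL name silently fails open. The following added Python example (not a tool shipped with the switch) audits a running-config excerpt for that condition and for ACL families applied at a scope the start of this section does not allow. It parses only the application commands documented above (ip, mac, ipv6 and hybrid access-group, with or without the global prefix) and tracks the interface or VLAN context each one was entered in. The config excerpt, the interface names, the ACL names and the inventory of defined ACLs are constructed assumptions; a port and an L3 interface both appear as interface lines, so they share one scope in the check.

```python
import re

# Constructed running-config excerpt. Interface names, ACL names and the
# misplaced MAC ACL under the VLAN are assumptions made for this example.
SAMPLE_CONFIG = """\
global ip access-group 2001 in
global hybrid access-group HYB_CORE in
!
vlan 10
 ip access-group 2010 in
 mac access-group 4001 in
!
interface gigabitethernet0/1
 ip access-group EDGE-IN in
 mac access-group 4001 out
!
interface link-aggregation 1
 ipv6 access-group V6_EDGE in
!
interface vlan10
 ip access-group 2020 self
"""

# Constructed inventory of the ACLs that exist on the device, keyed by family.
# EDGE_IN exists; the config references EDGE-IN, a typo that fails open.
DEFINED_ACLS = {
    "ip": {"2001", "2010", "2020", "EDGE_IN"},
    "mac": {"4001"},
    "hybrid": {"HYB_CORE"},
    "ipv6": set(),
}

# Scopes at which each ACL family may be applied, per the start of the section.
ALLOWED_SCOPES = {
    "ip": {"global", "vlan", "interface"},
    "hybrid": {"global"},
    "mac": {"interface"},
    "ipv6": {"interface"},
}

APPLY_RE = re.compile(
    r"^\s*(?P<global>global\s+)?(?P<family>ip|ipv6|mac|hybrid)\s+access-group\s+"
    r"(?P<acl>\S+)\s+(?P<dir>in|out|vfp|self)\s*$"
)
CONTEXT_RE = re.compile(r"^(?P<kind>interface|vlan)\s+(?P<name>\S.*?)\s*$")


def parse_applications(config_text):
    """Return (scope, context_name, family, acl, direction) for each access-group
    command, tracking the interface / vlan context the command was entered in."""
    found = []
    context = ("global", None)
    for line in config_text.splitlines():
        if line.strip() == "!":
            context = ("global", None)   # section separator ends the context
            continue
        ctx = CONTEXT_RE.match(line)
        if ctx:
            context = (ctx.group("kind"), ctx.group("name"))
            continue
        m = APPLY_RE.match(line)
        if not m:
            continue
        scope, name = ("global", None) if m.group("global") else context
        found.append((scope, name, m.group("family"), m.group("acl"), m.group("dir")))
    return found


def audit(config_text, defined=DEFINED_ACLS):
    """Return one finding string per problem; an empty list means nothing was found."""
    findings = []
    for scope, name, family, acl, direction in parse_applications(config_text):
        where = scope if name is None else f"{scope} {name}"
        if acl not in defined.get(family, set()):
            findings.append(
                f"{where}: {family} access-group {acl} {direction} references an "
                f"undefined {family} ACL, so this level permits all traffic (fails open)"
            )
        if scope not in ALLOWED_SCOPES[family]:
            findings.append(f"{where}: a {family} ACL cannot be applied at scope '{scope}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports the MAC ACL applied under vlan 10, the EDGE-IN reference on gigabitethernet0/1 and the IPv6 ACL V6_EDGE on link-aggregation 1 that was never defined. Feed it the real configuration and the output of whatever command lists defined ACLs on the device, and run it after every ACL deletion or rename, since the switch itself does not warn when a binding points at nothing.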