
Configure ACL Application

An ACL can be applied globally, to a VLAN, to a port, or to an interface. The supported application points depend on the ACL type:

  • IP ACL: globally, to a VLAN, and to the ingress and egress of a port or interface.
  • Hybrid ACL: globally only.
  • MAC ACL: to the ingress and egress of a port or interface.
  • IPv6 ACL: to a port or interface.

The application point determines which packets are filtered:

  • Applied globally: all ingress packets on every port of the device are filtered.
  • Applied to a VLAN: all ingress packets on the ports in the VLAN, and the packets forwarded out of them, are filtered.
  • Applied to a port: all ingress packets on the port, and the packets forwarded out of it, are filtered.
  • Applied to an interface: the L3 forwarded packets are filtered.

ACL matching follows a priority order. From highest to lowest, the priority is: ACL applied to the port, ACL applied to the VLAN, ACL applied globally.

If a packet matches ACL rules applied to the port, to the VLAN and globally at the same time, the higher-priority ACL decides first. A packet the higher-priority ACL permits is passed on to the next-priority ACL for filtering; a packet the higher-priority ACL denies is dropped immediately and is not processed by any lower-priority ACL.

Configuration Condition

Before configuring the ACL application function, first complete the following task:

  • Configure ACL

Configure IP ACL to Be Applied to Port

Apply IP ACL to the port. The packet passing the port is analyzed and processed according to IP ACL.

Table 15-25 Configure IP ACL to be applied to the port

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2/L3 Ethernet interface configuration mode
Command: interface interface-name
Description: Either this step or the next. After entering the L2/L3 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group.

Step: Enter the aggregation group configuration mode
Command: interface link-aggregation link-aggregation-id
Description: Either this step or the previous one (see above).

Step: Configure IP ACL to be applied to the port
Command: ip access-group { access-list-number | access-list-name } { in | out | vfp }
Description: Mandatory. By default, IP ACL is not applied to the port.

Note:
  • If the ACL applied to the port does not exist, all packets passing the port are permitted.

Configure MAC ACL to Be Applied to Port

Apply MAC ACL to the port. The packet passing the port is analyzed and processed according to MAC ACL.

Table 15-26 Configure MAC ACL to be applied to the port

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: Either this step or the next. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group.

Step: Enter the aggregation group configuration mode
Command: interface link-aggregation link-aggregation-id
Description: Either this step or the previous one (see above).

Step: Configure MAC ACL to be applied to the port
Command: mac access-group { access-list-number | access-list-name } { in | out | vfp }
Description: Mandatory. By default, MAC ACL is not applied to the port.

Note:
  • If the ACL applied to the port does not exist, all packets passing the port are permitted.
  • MAC ACL can only match IPv4 packets; it cannot match other packet types.

Configure IP ACL to Be Applied to VLAN

Apply IP ACL to the VLAN. Packets passing the ports in the VLAN are analyzed and processed according to the IP ACL.

Table 15-27 Configure IP ACL to be applied to VLAN

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Enter the VLAN configuration mode
Command: vlan vlan-id
Description: -

Step: Configure IP ACL to be applied to VLAN
Command: ip access-group { access-list-number | access-list-name } { in | out | vfp }
Description: Mandatory. By default, IP ACL is not applied to the VLAN.

Note:
  • If the ACL applied to the VLAN does not exist, all packets passing the VLAN are permitted.

Configure IP ACL to Be Applied Globally

Apply IP ACL globally. The packets passing all ports are analyzed and processed according to IP ACL.

Table 15-28 Configure IP ACL to be applied globally

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Configure IP ACL to be applied globally
Command: global ip access-group { access-list-number | access-list-name } in
Description: Mandatory. By default, IP ACL is not applied globally.

Note:
  • If the ACL applied globally does not exist and no port is configured with an ACL, all packets passing the ports are permitted.
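Putting the port, VLAN and global procedures together, the following is an added configuration example (not taken from the manual) that applies three already-created IP ACLs on one device, so the priority order described under ACL matching can be seen in one place. The ACL names PORT_ACL, VLAN_ACL and GLOBAL_ACL, the interface name gigabitethernet0/1, VLAN 10 and the exit/end keywords are assumptions; the ACLs themselves must be created first as described in "Configure ACL", and lines beginning with # are annotations, not commands.

```text
# Added example, not vendor documentation. ACL names, interface name and
# VLAN id are assumed placeholders; create the three ACLs beforehand.
configure terminal

# 1. Port level: highest priority. Ingress packets on this port are
#    checked here first. A deny drops the packet at once; a permit hands
#    the packet on to the VLAN-level ACL.
interface gigabitethernet0/1
 ip access-group PORT_ACL in
 exit

# 2. VLAN level: next priority. Applies to ingress packets on every port
#    in VLAN 10 (and to packets forwarded out of them) that were not
#    already denied at port level.
vlan 10
 ip access-group VLAN_ACL in
 exit

# 3. Global level: lowest priority, ingress only (the command accepts
#    only "in"). Sees a packet only after the port and VLAN ACLs, if
#    present, have permitted it.
global ip access-group GLOBAL_ACL in
end
```

Removing any one of the three applications (or referencing an ACL that does not exist) makes that level permit everything, so the effective filter for a packet entering gigabitethernet0/1 is PORT_ACL, then VLAN_ACL, then GLOBAL_ACL, with the first deny being final.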

Configure Hybrid ACL to Be Applied Globally

Apply Hybrid ACL globally. The packets passing all ports are analyzed and processed according to Hybrid ACL.

Table 15-29 Configure Hybrid ACL to be applied globally

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Configure Hybrid ACL to be applied globally
Command: global hybrid access-group { access-list-number | access-list-name } in
Description: Mandatory. By default, Hybrid ACL is not applied globally.

Note:
  • If the ACL applied globally does not exist and no port is configured with an ACL, all packets passing all ports are permitted.
  • When configuring Hybrid ACL to be applied globally, the global IP Source Guard function needs to be disabled.

Configure IP ACL to Be Applied to an Interface

Apply IP ACL to an interface. Packets passing the interface are analyzed and processed according to the IP ACL.

Table 15-30 Configure IP ACL to be applied to the interface

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure IP ACL to be applied to the interface
Command: ip access-group { access-list-number | access-list-name } { in | out | self }
Description: Mandatory. By default, IP ACL is not applied to the interface.

Note:
  • If the ACL applied to the interface does not exist, all packets passing the interface are permitted.

Configure MAC ACL to Be Applied to an Interface

Apply MAC ACL to an interface. Packets passing the interface are analyzed and processed according to the MAC ACL.

Table 15-31 Configure MAC ACL to be applied to the interface

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Configure MAC ACL to be applied to the interface
Command: mac access-group { access-list-number | access-list-name } { in | out }
Description: Mandatory. By default, MAC ACL is not applied to the interface.

Note:
  • If the ACL applied to the interface does not exist, all packets passing the interface are permitted.

Configure IPv6 ACL to Be Applied to a Port

Apply IPv6 ACL to a port. The packet passing the port is analyzed and processed according to IPv6 ACL.

Table 15-32 Configure IPv6 ACL to be applied to a port

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Enter the L2 Ethernet interface configuration mode
Command: interface interface-name
Description: Either this step or the next. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group.

Step: Enter the aggregation group configuration mode
Command: interface link-aggregation link-aggregation-id
Description: Either this step or the previous one (see above).

Step: Configure IPv6 ACL to be applied to a port
Command: ipv6 access-group { access-list-number | access-list-name } { in | out }
Description: Mandatory. By default, IPv6 ACL is not applied to the port.

Note:
  • If the ACL applied to the port does not exist, all packets passing the port are permitted.

Configure IPv6 ACL to Be Applied to an Interface

Apply IPv6 ACL to an interface. The packet passing the interface is analyzed and processed according to IPv6 ACL.

Table 15-33 Configure IPv6 ACL to be applied to an interface

Step: Enter global configuration mode
Command: configure terminal
Description: -

Step: Enter the interface configuration mode
Command: interface interface-name
Description: -

Step: Apply IPv6 ACL to an interface
Command: ipv6 access-group { access-list-number | access-list-name } { in | out }
Description: Mandatory. By default, IPv6 ACL is not applied to the interface.

Note:
  • If the ACL applied to the interface does not exist, all packets passing the interface are permitted.