ACL Groups
Assigning ACL Groups to a Port
© Copyright Lenovo 2017
To assist in organizing multiple ACLs and assigning them to ports, you can place
ACLs into ACL Groups, thereby defining complex traffic profiles. ACLs and ACL
Groups can then be assigned on a per‐port basis. Any specific ACL can be assigned
to multiple ACL Groups, and any ACL or ACL Group can be assigned to multiple
ports. If, as part of multiple ACL Groups, a specific ACL is assigned to a port
multiple times, only one instance is used. The redundant entries are ignored.
Individual ACLs
The CN4093 supports up to 256 ACLs. Each ACL defines one filter rule for
matching traffic criteria. Each filter rule can also include an action (permit or
deny the packet). For example:
ACL 1:
    VLAN = 1
    SIP = 10.10.10.1 (255.255.255.0)
    Action = permit
Access Control List Groups
An Access Control List Group (ACL Group) is a collection of ACLs. For
example:
ACL Group 1
    ACL 1:
        VLAN = 1
        SIP = 10.10.10.1 (255.255.255.0)
        Action = permit
    ACL 2:
        VLAN = 2
        SIP = 10.10.10.2 (255.255.255.0)
        Action = deny
    ACL 3:
        Priority = 7
        DIP = 10.10.10.3 (255.255.255.0)
        Action = permit
ACL Groups organize ACLs into traffic profiles that can be more easily assigned
to ports. The CN4093 supports up to 256 ACL Groups.
Note: ACL Groups are used for convenience in assigning multiple ACLs to ports.
ACL Groups have no effect on the order in which ACLs are applied (see "ACL
Order of Precedence" on page 124). All ACLs assigned to the port (whether
individually assigned or part of an ACL Group) are considered as individual ACLs
for the purposes of determining their order of precedence.
To assign an ACL Group to a port, use the following commands:
CN 4093(config)# interface port <port number>
CN 4093(config-if)# access-control group <ACL group number>
CN 4093(config-if)# exit
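When auditing a switch configuration, it helps to flatten each port's ACL Groups into the set of individual ACLs that actually apply, and to list the redundant entries the switch ignores. The following Python sketch is an added example, not Lenovo code: the group membership table, the sample configuration, the port name and both function names are assumptions, and only the two commands shown above are parsed.

```python
import re
from collections import defaultdict

MAX_ACLS = MAX_GROUPS = 256  # limits this page states for the CN4093

# Constructed sample data (assumptions): group 1 mirrors the page's example.
SAMPLE_GROUPS = {1: [1, 2, 3], 2: [3, 4]}
SAMPLE_CONFIG = """\
interface port 1
access-control group 1
access-control group 2
exit
"""

def parse_group_assignments(config_text):
    """Map port -> ACL group numbers, using the two commands shown on the page."""
    ports, current = defaultdict(list), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface port (\S+)", line):
            current = m.group(1)
        elif line == "exit":
            current = None
        elif (m := re.fullmatch(r"access-control group (\d+)", line)) and current:
            ports[current].append(int(m.group(1)))
    return dict(ports)

def effective_acls(groups, port_groups, port_acls=()):
    """Flatten a port's ACL Groups and individually assigned ACLs.

    Returns (effective, redundant): the deduplicated ACL numbers, and a map of
    each ACL assigned more than once to the sources that brought it in.
    """
    if len(groups) > MAX_GROUPS:
        raise ValueError("more ACL Groups than the switch supports")
    sources = defaultdict(list)
    for acl in port_acls:
        sources[acl].append("individual")
    for g in port_groups:
        if g not in groups:
            raise ValueError(f"ACL group {g} is assigned but not defined")
        for acl in groups[g]:
            sources[acl].append(f"group {g}")
    if len(sources) > MAX_ACLS:
        raise ValueError("more ACLs than the switch supports")
    # Sorted for stable output only; this is NOT the order of precedence.
    effective = sorted(sources)
    redundant = {a: s for a, s in sources.items() if len(s) > 1}
    return effective, redundant
```

The redundant map shows which overlapping groups to tidy up; the order in which the effective ACLs are applied is still determined per individual ACL, as the note above says.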
Chapter 7: Access Control Lists