Configuring Layer 2 And Layer 3 Acls On An Interface; Assign An Ip Acl To An Interface - Dell Force10 MXL Blade Configuration Manual

Configuring Layer 2 and Layer 3 ACLs on an Interface

You can configure both Layer 2 and Layer 3 ACLs on an interface in Layer 2 mode. If both L2 and L3
ACLs are applied to an interface, the following rules apply:
• The packets routed by FTOS are governed by the L3 ACL only because they are not filtered against an
L2 ACL.
• The packets switched by FTOS are first filtered by the L3 ACL, then by the L2 ACL.
• When packets are switched by FTOS, the egress L3 ACL does not filter the packet.
For the following features, if you enable counters on rules that have already been configured and a new
rule is either inserted or prepended, all the existing counters are reset:
• L2 Ingress Access list
• L3 Egress Access list
• L2 Egress Access list
• L3 Ingress Access list
If a rule is simply appended, existing counters are not affected.
Table 5-1. L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior
Deny
Deny
Permit
Permit
Note: If an interface is configured as a " vlan-stack access " port, the packets are filtered by an L2 ACL
only. The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features
(such as trace-list, PBR, and QoS) are applied accordingly to the permitted traffic.
For information on MAC ACLs, refer to

Assign an IP ACL to an Interface

To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port
channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel
interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in
the ACL.
L3 ACL Behavior
Deny
Permit
Deny
Permit
Layer 2 on page
Decision on Targeted Traffic
Denied by L3 ACL
Permitted by L3 ACL
Denied by L3 ACL
Permitted by L3 ACL
305.
Access Control Lists (ACLs) | 81