Table 7-2. L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior
Permit
Permit
Note: If an interface is configured as a vlan-stack access port, the packets are filtered by an L2 ACL only.
The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features (such as
trace-list, PBR, and QoS) are applied accordingly to the permitted traffic.
For information on MAC ACLs, refer to
Assign an IP ACL to an Interface
Ingress IP ACLs are supported on platforms:
Ingress and Egress IP ACLs are supported on platform:
To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port
channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel
interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in
the ACL.
The same ACL may be applied to different interfaces and that changes its functionality. For example, you
can take ACL "ABCD", and apply it using the
apply the same ACL using the
the loopback interface, it becomes a loopback access list.
This chapter covers the following topics:
•
Configuring Ingress ACLs
•
Configuring Egress ACLs
•
Configuring ACLs to Loopback
For more information on Layer-3 interfaces, refer to Interfaces.
To apply an IP ACL (standard or extended) to a physical or port channel interface, use these commands in
the following sequence in the INTERFACE mode:
Step
Command Syntax
1
interface interface slot/port
2
ip address
ip-address
L3 ACL Behavior
Deny
Permit
Layer
keyword, it becomes an egress access list. If you apply the same ACL to
out
Command Mode
CONFIGURATION
INTERFACE
Decision on Targeted Traffic
Denied by L3 ACL
Permitted by L3 ACL
2.
c
e
s
and
keyword and it becomes an ingress access list. If you
in
Purpose
Enter the interface number.
Configure an IP address for the interface, placing
it in Layer-3 mode.
Access Control Lists (ACLs) | 117