
Ruijie RG-S2900G-E Series - Page 763

Configuration Guide Access Control List Configuration
Note
A filtering domain template can be a collection of L3 (Layer 3) and L4 (Layer 4) fields, or a collection of multiple L2 (Layer 2) fields. However, the filtering domain template of a standard or extended ACL cannot be a collection of L2 and L3, L2 and L4, or L2, L3 and L4 fields. To use a combination of L2, L3 and L4 fields, apply an Expert ACL.
When associating an SVI with an ACL in the outbound direction, note that:
1 The ACL in the outbound direction has higher priority than the one in the inbound direction.
2 The default deny any any command is not available.
3 Standard IP ACL, extended IP ACL, extended MAC ACL and expert ACL are supported.
4 There are some limits on matching the destination IP address and the destination MAC address in an ACL. If you configure a match on the destination MAC address in an extended MAC ACL or expert ACL and then apply this ACL in the outbound direction of an SVI, the entry is set but does not take effect. If a standard IP ACL, extended IP ACL or expert ACL matches a destination IP address that is not in the subnet IP range of the associated SVI, the ACL does not take effect. For example, VLAN 1's IP address is 192.168.64.1 255.255.255.0. You create an ACL with the ACE deny udp any 192.168.65.1 0.0.0.255 eq 255 and apply this ACL at the egress of VLAN 1. This ACL does not function, because the destination IP address is not in the subnet IP range of VLAN 1. If the ACE is deny udp any 192.168.64.1 0.0.0.255 eq 255, the ACL takes effect.
5 If a member interface of an SVI is used for routing rather than being directly connected to a PC, the ACL in the outbound direction of the SVI does not take effect for packets that are output from this member interface.
6 Associating an ACL in the outbound direction with the routed port and L3 AP is not supported.
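The subnet limit in item 4 is easy to miss in review, because the entry is accepted but filters nothing. The following is an added example, not part of the original manual: a Python check that flags ACEs whose destination range lies wholly outside the SVI subnet. The function names are hypothetical, only the "any" and "address wildcard" forms shown above are parsed, and partly overlapping ranges are not flagged because the manual does not describe them.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Turn an ACE 'address wildcard' pair into an IPv4Network.
    Only contiguous wildcards (0.0.0.255 style) are handled."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard: {wildcard}")
    base = int(ipaddress.IPv4Address(addr)) & ~w & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, 32 - w.bit_length()))

def take_addr(tokens):
    """Consume one address spec from the token list: 'any' or 'A wildcard'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return wildcard_to_network(first, tokens.pop(0))

def ineffective_egress_aces(aces, svi_ip, svi_mask):
    """Return the ACEs that would have no effect at the egress of the SVI,
    i.e. whose destination range does not overlap the SVI subnet."""
    svi_net = ipaddress.IPv4Network(f"{svi_ip}/{svi_mask}", strict=False)
    flagged = []
    for ace in aces:
        tokens = ace.split()[2:]   # drop the action and the protocol
        take_addr(tokens)          # source (not relevant to this check)
        dst = take_addr(tokens)    # destination
        if not dst.overlaps(svi_net):
            flagged.append(ace)
    return flagged

# Constructed input: the two ACEs and the VLAN 1 address from the note above.
SAMPLE_ACES = [
    "deny udp any 192.168.65.1 0.0.0.255 eq 255",
    "deny udp any 192.168.64.1 0.0.0.255 eq 255",
]

if __name__ == "__main__":
    for ace in ineffective_egress_aces(SAMPLE_ACES, "192.168.64.1", "255.255.255.0"):
        print("no effect at SVI egress:", ace)
```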
Configuring IP Access List
To configure access lists on a device, you must specify a unique name or number for each access list of a protocol, to uniquely identify each access list within that protocol. The following table lists the protocols that can use numbers to specify access lists and the number ranges of access lists that can be used by each protocol.
Protocol       Number Range
Standard IP    1-99, 1300-1999
Extended IP    100-199, 2000-2699
