Configuration Guide                                                      Configuring ACL 
 
 
of L2 and L4 fields, or a combination of L2, L3, and L4 fields. To use a combination of L2, L3, and L4 fields, you can use the expert ACLs.
 
 
An SVI associated with ACLs in the outgoing direction supports the IP standard, IP extended, MAC extended, and expert ACLs.
 
 
If a MAC extended or expert ACL is configured to match the destination MAC address and is applied to the outgoing direction of the SVI, the related ACE can be configured but cannot take effect. If an IP extended or expert ACL is configured to match the destination IP address, but the destination IP address is not in the subnet IP address range of the associated SVI, the configured ACL cannot take effect. For example, assume that the address of VLAN 1 is 192.168.64.1 255.255.255.0, an IP extended ACL is created, and the ACE is deny udp any 192.168.65.1 0.0.0.255 eq 255. If this ACL is applied to the outgoing interface of VLAN 1, the ACL cannot take effect because the destination IP address is not in the subnet IP address range of VLAN 1. If the ACE is deny udp any 192.168.64.1 0.0.0.255 eq 255, the ACL can take effect because the destination IP address is in the subnet IP address range of VLAN 1.
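The subnet check described above is easy to get wrong when an ACE uses a wildcard mask, so the following Python script models it. This is an added example written for this page, not code from the configuration guide or from the device; the function names (`ace_destination_status`, `check_acl`) and the three-way result (effective, partial, ineffective) are assumptions chosen for the illustration. The only inputs taken from the guide are the VLAN 1 address 192.168.64.1 255.255.255.0 and the two ACE destinations from its example; the remaining ACE is constructed to show the partial-overlap case, and the bitwise logic also handles non-contiguous wildcards, which the guide's example does not cover.

```python
import ipaddress

# Added example, not from the configuration guide: models the check the guide
# describes for IP extended/expert ACEs applied to the outgoing direction of an SVI.
# Function and parameter names are assumptions chosen for this illustration.

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def ace_destination_status(svi_addr: str, svi_mask: str,
                           ace_dst: str, ace_wildcard: str) -> str:
    """Classify an ACE's destination range against the SVI subnet.

    The ACE matches every address a for which (a & ~wildcard) == (dst & ~wildcard);
    the SVI subnet holds every address a for which (a & mask) == (svi & mask).
    Returns:
      'effective'   - every address the ACE can match lies inside the SVI subnet
      'partial'     - the ranges overlap, but the ACE also matches addresses outside
      'ineffective' - no address the ACE matches is in the SVI subnet (the guide's
                      failure case: the ACE can be configured but cannot take effect)
    Works on bits rather than prefixes, so non-contiguous wildcards are handled too.
    """
    svi, mask = _to_int(svi_addr), _to_int(svi_mask)
    dst, wc = _to_int(ace_dst), _to_int(ace_wildcard)
    fixed = ALL_ONES & ~wc        # bits the ACE compares exactly
    common = fixed & mask         # bits fixed by both the ACE and the subnet
    if (dst & common) != (svi & common):
        return "ineffective"      # the two ranges cannot share a single address
    if mask & ~fixed & ALL_ONES:  # subnet bits the ACE treats as "don't care"
        return "partial"
    return "effective"


def check_acl(svi_addr: str, svi_mask: str, aces):
    """Evaluate (dst, wildcard) pairs; returns a list of (dst, wildcard, status)."""
    return [(d, w, ace_destination_status(svi_addr, svi_mask, d, w)) for d, w in aces]


if __name__ == "__main__":
    # Constructed inputs based on the guide's example: VLAN 1 is 192.168.64.1 255.255.255.0
    results = check_acl("192.168.64.1", "255.255.255.0",
                        [("192.168.65.1", "0.0.0.255"),   # guide: cannot take effect
                         ("192.168.64.1", "0.0.0.255"),   # guide: can take effect
                         ("192.168.0.0", "0.0.255.255")]) # constructed: wider than the SVI
    for dst, wc, status in results:
        print(f"deny udp any {dst} {wc} eq 255 -> {status}")
```

Run the script before applying an outgoing ACL to an SVI: any ACE reported as ineffective is one the guide says will be accepted by the configuration but silently never match, which is worth catching in review rather than in production.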
 
 
On a device, if ACLs are applied to the outgoing direction of a physical port or an aggregate port (AP), the ACLs can filter only known packets (known unicast or multicast packets), but not unknown unicast packets. That is, for unknown unicast or broadcast packets, ACLs configured in the outgoing direction of a port do not take effect.
 
If an expert ACL is configured and applied to the outgoing direction of an interface, and some ACEs in this ACL contain L3 matching information (for example, the IP address and L4 port), non-IP packets sent to the device from this interface cannot be controlled by the permit and deny ACEs in this ACL.
 
If ACEs of an ACL (IP ACL or expert extended ACL) are configured to match non-L2 fields (such as SIP and DIP), the ACL does not take effect on tagged MPLS packets.
Overview
Control incoming or outgoing IPv4 packets of a device based on the L3 or L4 information in the IPv4 packet header.
Control incoming or outgoing L2 packets of a device based on the L2 information in the Ethernet packet header.
Combine the IP ACL and MAC extended ACL into an expert extended ACL, which controls (permits or denies) incoming or outgoing packets of a device using the same rule based on the L2, L3, and L4 information in the packet header.
Control incoming or outgoing IPv6 packets of a device based on the L3 or L4 information in the IPv6 packet header.
Allow packets to bypass the check of access control applications, such as DOT1X and Web authentication, to meet requirements of some special scenarios.