Configuration Guide Configuring ACL
11.3.6 SVI Router ACL
By default, an ACL that is applied to an SVI takes effect on both L2 packets forwarded within the VLAN and L3 packets
forwarded between VLANs. As a result, users in the same VLAN may fail to communicate with each other. The SVI router
ACL function is therefore provided as a switch that makes the ACL applied to an SVI take effect only on packets routed
between VLANs.
Working Principle
By default, the SVI router ACL function is disabled, and an SVI ACL takes effect on L3 packets forwarded between VLANs
and L2 packets forwarded within a VLAN. After the SVI router ACL function is enabled, the SVI ACL takes effect only on L3
packets forwarded between VLANs.
Related Configuration
➢ Configuring an ACL
Before configuring the SVI router ACL, configure and apply an ACL. For details about how to configure an ACL, see the
earlier descriptions about ACL configuration.
➢ Adding ACEs to an ACL
For details about how to add ACEs to an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert
extended ACL, or IPv6 ACL.
➢ Applying an ACL
For details about how to apply an ACL, see the earlier descriptions about the IP ACL, MAC extended ACL, expert extended
ACL, or IPv6 ACL. Apply the ACL in SVI configuration mode.
➢ Configuring the SVI Router ACL
Run the svi router-acls enable command in global configuration mode to enable the SVI router ACL so that the ACL that is
applied to an SVI takes effect only on packets forwarded at L3, and not on packets forwarded at L2 within a VLAN.
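The difference between the two states can be checked against a planned SVI ACL before the command is changed. The following Python model is an added example, not taken from this guide or from the device software. It assumes an inbound ACL on the SVI, one subnet per VLAN, and an implicit deny at the end of the ACL; all names and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # source network, CIDR
    dst: str     # destination network, CIDR

def acl_verdict(aces, src_ip, dst_ip):
    """First matching ACE wins; no match means the assumed implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if src in ipaddress.ip_network(ace.src) and dst in ipaddress.ip_network(ace.dst):
            return ace.action
    return "deny"

def svi_forward(aces, svi_subnet, src_ip, dst_ip, svi_router_acls):
    """Return 'forward' or 'drop' for a packet entering the VLAN of this SVI."""
    # Assumption: one subnet per VLAN, so a destination inside the SVI subnet
    # is switched at L2 within the VLAN and anything else is routed at L3.
    intra_vlan = ipaddress.ip_address(dst_ip) in ipaddress.ip_network(svi_subnet)
    if intra_vlan and svi_router_acls:
        return "forward"  # function enabled: the SVI ACL skips L2 packets
    return "forward" if acl_verdict(aces, src_ip, dst_ip) == "permit" else "drop"

def compare(aces, svi_subnet, flows):
    """Map each flow to (result with function disabled, result with it enabled)."""
    return {
        flow: (svi_forward(aces, svi_subnet, *flow, svi_router_acls=False),
               svi_forward(aces, svi_subnet, *flow, svi_router_acls=True))
        for flow in flows
    }

# Constructed sample data: addresses and ACL contents are illustrative only.
SVI_SUBNET = "192.168.10.0/24"
ACL = [Ace("permit", "192.168.10.0/24", "10.0.0.0/24")]
FLOWS = [
    ("192.168.10.5", "192.168.10.9"),  # same VLAN, forwarded at L2
    ("192.168.10.5", "10.0.0.20"),     # routed, permitted by the ACE
    ("192.168.10.5", "172.16.0.1"),    # routed, hits the implicit deny
]

if __name__ == "__main__":
    for flow, (disabled, enabled) in compare(ACL, SVI_SUBNET, FLOWS).items():
        print(f"{flow[0]} -> {flow[1]}: disabled={disabled} enabled={enabled}")
```

Only the same-VLAN flow changes result between the two states; routed flows are filtered by the ACL either way.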
11.4 Configuration
(Optional) It is used to filter IPv4 packets.
Configures a standard IP ACL.
Configures an extended IP ACL.
permit host any time-range
Adds a permit ACE to a standard IP ACL.
Adds a deny ACE to a standard IP ACL.
permit host any host any tos dscp precedence fragment time-range
Adds a permit ACE to an extended IP ACL.