Access Security Guide K/KA/KB.15.15

Figure 214 Application to filter traffic inbound on port B2
Using the topology in Figure 214 (page 299), a workstation at FE80::20:117 on port B2 attempting
to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the
"V6-01" ACL assigned to port B2, resulting in the following:
Figure 215 Ping and telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01"
as a PACL on port B2
Figure 216 Resulting ACE hits on ACL "V6-01"
NOTE: ACE counters for IPv4 ACLs assigned as RACLs operate differently from the behavior described above. For more information, see "Using IPv4 counters with multiple interface assignments" (page 299).
Using IPv4 counters with multiple interface assignments
Where the same IPv4 ACL is assigned to multiple interfaces as a VLAN ACL (VACL) or port ACL (PACL), the switch maintains a separate instance of ACE counters for each interface assignment. Thus, when there is a match with traffic on one of the ACL's VACL- or PACL-assigned interfaces, only the ACE counter in the affected instance of the ACL is incremented. However, if an ACL has multiple assignments as an RACL, then a match with an ACE in any RACL instance of the ACL increments that same counter on all RACL-assigned instances of that ACL. (The ACE counters for VACL and PACL instances of an ACL are not affected by counter activity in RACL instances of the same ACL.)
For example, suppose that an IPv4 ACL named "Test-1" is configured to block Telnet access to a
server at 10.10.20.12 on VLAN 20, and that the Test-1 ACL is assigned to VLANs as follows:
VLAN 20: VACL
VLAN 50: RACL
VLAN 70: RACL
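The following model, added here as an illustration and not code from the Access Security Guide, encodes the counter rule stated above (one counter instance per VACL or PACL assignment, one instance shared by every RACL assignment of the same ACL) so its effect on the Test-1 assignments can be checked on constructed traffic. The guide says only that Test-1 blocks Telnet to 10.10.20.12; the two ACEs given to it here (deny TCP to that host on port 23, then permit any IP), the interface names and all sample packets are assumptions.

```python
"""Model of how ACE hit counters follow an ACL's interface assignments.

Added illustration, not code from the Access Security Guide: it encodes the
rule in the text (one counter instance per VACL/PACL assignment, one counter
instance shared by every RACL assignment of the same ACL).  The Test-1 ACE
list and all packets below are assumptions; the guide only states that Test-1
blocks Telnet to 10.10.20.12.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access control entry: action, protocol, destination, optional port."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    dst: str                     # destination prefix, e.g. "10.10.20.12/32"
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return True


class Acl:
    """An IPv4 ACL whose ACE counters are kept per assignment as described above."""

    def __init__(self, name: str, aces: List[Ace]) -> None:
        self.name = name
        self.aces = list(aces)
        # (kind, interface) -> list of hit counts, one entry per ACE
        self.assignments: Dict[Tuple[str, str], List[int]] = {}
        # Every RACL assignment shares this single list object.
        self._racl_counters: List[int] = [0] * len(self.aces)

    def assign(self, kind: str, interface: str) -> None:
        if kind == "racl":
            counters = self._racl_counters          # shared across all RACL instances
        elif kind in ("vacl", "pacl"):
            counters = [0] * len(self.aces)         # private to this one assignment
        else:
            raise ValueError(f"unknown assignment type {kind!r}")
        self.assignments[(kind, interface)] = counters

    def apply(self, kind: str, interface: str, pkt: dict) -> str:
        """Filter one packet through the named instance; return the action taken."""
        counters = self.assignments[(kind, interface)]
        for i, ace in enumerate(self.aces):
            if ace.matches(pkt):
                counters[i] += 1                    # only the matching ACE's counter moves
                return ace.action
        return "deny"   # implicit deny at the end of every ACL; not counted in this model

    def hits(self, kind: str, interface: str) -> List[int]:
        return list(self.assignments[(kind, interface)])


def build_test1() -> Acl:
    """Test-1 as assumed here: deny Telnet to the server, permit everything else."""
    acl = Acl("Test-1", [
        Ace("deny", "tcp", "10.10.20.12/32", dst_port=23),
        Ace("permit", "ip", "0.0.0.0/0"),
    ])
    acl.assign("vacl", "vlan20")
    acl.assign("racl", "vlan50")
    acl.assign("racl", "vlan70")
    return acl


def demo() -> Dict[Tuple[str, str], List[int]]:
    """Run constructed traffic through the instances and return every counter set."""
    acl = build_test1()
    telnet = {"proto": "tcp", "dst": "10.10.20.12", "dport": 23}   # constructed
    ping = {"proto": "icmp", "dst": "10.10.20.12"}                  # constructed

    # Two Telnet attempts from hosts on VLAN 20 itself hit the VACL instance.
    acl.apply("vacl", "vlan20", telnet)
    acl.apply("vacl", "vlan20", telnet)
    # One Telnet attempt and one ping arriving on VLAN 50 hit that RACL instance...
    acl.apply("racl", "vlan50", telnet)
    acl.apply("racl", "vlan50", ping)
    # ...and no traffic at all is sent through the VLAN 70 RACL instance.
    return {key: acl.hits(*key) for key in acl.assignments}


if __name__ == "__main__":
    for (kind, iface), counts in demo().items():
        print(f"{kind.upper():4} {iface}: {counts}")
```

Running it shows the VACL instance on VLAN 20 with its own hits, while the RACL instances on VLAN 50 and VLAN 70 report identical counts even though nothing was sent through VLAN 70. That is the practical caveat: a non-zero ACE counter on an RACL instance tells you the ACE matched somewhere the ACL is applied as an RACL, not on which routed VLAN.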