Access Security Guide K/KA/KB.15.15

Figure 244 Application to filter traffic inbound on port B2
Using the topology in Figure 244 (page 335), a workstation at FE80::20:117 on port B2 attempting
to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the
"V6-01" ACL assigned to port B2, resulting in the following:
Figure 245 Ping and telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port B2
Figure 246 Resulting ACE hits on ACL "V6-01"
IPv4 Counter Operation with Multiple Interface Assignments
Where the same IPv4 ACL is assigned to multiple interfaces as a VLAN ACL (VACL) or port ACL
(PACL), the switch maintains a separate instance of ACE counters for each interface assignment.
Thus, when there is a match with traffic on one of the ACL's VACL- or PACL-assigned interfaces,
only the ACE counter in the affected instance of the ACL is incremented. However, if an ACL has
multiple assignments as an RACL, then a match with an ACE in any RACL instance of the ACL
increments that same counter on all RACL-assigned instances of that ACL. (The ACE counters for
VACL and PACL instances of an ACL are not affected by counter activity in RACL instances of the
same ACL.)
For example, suppose that an ACL named "Test-1" is configured as shown in Figure 247 (page 336)
to block Telnet access to a server at 10.10.20.12 on VLAN 20, and that the Test-1 ACL is assigned
to VLANs as follows:
VLAN 20: VACL
VLAN 50: RACL
VLAN 70: RACL
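The counter rules above (independent counters per VACL/PACL instance, one shared counter across all RACL instances of the same ACL) are easy to misread when auditing hit counts, so here is an added model of that behaviour applied to the Test-1 assignments. This is illustrative code written for this section, not the switch's firmware or any published tool; the ACE text and the traffic pattern are constructed assumptions, since Figure 247 is not reproduced here.

```python
"""Model of ACE hit-counter behaviour for one ACL assigned to several
interfaces: VACL and PACL instances keep separate counters, while a hit in
any RACL instance increments the counter on every RACL instance of that ACL.

Constructed example (not switch code): interface names, the ACE text and the
traffic pattern below are assumptions for illustration only.
"""
from collections import defaultdict


class AclCounters:
    """Tracks ACE hit counts per (acl, interface, kind) assignment instance."""

    def __init__(self, assignments):
        # assignments: iterable of (acl_name, interface, kind),
        # kind being one of "VACL", "PACL" or "RACL"
        self.assignments = list(assignments)
        self.kinds = {(acl, iface): kind for acl, iface, kind in self.assignments}
        self.hits = defaultdict(lambda: defaultdict(int))
        for acl, iface, kind in self.assignments:
            self.hits[(acl, iface, kind)]  # create an empty counter set per instance

    def match(self, acl, interface, ace):
        """Record one packet matching `ace` in the instance of `acl` on `interface`."""
        kind = self.kinds[(acl, interface)]
        if kind == "RACL":
            # A hit in any RACL instance increments the ACE counter on all
            # RACL instances of the same ACL; VACL/PACL instances are untouched.
            for a, iface, k in self.assignments:
                if a == acl and k == "RACL":
                    self.hits[(a, iface, k)][ace] += 1
        else:
            # VACL and PACL instances count independently of everything else.
            self.hits[(acl, interface, kind)][ace] += 1

    def count(self, acl, interface, ace):
        """Return the ACE hit count on the instance of `acl` assigned to `interface`."""
        kind = self.kinds[(acl, interface)]
        return self.hits[(acl, interface, kind)][ace]


def simulate_test1():
    """Apply the guide's Test-1 assignments (VLAN 20 VACL, VLAN 50 RACL,
    VLAN 70 RACL) to constructed Telnet attempts and return the counters."""
    ace = "deny tcp any host 10.10.20.12 eq 23"  # assumed ACE wording
    counters = AclCounters([
        ("Test-1", "VLAN 20", "VACL"),
        ("Test-1", "VLAN 50", "RACL"),
        ("Test-1", "VLAN 70", "RACL"),
    ])
    # Constructed traffic: two Telnet attempts routed in through VLAN 50,
    # one through VLAN 70, and one switched within VLAN 20.
    counters.match("Test-1", "VLAN 50", ace)
    counters.match("Test-1", "VLAN 50", ace)
    counters.match("Test-1", "VLAN 70", ace)
    counters.match("Test-1", "VLAN 20", ace)
    return {
        iface: counters.count("Test-1", iface, ace)
        for iface in ("VLAN 20", "VLAN 50", "VLAN 70")
    }


if __name__ == "__main__":
    for iface, hits in simulate_test1().items():
        print(f"{iface}: {hits}")
```

With this traffic the VLAN 20 VACL instance shows 1 hit, while both RACL instances show 3: the VLAN 70 instance reports three hits even though only one packet was routed in via VLAN 70. When reviewing hit counts on an ACL with several RACL assignments, a count on one RACL instance therefore does not tell you which routed interface the traffic actually entered through; only the VACL and PACL counters are interface-specific.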
Overview 335