Administrator Guide

Layer 2 Switching Commands 276
User Guidelines
The Global Configuration mode command configures the ACL on all
physical and LAG interfaces, whereas the Interface Configuration mode
command configures it only on the selected interface.
If the access-list specified in the command does not exist, an error is given.
The ACLs in the access-group are configured in hardware when the interface
becomes active. Resource contention issues will only become apparent at that
time. It is recommended that ACLs be configured on an active interface as a
check prior to deployment in the network.
The optional control-plane keyword allows application of an ACL on the CPU
port. Control-plane match actions occur in the egress direction. System-level
rules are applied on ingress, after application of any user-defined ingress
rules. It is therefore not possible to rate limit packets matching the
system-defined rules with an ACL having a control-plane target. Use the
rate-limit cpu command to reduce the effects of low-priority traffic on the
switch CPU.
An implicit deny-all rule is added after the end of the last access group in each
direction (in or out).
Examples
console(config)#ip access-group aclname in
console(config)#no ip access-group aclname in
console(config)#ip access-group aclname1 out
console(config)#interface te1/0/1
console(config-if-Te1/0/1)#ip access-group aclname out 2
console(config-if-Te1/0/1)#no ip access-group aclname out
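The implicit deny-all described in the User Guidelines is easy to overlook when several access groups share an interface and direction. The following is an added example, not taken from the guide or from switch software: a simplified Python model that lists which required flows a planned set of access groups would drop. The rule tuples, the ascending sequence order, the behavior with no access group bound, and all sample data are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def evaluate(access_groups, packet):
    """Return (action, reason) for one packet in one direction of one interface.

    access_groups: [(sequence, acl_name, rules)]
    rules: [(action, src_cidr, dport or None)]  (simplified model, not switch syntax)
    """
    if not access_groups:
        # Assumption: with no access group bound, no ACL filtering takes place.
        return "permit", "no access group bound"
    # Assumption: access groups are consulted in ascending sequence order.
    for seq, name, rules in sorted(access_groups, key=lambda g: g[0]):
        for idx, (action, src, dport) in enumerate(rules, start=1):
            src_ok = ip_address(packet["src"]) in ip_network(src)
            if src_ok and dport in (None, packet["dport"]):
                return action, f"{name} seq {seq} rule {idx}"
    # Nothing matched in any group: the implicit deny-all after the last group applies.
    return "deny", "implicit deny-all"

def dropped_required_flows(access_groups, required_flows):
    """Pre-deployment check: which flows that must keep working would be denied?"""
    dropped = []
    for label, packet in required_flows:
        action, reason = evaluate(access_groups, packet)
        if action == "deny":
            dropped.append((label, reason))
    return dropped

# Constructed sample data: two ACLs bound inbound on one interface.
INBOUND = [
    (2, "aclname1", [("deny", "10.0.20.0/24", None), ("permit", "10.0.0.0/8", 22)]),
    (1, "aclname", [("permit", "10.0.10.0/24", 443)]),
]
# Constructed list of flows the operator expects to keep working.
REQUIRED = [
    ("web from user VLAN", {"src": "10.0.10.5", "dport": 443}),
    ("ssh from admin net", {"src": "10.0.30.7", "dport": 22}),
    ("snmp from monitoring", {"src": "192.0.2.10", "dport": 161}),
    ("ssh from 10.0.20.0/24", {"src": "10.0.20.9", "dport": 22}),
]

if __name__ == "__main__":
    for label, reason in dropped_required_flows(INBOUND, REQUIRED):
        print(f"would be dropped: {label} ({reason})")
```

The SNMP flow is dropped even though no rule names it, which is the case the implicit deny-all creates.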
mac access-group
Use the mac access-group command in Global Configuration or Interface
Configuration mode to attach a specific MAC Access Control List (ACL) to
an interface.
Syntax
mac access-group name [in | out | control-plane] [sequence]
no mac access-group name
name — Name of the existing MAC access list. (Range: 1-31 characters)