Reference Guide
Assign sequence number to filter
OS10(config)# ip access-list acl1
OS10(conf-ipv4-acl)# seq 5 deny tcp any any capture session 1 count
View ACLs and packets processed through ACL
OS10# show ip access-lists in
Ingress IP access-list acl1
Active on interfaces :
ethernet1/1/5
seq 5 permit ip any any count (10000 packets)
L2 and L3 ACLs
Configure both L2 and L3 ACLs on an interface in L2 mode. The following rules apply if you use both L2 and L3 ACLs on an interface:
• The L3 ACL filters packets first, and then the L2 ACL filters packets
• An egress L3 ACL filters packets
Rules apply in order:
• Ingress L3 ACL
• Ingress L2 ACL
• Egress L3 ACL
• Egress L2 ACL
NOTE: In ingress ACLs, L2 has higher priority than L3 and in egress ACLs, L3 has higher priority than L2.
Table 33. L2 and L3 targeted traffic
L2 ACL    L3 ACL    Targeted traffic
Deny      Deny      L3 ACL denies
Deny      Permit    L3 ACL permits
Permit    Deny      L3 ACL denies
Permit    Permit    L3 ACL permits
Assign and apply ACL filters
To filter an Ethernet interface, a port-channel interface, or a VLAN, assign an IP ACL filter to a physical interface. The IP ACL applies to all traffic entering a physical or port-channel interface. The traffic is either forwarded or dropped depending on the criteria and actions you configure in the ACL filter.
The direction in which an ACL filters is set when you apply it, not when you define it, so the same ACL filter can serve different roles on different interfaces. For example, apply ACL "ABCD" using the in keyword and it becomes an ingress ACL; apply the same ACL filter using the out keyword and it becomes an egress ACL.
You can apply an IP ACL filter to a physical or port-channel interface. The number of ACL filters allowed is hardware-dependent.
1 Enter the interface information in CONFIGURATION mode.
interface ethernet node/slot/port
2 Configure an IP address for the interface, placing it in L3 mode, in INTERFACE mode.
ip address ip-address
3 Apply an IP ACL lter to trac entering or exiting an interface in INTERFACE mode.
ip access-group access-list-name {in | out}
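The three steps above as one complete OS10 CLI session, followed by the show command from earlier on this page to verify the hits. This is an added example and not a session from the guide: the ACL name acl-mgmt-in, interface ethernet1/1/5, the 10.1.1.0/24 addresses and the SSH-only policy are assumed values chosen for illustration, and only the ACL and access-group syntax shown on this page is used.

```text
! Added example, not from the guide. ACL name, interface and the
! 10.1.1.0/24 addresses are assumed values for illustration.
OS10# configure terminal
! Step 0: define the IPv4 ACL; "count" on every entry gives per-rule hit counters
OS10(config)# ip access-list acl-mgmt-in
OS10(conf-ipv4-acl)# seq 10 permit tcp 10.1.1.0/24 any eq 22 count
OS10(conf-ipv4-acl)# seq 20 deny tcp any any eq 22 count
OS10(conf-ipv4-acl)# seq 30 permit ip any any count
OS10(conf-ipv4-acl)# exit
! Step 1: enter the interface
OS10(config)# interface ethernet1/1/5
OS10(conf-if-eth1/1/5)# no shutdown
! Step 2: give it an IP address, which places it in L3 mode
OS10(conf-if-eth1/1/5)# ip address 10.1.1.1/24
! Step 3: apply the ACL to traffic entering the interface ("in" makes it an ingress ACL)
OS10(conf-if-eth1/1/5)# ip access-group acl-mgmt-in in
OS10(conf-if-eth1/1/5)# end
! Verify: the ACL should be listed as active on ethernet1/1/5 with its counters
OS10# show ip access-lists in
```

After applying the ACL, send SSH traffic from inside and outside 10.1.1.0/24 and re-run the show command: the counter on seq 10 should increase for the permitted source and the counter on seq 20 for the denied one. If seq 20 never increments while SSH from outside the subnet still succeeds, the ACL is not active on the interface you expect, so check the "Active on interfaces" line of the output before assuming the policy is enforced.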
Access Control Lists