apply access-list
Syntax
apply access-list {ip|ipv6|mac} <ACL-NAME> {in|out}
no apply access-list {ip|ipv6|mac} <ACL-NAME> {in|out}
Description
Applies an ACL to a switch interface. Individual front plane ports or Link Aggregation Groups (LAGs) are valid interfaces for an ACL application.
The no form of this command removes ACLs from the specified interface.
Command context
config-if
config-lag-if
Parameters
ip|ipv6|mac
Applies an ACL of type ip for IPv4, ipv6 for IPv6, or mac for MAC ACL.
<ACL-NAME>
Specifies the name of the applicable ACL.
in|out
Selects in to apply the ACL to inbound (ingress) traffic or out to apply the ACL to outbound (egress) traffic. IPv6 and MAC ACLs can only be applied to inbound traffic.
Authority
Administrators
Usage
Only one ACL of a given direction (for example, inbound) and type (for example, IPv4) may be applied to an interface at a time. Using the apply access-list command on an interface that already has an ACL of the same direction and type applied replaces the currently applied ACL.
An ACL can be applied to an individual front plane port or to a Link Aggregation Group (LAG).
A port that is a member of a LAG with an applied ACL cannot have a different ACL applied to that member port.
When the port membership of a LAG with an applied ACL is changed, the LAG ACL is automatically applied to or removed from that port, depending on the type of modification.
No ACLs (including ACLs for IPv4, IPv6, and MAC) are supported for egress traffic on Layer 2 interfaces. Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.
Examples
Applying MY_IP_ACL to ingress traffic on LAG 100 and to egress traffic on interface 1/1/2:
switch(config)# interface lag 100
switch(config-lag-if)# apply access-list ip MY_IP_ACL in
switch(config-lag-if)# exit
switch(config)# interface 1/1/2
switch(config-if)# apply access-list ip MY_IP_ACL out
switch(config-if)# exit
switch(config)#
Applying MY_IPV6_ACL to ingress traffic on interface 1/1/1 and to ingress traffic on LAG 100:
switch(config)# interface 1/1/1
switch(config-if)# apply access-list ipv6 MY_IPV6_ACL in
switch(config-if)# exit
switch(config)# interface lag 100
switch(config-lag-if)# apply access-list ipv6 MY_IPV6_ACL in
switch(config-lag-if)# exit
switch(config)#
Applying MY_MAC_ACL to ingress traffic on interfaces 1/1/1 and 1/1/2:
switch(config)# interface 1/1/1
switch(config-if)# apply access-list mac MY_MAC_ACL in
switch(config-if)# exit
switch(config)# interface 1/1/2
switch(config-if)# apply access-list mac MY_MAC_ACL in
switch(config-if)# exit
switch(config)#
Replacing the egress IPv4 ACL on interface 1/1/2 with MY_REPLACEMENT_ACL:
switch(config)# interface 1/1/2
switch(config-if)# apply access-list ip MY_REPLACEMENT_ACL out
switch(config-if)# exit
switch(config)#
Removing MY_REPLACEMENT_ACL from egress traffic on interface 1/1/2:
switch(config)# interface 1/1/2
switch(config-if)# no apply access-list ip MY_REPLACEMENT_ACL out
switch(config-if)# exit
switch(config)#
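As an added example that is not part of this reference or of the switch software, the following Python model encodes the rules from the Usage section (one ACL per type and direction with silent replacement, inbound-only IPv6 and MAC ACLs, egress only on Layer 3 interfaces, LAG ACLs following member ports) so that a planned batch of apply access-list changes can be checked offline, in particular for an existing ACL that a re-apply would replace without warning. Treating interface 1/1/2 as a Layer 3 interface is an assumption taken from the first example above.

```python
from dataclasses import dataclass, field

@dataclass
class Interface:
    name: str
    routed: bool = False                        # Layer 3 (route-only) interface?
    lag: str = ""                               # LAG this port belongs to, if any
    acls: dict = field(default_factory=dict)    # (type, direction) -> ACL name

class AclModel:
    """Constructed model of the Usage rules on this page; not vendor code."""
    def __init__(self):
        self.ifaces: dict[str, Interface] = {}
    def add(self, name: str, routed: bool = False) -> None:
        self.ifaces[name] = Interface(name, routed)
    def _members(self, lag: str) -> list:
        return [i for i in self.ifaces.values() if i.lag == lag]

    def apply(self, ifname: str, acl_type: str, acl_name: str, direction: str):
        """Mirror 'apply access-list'; return the ACL it silently replaced, if any."""
        iface = self.ifaces[ifname]
        if acl_type in ("ipv6", "mac") and direction == "out":
            raise ValueError(f"{acl_type} ACLs can only be applied inbound")
        if direction == "out" and not iface.routed:
            raise ValueError("egress ACLs are only supported on Layer 3 interfaces")
        if iface.lag and self.ifaces[iface.lag].acls:
            raise ValueError(f"{ifname} is a member of {iface.lag}, which has an ACL")
        key = (acl_type, direction)
        replaced = iface.acls.get(key)          # same type+direction: replaced, no warning
        iface.acls[key] = acl_name
        for m in self._members(ifname):         # a LAG ACL follows its member ports
            m.acls[key] = acl_name
        return replaced

    def unapply(self, ifname: str, acl_type: str, acl_name: str, direction: str) -> None:
        """Mirror 'no apply access-list' on the interface and any LAG members."""
        key = (acl_type, direction)
        for i in [self.ifaces[ifname], *self._members(ifname)]:
            if i.acls.get(key) == acl_name:
                del i.acls[key]

    def set_lag(self, port: str, lag: str = "") -> None:
        """Change LAG membership; the LAG's ACLs are added or removed accordingly."""
        iface = self.ifaces[port]
        if iface.lag:                           # leaving: drop the inherited LAG ACLs
            for key in self.ifaces[iface.lag].acls:
                iface.acls.pop(key, None)
        iface.lag = lag
        if lag:                                 # joining: inherit the LAG's ACLs
            iface.acls.update(self.ifaces[lag].acls)
```

A non-None return from apply() is the case worth flagging in a change review: the previous ACL of that type and direction is gone once the command runs.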