apply access-list

Syntax

apply access-list {ip|ipv6|mac} <ACL-NAME> {in|out}

no apply access-list {ip|ipv6|mac} <ACL-NAME> {in|out}

Description

Applies an ACL to a switch interface. Individual front plane ports or Link Aggregation Groups (LAGs) are valid interfaces for an ACL application.

The no form of this command removes ACLs from the specified interface.

Command context

config-if

config-lag-if

Parameters

ip|ipv6|mac

Applies an ACL of type: ip for IPv4, ipv6 for IPv6 or mac for MAC ACL.

<ACL-NAME>

Specifies the name of the applicable ACL.

in|out

Selects in to apply the ACL to inbound (ingress) traffic or out to apply the ACL to outbound (egress) traffic. IPv6 and MAC ACLs can only be applied to inbound traffic.

Authority

Administrators

Usage

  • Only one direction (for example, inbound) and type (for example, IPv4) of ACL may be applied to an interface at a time, thus using the apply access-list command on an interface with an already-applied ACL of the same direction and type will replace the currently applied ACL.

  • An ACL can be applied to an individual front plane port or to a Link Aggregation Group (LAG).

  • A port that is a member of a LAG with an applied ACL cannot have a different ACL applied to that member port.

  • When the port membership of a LAG with an applied ACL is changed, the LAG ACL is automatically applied or removed from that port depending on the modification type.

  • No ACLs (including ACLs for IPv4, IPv6, and MAC) are supported in egress on the Layer 2 interface. Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.

Examples

Applying MY_IP_ACL to ingress traffic on LAG 100 and apply to egress traffic on interface 1/1/2:

switch(config)# interface lag 100
switch(config-lag-if)# apply access-list ip MY_IP_ACL in
switch(config-lag-if)# exit

switch(config)# interface 1/1/2
switch(config-if)# apply access-list ip MY_IP_ACL out
switch(config-if)# exit
switch(config)#

Applying MY_IPV6_ACL to ingress traffic on interface 1/1/1 and apply to ingress traffic on LAG 100:

switch(config)# interface 1/1/1
switch(config-if)# apply access-list ipv6 MY_IPV6_ACL in
switch(config-if)# exit

switch(config)# interface lag 100
switch(config-lag-if)# apply access-list ipv6 MY_IPV6_ACL in
switch(config-lag-if)# exit
switch(config)#
Applying MY_MAC_ACL to ingress traffic on interface 1/1/1 and apply to ingress traffic on interface 1/1/2:
switch(config)# interface 1/1/1
switch(config-if)# apply access-list mac MY_MAC_ACL in
switch(config-if)# exit

switch(config)# interface 1/1/2
switch(config-if)# apply access-list mac MY_MAC_ACL in
switch(config-if)# exit
switch(config)#
Replacing MY_IP_ACL with MY_REPLACEMENT_ACL on interface 1/1/2:
switch(config)# interface 1/1/2
switch(config-if)# apply access-list ip MY_REPLACEMENT_ACL out
switch(config-if)# exit
switch(config)#
Unapplying ACLs on interface 1/1/2 (following the previous examples, MY_IPV6_ACL, and MY_MAC_ACL remain applied to interface 1/1/1):
switch(config)# interface 1/1/2
switch(config-if)# no apply access-list ip MY_REPLACEMENT_ACL out
switch(config-if)# exit
switch(config)#