ACL application
ACLs can be applied as follows:
ACL type | IPv4 In | IPv4 Out | IPv6 In | MAC In |
---|---|---|---|---|
L2 interface (port) | Yes | | Yes | Yes |
L2 LAG | Yes | | Yes | Yes |
L3 interface (port) | Yes | Yes | Yes | Yes |
L3 LAG | Yes | Yes | Yes | Yes |
VLAN | Yes | | Yes | Yes |
Management interface | Yes | | Yes | |
Control plane (per VRF) | Yes | | Yes | |
NOTE:
Egress ACLs can only be applied to L3 (route-only) interfaces. Applying an egress ACL to an L2 interface will result in an error. Only ingress ACLs (IPv4, IPv6, and MAC) can be applied to VLANs. Applying an egress ACL to a VLAN will result in an error.
NOTE:
The following match criteria are not supported. Attempting to configure any of them displays an error message, and the action is not completed.
- TCP flags CWR and ECE
- TCP flags and TTL (hop limit) on IPv6 ACLs
- TCP flags and fragment on outbound ACLs
- Fragment on IPv6 VLAN ACLs
- VLAN ID on VLAN ACLs
NOTE:
To apply IPv4 and/or IPv6 ACLs to the management interface, apply them to the control plane on the management VRF.
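
A pre-change check that tests an intended ACL application against the table and notes above, so that an unsupported combination is caught before it reaches the switch. This is an added example, not vendor code; the target names, match-criteria labels, and the sample plan are assumptions made for illustration.

```python
# Added example: names for targets and match criteria are assumptions.
INGRESS = {("ipv4", "in"), ("ipv6", "in"), ("mac", "in")}
# (ACL type, direction) pairs allowed per target, per the table and notes.
SUPPORTED = {
    "l2-interface": INGRESS,
    "l2-lag": INGRESS,
    "l3-interface": INGRESS | {("ipv4", "out")},
    "l3-lag": INGRESS | {("ipv4", "out")},
    "vlan": INGRESS,
    "control-plane": {("ipv4", "in"), ("ipv6", "in")},
}

def check_application(target, acl_type, direction, criteria=()):
    """Return the list of rule violations; an empty list means allowed."""
    criteria = set(criteria)
    tcp_flags = {c for c in criteria if c.startswith("tcp-")}
    problems = []
    if target == "management-interface" and acl_type in ("ipv4", "ipv6"):
        problems.append("apply to the control plane on the management VRF")
        target = "control-plane"  # evaluate the remaining rules there
    if (acl_type, direction) not in SUPPORTED.get(target, set()):
        problems.append(f"{acl_type} {direction} ACL not applicable to {target}")
    if tcp_flags & {"tcp-cwr", "tcp-ece"}:
        problems.append("TCP flags CWR and ECE are not supported")
    if acl_type == "ipv6" and (tcp_flags or "ttl" in criteria):
        problems.append("TCP flags and TTL (hop limit) unsupported on IPv6 ACLs")
    if direction == "out" and (tcp_flags or "fragment" in criteria):
        problems.append("TCP flags and fragment unsupported on outbound ACLs")
    if target == "vlan" and acl_type == "ipv6" and "fragment" in criteria:
        problems.append("fragment unsupported on IPv6 VLAN ACLs")
    if target == "vlan" and "vlan-id" in criteria:
        problems.append("VLAN ID unsupported on VLAN ACLs")
    return problems

# Constructed change plan: (target, ACL type, direction, match criteria).
PLAN = [
    ("l3-interface", "ipv4", "out", ["tcp-syn"]),
    ("vlan", "ipv6", "in", ["fragment"]),
    ("management-interface", "ipv4", "in", []),
    ("l2-lag", "mac", "in", []),
]

if __name__ == "__main__":
    for item in PLAN:
        for problem in check_application(*item):
            print(item[:3], "->", problem)
```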