Using

Adding or removing an ACL assignment on an interface

Filtering routed IPv4 traffic

For a given VLAN interface on a switch configured for routing, you can assign an ACL as an RACL to filter inbound IPv4 traffic and another ACL as a RACL to filter outbound IPv4 traffic. You can also assign one ACL for both inbound and outbound RACLs, and for assignment to multiple VLANs. For limits and operating rules, see IPv4 ACL configuration and operating rules.

Syntax

[no] vlan <vid> ip access-group <identifier> <in out>

where: <identifier> =either a ACL name or an ACL ID number.

Assigns an ACL to a VLAN as an RACL to filter routed IPv4 traffic entering or leaving the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove an RACL.

Note: The switch allows you to assign a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned VLAN. Also, if you delete an assigned ACL from the switch without subsequently using the "no" form of this command to remove the assignment to a VLAN, the ACL assignment remains and automatically activates any new ACL you create with the same identifier (name or number).

Methods for enabling and disabling RACLs

Filtering IPv4 traffic inbound on a VLAN

For a given VLAN interface, you can assign an ACL as a VACL to filter any IPv4 traffic entering the switch on that VLAN. You can also use the same ACL for assignment to multiple VLANs. For limits and operating rules, see IPv4 ACL configuration and operating rules.

Syntax

[no] vlan <vid> ip access-group <identifier> vlan

where: <identifier> =either a ACL name or an ACL ID number.

Assigns an ACL as a VACL to a VLAN to filter any IPv4 traffic entering the switch on that VLAN. You can use either the global configuration level or the VLAN context level to assign or remove a VACL.


[NOTE: ]

NOTE: The switch allows for assigning a nonexistent ACL name or number to a VLAN. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned VLAN. Also, if deleting an assigned ACL from the switch without subsequently using the "no" form of this command to remove its assignment to a VLAN, the ACL assignment remains and automatically activates any new ACL created with the same identifier (name or number).


Methods for enabling and disabling VACLs

Methods for enabling and disabling VACLs

Filtering inbound IPv4 traffic per port

For a given port, port list, or static port trunk, you can assign an ACL as a static port ACL to filter any IPv4 traffic entering the switch on that interface. You can also use the same ACL for assignment to multiple interfaces. For limits and operating rules, see IPv4 ACL configuration and operating rules.

Syntax

[no] interface <port-list | Trkx> ip access-group <identifier> in

where: <identifier> =either a ACL name or an ACL ID number.

Assigns an ACL as a static port ACL to a port, port list, or static trunk to filter any IPv4 traffic entering the switch on that interface. You can use either the global configuration level or the interface context level to assign or remove a static port ACL.


[NOTE: ]

NOTE: The switch allows you to assign a nonexistent ACL name or number to an interface. In this case, if you subsequently configure an ACL with that name or number, it automatically becomes active on the assigned interface. Also, if you delete an assigned ACL from the switch without subsequently using the "no" form of this command to remove the assignment to an interface, the ACL assignment remains and automatically activates any new ACL you create with the same identifier (name or number).


Methods for enabling and disabling ACLs

Methods for enabling and disabling ACLs

Classifier-based rate-limiting with RL-PACLs


[NOTE: ]

NOTE: Beginning with software release K.14.01 this feature has been deprecated in favor of a classifier-based rate-limiting feature that does not use ACLs. If it is already configured in a switch running software version K.13.xx, then downloading and booting from release K.14.01 or greater automatically modifies the deprecated configuration to conform to the classifier-based rate-limiting supported in release K.14.01 or greater. For more information on this topic, see "Classifier-Based Software Configuration" in the advanced traffic management guide for your switch.


Creating ACLs

Use either the switch CLI or an offline text editor to create an ACL. The CLI method is recommended for creating short ACLs.

Using the CLI to create an ACL

Inserting or adding an ACE to an ACL

These rules apply to all IPv4 ACEs you create or edit using the CLI:

  • Named IPv4 ACLs:

Add an ACE to the end of a named ACE by using the ip access-list command to enter the Named ACL ( nacl) context and entering the ACE without the sequence number.

For example, if you wanted to add a "permit" ACL at the end of a list named "List-1" to allow traffic from the device at 10.10.10.100:

switch(config)# ip access-list standard List-1

switch(config-std-nacl)# permit host 10.10.10.100

Insert an ACE anywhere in a named ACL by specifying a sequence number. For example, if you wanted to insert a new ACE as line 15 between lines 10 and 20 in an existing ACL named "List-2" to deny IPv4 traffic from the device at 10.10.10.77:

switch(config)# ip access-list standard List-2

switch(config-std-nacl)# 15 deny host 10.10.10.77

  • Numbered IPv4 ACLs

Add an ACE to the end of a numbered ACL by using the access-list <1 - 99 | [100 - 199>] command.

For example, if you wanted to add a "permit" ACE at the end of a list identified with the number "11" to allow IPv4 traffic from the device at 10.10.10.100:

switch(config)# access-list 11 permit host 10.10.10.100

To insert an ACE anywhere in a numbered ACL, use the same process as described above for inserting an ACE anywhere in a named ACL. For example, to insert an ACE denying IPv4 traffic from the host at 10.10.10.77 as line 52 in an existing ACL identified (named) with the number 11:

switch(config)# ip access-list standard 99

switch(config-std-nacl)# 52 deny host 10.10.10.77

  • Duplicate ACEs are not allowed in the same ACL. Attempting to enter a duplicate ACE displays the Duplicate access control entry message.


[NOTE: ]

NOTE: After a numbered ACL has been created (using access-list 1-99 | 100-199), it can be managed as either a named or numbered ACL.


Deleting an ACE

Deleting an ACE: Enter the ACL context and delete the sequence number for the unwanted ACE. (To view the sequence numbers of the ACEs in a list, use show access-list <acl-name-str> config.)

Duplicating an ACE

Duplicate ACEs are not allowed in the same ACL. Attempting to enter a duplicate ACE displays the Duplicate access control entry message.

Creating or editing an ACL offline

The section titled Editing an existing ACL describes how to use the CLI to edit an ACL, and is most applicable in cases where the ACL is short or there is only a minor editing task to perform. The offline method provides an alternative to using the CLI for creating or extensively editing a large ACL. This section describes how to:

  • move an existing ACL to a TFTP server

  • use a text (.txt) file format to create a new ACL or edit an existing ACL offline

  • use TFTP to load an offline ACL into the switch’s running-config

For longer ACLs that may be difficult or time-consuming to accurately create or edit in the CLI, you can use the offline method described in this section.


[NOTE: ]

NOTE: Beginning with software release K_12_XX or later, copy commands that used either tftp or xmodem, also include an option to use usb as a source or destination device for file transfers. So although the following example highlights tftp, bear in mind that xmodem or usb can also be used to transfer ACLs to and from the switch.


  1. Begin by doing one of the following:

    • To edit one or more existing ACLs, use copy command—output tftp to copy the current version of the ACL configuration to a file in your TFTP server. For example, to copy the ACL configuration to a file named acl-02.txt in the TFTP directory on a server at 10.28.227.2:

      switch# copy command-output 'show access-list config' tftp 10.28.227.2 acl02.txt pc
      
    • To create a new ACL, just open a text (.txt) file in the appropriate directory on a TFTP server accessible to the switch.

  2. Use a text editor to create or edit the ACLs in the *.txt ASCII file format.

    If you are replacing an ACL on the switch with a new ACL that uses the same number or name syntax, begin the command file with a no ip access-list command to remove the earlier version of the ACL from the switch running-config file. Otherwise, the switch appends the new ACEs in the ACL you download to the existing ACL.

    For example, if you planned to use the copy command to replace ACL "List-120", place this command at the beginning of the edited file:

    no ip access-list extended List-120

    An offline ACL file designed to replace an existing ACL

  3. Use copy tftp command-file to download the file as a list of commands to the switch.

Example

Suppose you want to create an extended ACL for an RACL application to fulfill the following requirements (Assume a subnet mask of 255.255.255.0 and a TFTP server at 10.10.10.1.):

  • ID: "LIST-20-IN"

  • Deny Telnet access to a server at 10.10.10.100 on VLAN 10 from these three addresses on VLAN 20 with ACL logging:

    • 10.10.20.17

    • 10.10.20.23

    • 10.10.20.40

  • Allow any access to the server from all other addresses on VLAN 20:

  • Permit internet access to these two address on VLAN 20, but deny access to all other addresses on VLAN 20 (without ACL logging).

    • 10.10.20.98

    • 10.10.20.21

  • Deny all other IPv4 traffic from VLAN 20 to VLAN 10.

  • Deny all IPv4 traffic from VLAN 30 (10.10.30.0) to the server at 10.10.10.100 on VLAN 10 (without ACL logging), but allow any other IPv4 traffic from VLAN 30 to VLAN 10.

  • Deny all other inbound IPv4 traffic to VLAN 20. (Hint: The Implicit Deny can achieve this objective.)

  1. Create a .txt file with the content shown in the following figure.

    A .txt file designed for creating an ACL

  2. After copying the above .txt file to a TFTP server the switch can access, execute the following command:

    copy tftp command-file 10.10.10.1 LIST-20-IN.txt pc

    In this example, the CLI shows the following output to indicate that the ACL was successfully downloaded to the switch:


    [NOTE: ]

    NOTE: If a transport error occurs, the switch does not execute the command and the ACL is not configured.


    Using copy tftp command-file to configure an ACL in the switch

  3. In this example, the command to assign the ACL to a VLAN was included in the .txt command file. If this is not done in your applications, the next step is to manually assign the new ACL to the intended VLAN.

    vlan <vid> ip access-group <identifier> in

  4. Use the show run or show access-list config command to inspect the switch configuration to ensure that the ACL was properly downloaded.

    Verifying the .txt file download to the switch

  5. If the configuration appears satisfactory, save it to the startup-config file:

    switch(config)# write memory
    

Deleting an ACL

Syntax

no ip access-list standard <name-str 1-99>

no ip access-list extended name-str | 100-199

no access-list 1-99 | 100-199

Removes the specified ACL from the switch running-config file.


[NOTE: ]

NOTE: If an ACL name is assigned to an interface before the ACL itself has actually been created, then the switch creates an "empty" version of the ACL in the running configuration and assigns the empty ACL to the interface. Subsequently populating the empty ACL with explicit ACEs causes the switch to automatically activate the ACEs as they are created and to implement the implicit deny at the end of the ACL.


Deleting an ACL from the running configuration while the ACL is currently assigned on an interface results in an "empty" version of the ACL in the running configuration and on the interface. Subsequently removing the ACL from the interface also removes the empty ACL from the running configuration.

If you need to remove an ACL identifier assignment on an interface, see Adding or removing an ACL assignment on an interface

Inserting an ACE in an existing ACL

This action uses a sequence number to specify where to insert a new ACE into an existing sequence of ACLs.

Syntax

ip access-list <standard | extended> <name-str | 1 - 99 | 100 - 199>

<1-2147483647> permit | deny <standard-acl-ip-criteria> [ log ]

<1-2147483647> permit | deny <extented-acl-ip-criteria> [ option ]

The first command enters the "Named-ACL" context for the specified ACL. The remaining two commands insert a new ACE in a standard or extended ACL, respectively.

Entering an ACE that would result in an out-of-range sequence number is not allowed. Use the resequence command to free up ACE numbering availability in the ACL. See Resequencing the ACEs in an ACL.

To insert a new ACE between existing ACEs in a list:

  1. Use ip access-list to enter the "Named-ACL" (nacl) context of the ACE. This applies regardless of whether the ACE was originally created as a numbered ACL or a named ACL.

  2. Begin the ACE command with a sequence number that identifies the position you want the ACE to occupy. (The sequence number range is 1-2147483647).

  3. Complete the ACE with the command syntax appropriate for thetype of ACL you are editing.

For example, inserting a new ACE between the ACEs numbered 10 and 20 requires a sequence number in the range of 11-19 for the new ACE.

Inserting an ACE in an existing ACL

In the following example, the first two ACEs entered become lines 10 and 20 in the list. The third ACE entered is configured with a sequence number of 15 and is inserted between lines 10 and 20.

Inserting an ACE into an existing sequence

Deleting an ACE from an existing ACL

This action uses ACL sequence numbers to delete ACEs from an ACL.

Syntax

ip access-list extended standard | extended name-str | 100-199

no <seq-#>

The first command enters the "Named-ACL" context for the specified ACL. The no command deletes the ACE corresponding to the sequence number entered.

Range: 1 - 2147483647

  1. To find the sequence number of the ACE you want to delete, use show run or show access-list 1-99 | 100-199 to view the ACL.

  2. Use ip access-list to enter the "Named-ACL" (nacl) context of the ACE. This applies regardless of whether the ACE was originally created as a numbered ACL or a named ACL.

  3. In the "Named-ACL" context, type no and enter the sequence number of the ACE you want to delete.

Deleting an ACE from any ACL

Resequencing the ACEs in an ACL

This action reconfigures the starting sequence number for ACEs in an ACL, and resets the numeric interval between sequence numbers for ACEs configured in the ACL.

Syntax

ip access-list resequence <name-str | 1 – 99 | 100 – 199>

<starting-seq-#> <interval>

Resets the sequence numbers for all ACEs in the ACL.

<starting– seq-#>

Specifies the sequence number for the first ACE in the list. (Default: 10; Range: 1 – 2147483647)

<interval>

Specifies the interval between sequence numbers for the ACEs in the list. (Default: 10; Range: 1 - 2147483647)

  1. To view the current sequence numbering in an ACE, use either command:

    show run
    show access-list <name-str 1 - 99 100-199>

  2. Use the command syntax (above) to change the sequence numbering.

This example resequences the "My-List" ACL at the bottom of figure so that the list begins with line 100 and uses a sequence interval of 100.

Viewing and resequencing an ACL

Viewing and resequencing an ACL

Attaching a remark to an ACE

A remark is numbered in the same way as an ACE, and uses the same sequence number as the ACE to which it refers. This operation requires that the remark for a given ACE be entered prior to entering the ACE itself.

Syntax

access-list <1 - 99 | 100 - 199> remark <remark-str>

This syntax appends a remark to the end of a numbered ACL and automatically assigns a sequence number to the remark. The next command entry should be the ACE to which the remark belongs. (The new ACE is automatically numbered with the same sequence number as that used for the preceding remark.)

Syntax

ip access-list <standard | extended> <name-str | 1-99 | 100-199> [ seq-#] remark <remark-str>

no <seq-#> remark

This syntax applies to both named and numbered ACLs. Without an optional sequence number, the remark is appended to the end of the list and automatically assigned a sequence number. When entered with an optional sequence number, the remark is inserted in the list according to the numeric precedence of the sequence number. The no form of the command deletes the indicated remark, but does not affect the related ACE.

To associate a remark with a specific ACE, enter the remark first, and then enter the ACE.

  • Entering a remark without a sequence number and then entering an ACE without a sequence number results in the two entries being automatically paired with the same sequence number and appended to the end of the current ACL.

  • Entering a remark with a sequence number and then entering an ACE with the same sequence number results in the two entries being paired together and positioned in the list according to the sequence number they share.


[NOTE: ]

NOTE: After a numbered ACL has been created (using access-list 1-99 | 100-199), it can be managed as either a named or numbered ACL. For example, in an existing ACL with a numeric identifier of "115", either of the following command sets adds an ACE denying IPv4 traffic from any source to a host at 10.10.10.100:

switch(config)# access-list 115 deny ip host 10.10.10.100
switch(config)# ip access-list extended 115
switch(config-ext-nacl)# deny ip any 10.10.10.100

Appending remarks and related ACEs to the end of an ACL

To include a remark for an ACE that is appended to the end of the current ACL, enter the remark first, then enter the related ACE. This results in the remark and the subsequent ACE having the same sequence number. For example, to add remarks using the "Named-ACL" (nacl) context:

Appending a remark and its related ACE to the end of an ACL

Appending a remark and its related ACE to the end of an ACL

You can also perform the operation illustrated in Appending a remark and its related ACE to the end of an ACL by using the numbered, access-list

<1-99 | 100-199>

syntax shown at the beginning of this section.

See Operating notes for remarks, for more details.

Inserting remarks and related ACEs within an existing list

To insert an ACE with a remark within an ACL by specifying a sequence number, insert the numbered remark first, then, using the same sequence number, insert the ACE. This operation applies only to ACLs accessed using the "Named-ACL" (nacl) context.

Inserting remarks

Inserting a remark for an ACE that already exists in an ACL

If a sequence number is already assigned to an ACE in a list, you cannot insert a remark by assigning it to the same number. (To configure a remark with the same number as a given ACE, the remark must be configured first.) To assign a remark to the same number as an existing ACE:

  1. Delete the ACE.

  2. Configure the remark with the number you want assigned to the pair.

  3. Re-Enter the deleted ACE with the number used to enter the remark.

Removing a remark from an existing ACE

If you want to remove a remark, but want to retain the ACE, do the following:

  1. Use the Named ACL context to enter the ACL.

  2. Using show run or show access-list <list-name> config, note the sequence number and content of the ACE having a remark you want to remove.

  3. Delete the ACE.

  4. Using the same sequence number, re-enter the ACE.

Enable ACL “Deny” or “Permit” Logging

ACL logging enables the switch to generate a message when IP traffic meets the criteria for a match with an ACE that results in an explicit “deny” or “permit” action. You can use ACL logging to help:

  • Test your network to ensure that your ACL configuration is detecting and denying or permitting the IPv4 traffic you do not want forwarded.

  • Receive notification when the switch detects attempts to forward IPv4 traffic you have designed your ACLs to reject (deny) or allow (permit.)

The switch sends ACL messages to and optionally to the current console, Telnet, or SSH session. You can use logging <> to configure up to six server destinations.

Requirements for using ACL Logging

  • The switch configuration must include an ACL (1) assigned to a port, trunk, or static VLAN interface and (2) containing an ACE configured with the deny or permit action and the log option.

  • If the RACL application is used, then IPv4 routing must be enabled on the switch.

  • For ACL logging to a server:

    • The server must be accessible to the switch and identified in the running configuration.

    • The logging facility must be enabled for.

    • Debug must be configured to:

      • support ACL messages

      • send debug messages to the desired debug destination

For more information, see Enabling ACL logging on the switch.

ACL Logging Operation

When the switch detects a packet match with an ACE and the ACE includes either the deny or permit action, and the optional log parameter, an ACL log message is sent to the designated debug destination.

The first time a packet matches an ACE with deny or permit and log configured, the message is sent immediately to the destination and the switch starts a wait period of approximately five minutes. (The exact duration of the period depends on how the packets are internally routed.) At the end of the collection period, the switch sends a single-line summary of any additional “deny” or “permit” matches for that ACE (and any other “deny” or “permit” ACEs for which the switch detected a match).

If no further log messages are generated in the wait-period, the switch suspends the timer and resets itself to send a message as soon as a new “deny” or “permit” match occurs. If subsequent packets matching the already logged ACL entries are detected, then a new logged event is generated that summarizes the number of packets that matched each specific entry (with the time period). The data in the message includes the information illustrated in the following figure.

Content of a message generated by an ACL-Deny action

Enabling ACL logging on the switch

  1. If you are using a Syslog server, use the logging <ip-addr> command to configure the Syslog server IPv4 address. Ensure that the switch can access any Syslog server you specify.

  2. Use logging facility syslog to enable the logging for Syslog operation.

  3. Use the debug destination command to configure one or more log destinations. Destination options include logging and session. For more information, see the management and configuration guide for your switch.

  4. Use debug acl or debug all to configure the debug operation to include ACL messages.

  5. Configure one or more ACLs with the deny action and the log option.

Example

Suppose you want to configure the following operation:

  • On VLAN 10 configure an extended ACL with an ACL-ID of "NO-TELNET" and use the RACL in option to deny Telnet traffic entering the switch from 10.10.10.3 to any routed destination. Note: This assignment does not filter Telnet traffic from 10.10.10.3 to destinations on VLAN 10 itself.

  • Configure the switch to send an ACL log message to the current console session and to a Syslog server at 10.10.20.3 on VLAN 20 if the switch detects a packet match denying a Telnet attempt from 10.10.10.3.

This example assumes that IPv4 routing is already configured on the switch.

ACL log application

Commands for applying an ACL with logging to ACL log application

Monitoring static ACL performance

ACL statistics counters provide a means for monitoring ACL performance by using counters to display the current number of matches the switch has detected for each ACE in an ACL assigned to a switch interface. This can help in determining whether a particular traffic type is being filtered by the intended ACE in an assigned list, or if traffic from a particular device or network is being filtered as intended.


[NOTE: ]

NOTE: This section describes the command for monitoring static ACL performance. To monitor RADIUS-assigned ACL performance, use either of the following commands:

show access-list radius <all port-list>

show port-access <authenticator mac-based web-based> clients <port-list> detailed

See Show RADIUS-assigned ACL activity.


Syntax

<show clear> statistics

aclv4 <acl-name-str> port <port-#> aclv4 acl-name-strvlan vid <in out vlan>

aclv6 <acl-name-str> port <port-#> aclv6 <acl-name-str> vlan <vid> <in [out] vlan>

Displays the current match (hit ) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.

show

Displays the current match (hit) count per ACE for the specified IPv6 or IPv4 static ACL assignment on a specific interface.

clear

Resets ACE hit counters to zero for the specified IPv6 or IPv4 static ACL assignment on a specific interface.

Total

This column lists the running total of the matches the switch has detected for the ACEs in an applied ACL since the ACL's counters were last reset to 0 (zero)

IPv6 and IPv4 ACL activity

ACL performance monitoring

The following figures show a sample of performance monitoring output for an IPv6 ACL assigned as a VACL.

IPv6 ACL performance monitoring output

IPv6 ACL performance monitoring output

IPv4 ACL assigned as a VACL performance monitoring output

IPv4 ACL assigned as a VACL performance monitoring output

ACE counter operation

For a given ACE in an assigned ACL, the counter increments by 1 each time the switch detects a packet that matches the criteria in that ACE, and maintains a running total of the matches since the last counter reset. For example, in ACL line 10 below, there has been a total of 37 matches on the ACE since the last time the ACL’s counters were reset.

Total ( 37) 10 permit icmp ::/0 fe80::20:2/128 128

[NOTE: ]

NOTE: This ACL monitoring feature does not include hits on the “implicit deny” that is included at the end of all ACLs.


Resetting ACE Hit counters to zero

Using the clear statistics command:

  • Removing an ACL from an interface zeros the ACL’s ACE counters for that interface only.

  • For a given ACL, either of the following actions clear the ACE counters to zero for all interfaces to which the ACL is assigned.

    • adding or removing a permit or deny ACE in the ACL

    • rebooting the switch

Resetting ACE hit counters to Zero

The following example uses the previously shown counter activity to demonstrate using clear statistics to reset the counters to zero.

IPv6 ACL performance monitoring output after zero

Using IPv6 counters with multiple interface assignments

Where the same IPv6 ACL is assigned to multiple interfaces, the switch maintains a separate instance of each ACE counter in the ACL. When there is a match with traffic on one of the ACL's assigned interfaces, only the affected ACE counters for that interface are incremented. Other instances of the same ACL applied to other interfaces are not affected.


[NOTE: ]

NOTE: These examples of counters use small values to help illustrate counter operation. The counters in real-time network applications are generally much more active and show higher values.


For example, suppose that:

  • An ACL named "V6-01" is configured as shown in ACL "V6-01" and command for PACL assignment on port B2 to block Telnet access to a workstation at FE80::20:2, which is connected to a port belonging to VLAN 20.

  • The ACL is assigned as a PACL (port ACL) on port B2, which is also a member of VLAN 20:

ACL "V6-01" and command for PACL assignment on port B2

Application to filter traffic inbound on port B2

Using the topology in Application to filter traffic inbound on port B2, a workstation at FE80::20:117 on port B2 attempting to ping and Telnet to the workstation at FE80::20:2 is filtered through the PACL instance of the "V6-01" ACL assigned to port B2, resulting in the following:

Ping and telnet from FE80::20:117 to FE80::20:2 filtered by the assignment of "V6-01" as a PACL on port B2

Resulting ACE hits on ACL "V6-01"


[NOTE: ]

NOTE: IPv4 ACE counters assigned as RACLs operate differently than described above. For more information, see Using IPv4 counters with multiple interface assignments .


Using IPv4 counters with multiple interface assignments

Where the same IPv4 ACL is assigned to multiple interfaces as a VLAN ACL (VACL) or port ACL (PACL), the switch maintains a separate instance of ACE counters for each interface assignment. Thus, when there is a match with traffic on one of the ACL's VACL- or PACL -assigned interfaces, only the ACE counter in the affected instance of the ACL is incremented. However, if an ACL has multiple assignments as an RACL, then a match with an ACE in any RACL instance of the ACL increments that same counter on all RACL-assigned instances of that ACL. (The ACE counters for VACL and PACL instances of an ACL are not affected by counter activity in RACL instances of the same ACL.)

For example, suppose that an IPv4 ACL named "Test-1" is configured to block Telnet access to a server at 10.10.20.12 on VLAN 20, and that the Test-1 ACL is assigned to VLANs as follows:

  • VLAN 20: VACL

  • VLAN 50: RACL

  • VLAN 70: RACL

ACL "Test-1" and interface assignment commands

Using the same ACL for VACL and RACL applications

In the above case:

  • Matches with ACEs 10 or 20 that originate on VLAN 20 increment only the counters for the instances of these two ACEs in the Test-1 VACL assignment on VLAN 20. The same counters in the instances of ACL Test-1 assigned to VLANs 50 and 70 are not be incremented.

  • Any Telnet requests to 10.10.20.12 that originate on VLANs 50 or 70 are filtered by instances of Test-1 assigned as RACLs, and increment the counters for ACE 10 on both RACL instances of the Test-1 ACL.

Using the network in Access Granted page, a device at 10.10.20.4 on VLAN 20 attempting to ping and Telnet to 10.10.20.12 is filtered through the VACL instance of the "Test-1" ACL on VLAN 20 and results in the following:

Ping and telnet from 10.10.20.4 to 10.10.20.2 filtered by the assignment of "Test-1" as a VACL on VLAN 20

Resulting ACE hits on ACL "Test-1"

However, using a device at 10.10.30.11 on VLAN 50 for attempts to ping and Telnet to 10.10.20.12 requires routing, and filters the attempts through the RACL instance of the "Test-1" ACL on VLAN 50.

Ping and telnet from 10.10.30.11 to 10.10.20.2 filtered by the assignment of "Test-1" as a RACL on VLAN 30

This action has an identical effect on the counters in all RACL instances of the "Test-1" ACL configured and assigned to interfaces on the same switch. In this example, it means that the RACL assignments of "Test-1" on VLANs 50 and 70 are incremented by the above action occurring on VLAN 50.

Resulting ACE hits on the VLAN 30 RACL assignment of the "Test-1" ACL

Resulting ACE hits on the VLAN 70 RACL assignment of the "Test-1" ACL

Note that the ACE counters for the VACL assignment of the "Test-1" ACL on VLAN 20 are not affected by ACE hits on the RACL assignments of the same ACL.