Reference Guide
Access Control Lists (ACLs) | 75
• When packets are switched by FTOS, the egress L3 ACL does not filter the packet.
For the following features, if counters are enabled on rules that have already been configured and a new
rule is either inserted or prepended, all the existing counters will be reset:
• L2 Ingress Access list
• L2 Egress Access list
If a rule is simply appended, existing counters are not affected.
For information on MAC ACLs, refer to Chapter 26, Layer 2.
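The following FTOS session is an added illustration of the counter behaviour described above on an L2 ingress access list; it is not taken from the original guide. The ACL name L2-IN, the interface TenGigabitEthernet 0/1, the MAC addresses and the prompt strings are assumed for the example.

```text
! Added example: two counted rules on an L2 (MAC) ingress ACL
FTOS(conf)#mac access-list extended L2-IN
FTOS(config-ext-macl)#seq 10 permit host 00:01:e8:11:22:33 any count
FTOS(config-ext-macl)#seq 20 deny any any count
FTOS(config-ext-macl)#exit
FTOS(conf)#interface tengigabitethernet 0/1
FTOS(conf-if-te-0/1)#mac access-group L2-IN in
FTOS(conf-if-te-0/1)#end

! Traffic flows for a while and the per-rule counters accumulate.
FTOS#show mac accounting access-list L2-IN interface tengigabitethernet 0/1 in

! Appending a rule (sequence number higher than every existing rule)
! leaves the existing counters untouched:
FTOS(conf)#mac access-list extended L2-IN
FTOS(config-ext-macl)#seq 30 permit any any count

! Inserting or prepending a rule (sequence number lower than an
! existing rule) resets every existing counter on the list to zero:
FTOS(config-ext-macl)#seq 5 deny host 00:01:e8:44:55:66 any count
FTOS(config-ext-macl)#end
FTOS#show mac accounting access-list L2-IN interface tengigabitethernet 0/1 in
```

If you depend on the counters for evidence (for example, to measure how much traffic a deny rule is catching before an incident), record their values before inserting a rule ahead of existing entries, or append new rules with a higher sequence number instead.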
Assign an IP ACL to an Interface
Ingress IP ACLs are supported on platforms: s z
Ingress and Egress IP ACL are supported on platforms: z
To pass traffic through a configured IP ACL, you must assign that ACL to a physical interface, a port
channel interface, or a VLAN. The IP ACL is applied to all traffic entering a physical or port channel
interface and the traffic is either forwarded or dropped depending on the criteria and actions specified in
the ACL.
The same ACL may be applied to different interfaces, and where it is applied determines how it functions. For example, apply ACL "ABCD" using the in keyword and it becomes an ingress access list; apply the same ACL using the out keyword and it becomes an egress access list; apply it to the loopback interface and it becomes a loopback access list.
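As an added example (not from the original guide), the following FTOS session defines one extended IP ACL and applies it in each of the three roles described above. The ACL name ABCD, the interface names and the prompt strings are assumed for the example; the rules themselves block Telnet and count everything else.

```text
! Added example: one extended IP ACL, applied three ways
FTOS(conf)#ip access-list extended ABCD
FTOS(config-ext-nacl)#seq 10 deny tcp any any eq 23 count
FTOS(config-ext-nacl)#seq 20 permit ip any any count
FTOS(config-ext-nacl)#exit

! 1. Ingress access list on a physical interface
FTOS(conf)#interface tengigabitethernet 0/1
FTOS(conf-if-te-0/1)#ip access-group ABCD in
FTOS(conf-if-te-0/1)#exit

! 2. Egress access list on a port channel. Egress IP ACLs exist only on
!    the platforms listed above, and an egress L3 ACL does not filter
!    packets that FTOS switches rather than routes, so do not rely on
!    it to stop traffic inside a VLAN.
FTOS(conf)#interface port-channel 1
FTOS(conf-if-po-1)#ip access-group ABCD out
FTOS(conf-if-po-1)#exit

! 3. Loopback access list (traffic destined to the switch itself)
FTOS(conf)#interface loopback 0
FTOS(conf-if-lo-0)#ip access-group ABCD in
FTOS(conf-if-lo-0)#end

! Verify that the rules are matching as intended
FTOS#show ip accounting access-list ABCD interface tengigabitethernet 0/1
```

Because the same list is reused, a later edit to ABCD changes ingress, egress and loopback filtering at once; keep separate lists if the three roles need different rules.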
This chapter covers the following topics:
• Configuring Ingress ACLs
• Configuring Egress ACLs
Table 6-1. L2 and L3 ACL Filtering on Switched Packets

L2 ACL Behavior   L3 ACL Behavior   Decision on Targeted Traffic
Deny              Deny              Denied by L3 ACL
Deny              Permit            Permitted by L3 ACL
Permit            Deny              Denied by L3 ACL
Permit            Permit            Permitted by L3 ACL
Note: If an interface is configured as a "vlan-stack access" port, packets are filtered by an L2 ACL only; an L3 ACL applied to such a port does not affect traffic. Existing rules for other features (such as trace-list, PBR, and QoS) still apply to the permitted traffic.