apply access-list (to interface or LAG)

Syntax

apply access-list {ip|ipv6|mac}{in|out} no apply access-list {ip|ipv6|mac}{in|out}

Description

Applies an ACL to the interface (Individual front plane port) or Link Aggregation Group (LAG) identified by the current interface or LAG context.

Thenoform of this command removes application of the ACL from the current interface or LAG identified by the current interface or LAG context.

Command context

config-if

config-lag-if

Parameters

ip|ipv6|mac

Specifies the ACL type:ipfor IPv4,ipv6for IPv6, ormacfor MAC ACL.

Specifies the ACL name.

in|out

Selects the traffic direction on which the ACL is applied.

inselects the inbound (ingress) traffic direction.
outselects the outbound (egress) traffic direction. Only for IPv4 ACLs applied to route-only ports. Not available for ACLs applied to IPv4 bridged ports, IPv6 ports, or MAC ACLs applied to ports.

Authority

Administrators or local user group members with execution rights for this command.

Usage

Each ACL of a given type can be applied to the same interface or LAG once in each direction. Therefore, using theapply access-listcommand on an interface or LAG with an already-applied ACL of the same type and direction will replace the currently applied ACL.
An ACL can be applied to an individual front plane port or to a Link Aggregation Group (LAG).
A port that is a member of a LAG with an applied ACL cannot have a different ACL applied to that member port.
When the port membership of a LAG with an applied ACL is changed, the LAG ACL is automatically applied or removed from that port depending on the modification type.
No ACLs (including ACLs for IPv4, IPv6, and MAC) are supported in egress on the Layer 2 interface. Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.

Examples

Applying My_IP_ACL to ingress traffic on interface range 1/1/10 to 1/1/12:

switch(config)#int 1/1/10-1/1/12switch((config-if-<1/1/10-1/1/12>)#apply access-list ip My_IP_ACL inswitch((config-if-<1/1/10-1/1/12>)#exit

Applying MY_IP_ACL to ingress traffic on LAG 100 and apply to egress traffic on interface 1/1/2:

switch(config)#interface lag 100switch(config-lag-if)#apply access-list ip MY_IP_ACL inswitch(config-lag-if)#exitswitch(config)#interface 1/1/2switch(config-if)#apply access-list ip MY_IP_ACL outswitch(config-if)#exitswitch(config)#

Applying MY_IPV6_ACL to ingress traffic on interface 1/1/1 and apply to ingress traffic on LAG 100:

switch(config)#interface 1/1/1switch(config-if)#apply access-list ipv6 MY_IPV6_ACL inswitch(config-if)#exitswitch(config)#interface lag 100switch(config-lag-if)#apply access-list ipv6 MY_IPV6_ACL inswitch(config-lag-if)#exitswitch(config)#

Applying MY_MAC_ACL to ingress traffic on interface 1/1/1 and apply to ingress traffic on interface 1/1/2:

switch(config)#interface 1/1/1switch(config-if)#apply access-list mac MY_MAC_ACL inswitch(config-if)#exitswitch(config)#interface 1/1/2switch(config-if)#apply access-list mac MY_MAC_ACL inswitch(config-if)#exitswitch(config)#

取代MY_IP_ACL MY_REPLACEMENT_ACL interface 1/1/2:

switch(config)#interface 1/1/2switch(config-if)#apply access-list ip MY_REPLACEMENT_ACL outswitch(config-if)#exitswitch(config)#

UnapplyingMY_REPLACEMENT_ACLfrom interface 1/1/2 (out):

switch(config)#interface 1/1/2switch(config-if)#no apply access-list ip MY_REPLACEMENT_ACL outswitch(config-if)#exitswitch(config)#

apply access-list(to interface or LAG)