Applying L3 and L2 ACLs

Once you have defined an ACL, an L3 standard or extended ACL can be applied per routing interface, a policy ACL can be applied in VRF configuration mode, and an L2 ACL can be applied per VLAN interface. An ACL can be applied before it is created, but has no effect. The association of the name of an L2 or L3 standard or extended ACL, or the number of an L3 standard or extended ACL, with the host or interface is persistent. The association of a name or number with a policy ACL does not persist. You can use standard or extended ACLs to filter traffic on individual interfaces, with a directional context (inbound, outbound, or both).

Use the ip access-group command to apply an IPv4 access list, the ipv6 access-group command to apply an IPv6 access list, or the l2 access-group command to apply an L2 access list to an interface. Enter the command in interface configuration command mode, specifying the access list name (or, for L3 ACLs, the number), followed by the directional context to which the ACL applies.

Use the ip policy-access-list command to apply an IPv4 policy access list to a VRF, specifying the access list name or number.

Use the ip host-access command for an IPv4 access list or the ipv6 host-access command for an IPv6 access list in configuration command mode, specifying the access list number or name, to apply an ACL to the host services of this device.

Use the show access-lists applied to display access-lists that have been applied to an interface.

The following example applies the extended ACL 121 to both the inbound and outbound direction on VLAN 2.

System(su-config)->interface vlan 2
System(su-config-intf-vlan.0.2)->ip access-group 121 in
System(su-config-intf-vlan.0.2)->ip access-group 121 out
System(su-config-intf-vlan.0.2)->show access-lists applied
Extended IP access list 121, applied inbound on interface 2  (5 entries)
Extended IP access list 121, applied outbound on interface 2  (5 entries)
System(su-config-intf-vlan.0.2)->

This example shows how to apply the IPv6 standard access list acl10 to all inbound frames on VLAN 50. Based on the definition of access list acl10, only frames with source fe80:0:0:0:21f:45ff:fe3d:21aa/64 are routed. All frames from other sources received on VLAN 50 are dropped:

System(su-config)->ipv6 access-list standard acl10
System(su-cfg-ipv6-std-acl)->permit fe80:0:0:0:21f:45ff:fe3d:21aa/64 log
System(su-cfg-ipv6-std-acl)->exit
System(su-config)->interface vlan 50
System(su-config-intf-vlan.0.50)->ipv6 access-group acl10 in
System(su-config-intf-vlan.0.50)->

This example shows how to apply L2 ACL list1 for all inbound frames on VLAN 1:

System(rw-config)->interface vlan 1
System(rw-config-intf-vlan.0.1)->l2 access-group list1 in
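Because an access-group binding that names an ACL which was never created is accepted but has no effect, a useful audit is to cross-check the bindings in the running configuration against the ACLs actually defined, and to parse the show access-lists applied output into a per-interface, per-direction map. The following Python script is an added example, not part of this guide or the device software; the configuration lines, the set of defined ACLs and the show output are constructed samples in the formats shown above.

```python
import re

# Constructed sample configuration: the bindings from the examples above, plus
# a binding on VLAN 7 that names ACL 130, which is never defined.
SAMPLE_CONFIG = """\
interface vlan 2
ip access-group 121 in
ip access-group 121 out
interface vlan 50
ipv6 access-group acl10 in
interface vlan 1
l2 access-group list1 in
interface vlan 7
ip access-group 130 in
"""

# Constructed: ACL names/numbers that are actually defined on the device.
DEFINED_ACLS = {"121", "acl10", "list1"}

# Constructed sample of 'show access-lists applied' output, in the page's format.
SAMPLE_APPLIED = """\
Extended IP access list 121, applied inbound on interface 2  (5 entries)
Extended IP access list 121, applied outbound on interface 2  (5 entries)
"""

BIND_RE = re.compile(r"^(ip|ipv6|l2) access-group (\S+) (in|out)$")
APPLIED_RE = re.compile(r"access list (\S+), applied (inbound|outbound) on interface (\S+)")


def parse_bindings(config):
    """Return (interface, family, acl, direction) tuples from interface-mode config."""
    bindings, current = [], None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            continue
        m = BIND_RE.match(line)
        if m and current:
            bindings.append((current, m.group(1), m.group(2), m.group(3)))
    return bindings


def dangling_bindings(config, defined):
    """Bindings whose ACL is not defined: accepted by the CLI but filtering nothing."""
    return [b for b in parse_bindings(config) if b[2] not in defined]


def parse_applied(output):
    """Map (interface, direction) -> ACL from 'show access-lists applied' output."""
    return {(m.group(3), m.group(2)): m.group(1) for m in APPLIED_RE.finditer(output)}


if __name__ == "__main__":
    for iface, fam, acl, direction in dangling_bindings(SAMPLE_CONFIG, DEFINED_ACLS):
        print("%s ACL %s bound %s on %s is not defined; it filters nothing" % (fam, acl, direction, iface))
    print(parse_applied(SAMPLE_APPLIED))
```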