This section details three types of ACLs:
The S- and K-Series firmware supports configuration of standard, extended, and policy L3 ACLs, as well as L2 ACLs. Standard L3 ACLs allow the packet source IP address to be configured, while extended and policy L3 ACLs allow matching on both source and destination IP addresses, protocol, and TCP or UDP port, and optionally on a DSCP, ToS, or IP precedence value. Policy ACLs differ from extended ACLs in that a set DSCP parameter, which is specific to policy ACLs, must be specified when using a policy ACL. L3 ACLs are also used by client applications to match addresses or traffic; these include route maps (for policy-based routing and route redistribution), IP Directed Broadcast, and, on the S-Series platform, NAT.
ACLs can be applied to VRF access groups to provide more granular control of traffic between VRFs.
Each VRF can have one IPv4 and one IPv6 standard or extended ACL applied inbound, and one IPv4 and one IPv6 standard or extended ACL applied outbound.
A single IPv4 policy ACL can be applied at the global configuration level for each VRF.