Configuring an access control list
Use an access control list (ACL) to specify an ordered list of access control entries (ACEs), or filter rules. The ACEs provide specific actions for the filter to perform.
About this task
Do not configure IPv4 egress ACL filters on NNI ports because the system-generated egress vIST filter rules and the user-created IPv4 egress rules use the same filter hardware.
To modify an ACL parameter, double-click the parameter you wish to change. Change the value, and then click Apply. You cannot change a parameter that appears dimmed; in this case, delete the ACL, and then configure a new one.
Procedure
ACL field descriptions
Use the data in the following table to configure the fields on the ACL tab.
| Name | Description |
|---|---|
| AclId | Specifies a unique identifier for the ACL. |
| Type | Specifies the ACL type. Valid options are<br>Important: The inVlan ACLs drop packets if you add a VLAN after ACE creation.<br>Important: You can insert an inVsn ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN. |
| Name | Specifies a descriptive user-defined name for the ACL. |
| VlanList | For inVlan ACL types, specifies all VLANs to associate with the ACL. |
| PortList | For inPort and outPort ACL types, specifies the ports to associate with the ACL. |
| DefaultAction | Specifies the action taken when no ACEs in the ACL match. Valid options are deny and permit, with permit as the default. Deny means the system drops the packets; permit means the system forwards packets. |
| ControlPktAction | Specifies the action taken for control packets. Valid options are deny and permit. |
| State | Enables or disables all of the ACEs in the ACL. The default value is enable. |
| PktType | Indicates the packet type to which this ACL applies. |
| MirrorMltId | Configures mirroring to a destination MLT. |
| MirrorDstPortList | Configures mirroring to a destination port or ports. |
| MatchType | For inVsn ACL types, specifies the match type to associate with the ACL. Valid options are: |
| Isid | For inVsn ACL types, specifies the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN). This I-SID should already be configured on the fabric node. The InVSN Filter supports IP Shortcut traffic if the inVsn ACL match type is both. In this case, the I-SID is zero (0).<br>Important: You can specify a Switched UNI I-SID if the I-SID is associated with a platform VLAN. |
| Origin | Indicates the origin of the ACL: |
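
A pre-deployment check built from the constraints above, as an added example that is not part of the original documentation or the vendor's tooling: it lints a planned ACL against the NNI egress restriction and the type-specific fields, defaults and I-SID rule in the table. The dictionary layout, the `ipv4` packet-type value, the port names and the NNI port set are assumptions made for illustration.

```python
# Added example: lint a planned ACL against the rules stated in the field table.
# The dict layout, "ipv4" value, port names and NNI set are constructed assumptions.

# Association field used by each ACL type named in the table.
ASSOC_FIELD = {"inVlan": "VlanList", "inPort": "PortList",
               "outPort": "PortList", "inVsn": "Isid"}
EMPTY = (None, "", [])          # note: an Isid of 0 is a real value, not empty

def lint_acl(acl, nni_ports):
    """Return (severity, message) findings for one planned ACL."""
    acl_type = acl.get("Type")
    if acl_type not in ASSOC_FIELD:
        return [("error", f"Type {acl_type!r} is not one this lint knows")]
    findings = []
    needed = ASSOC_FIELD[acl_type]
    if acl.get(needed) in EMPTY:
        findings.append(("error", f"{acl_type} ACL requires {needed}"))
    for field in sorted(set(ASSOC_FIELD.values()) - {needed}):
        if acl.get(field) not in EMPTY:
            findings.append(("error", f"{field} does not apply to {acl_type}"))
    # Egress IPv4 filters share hardware with system vIST rules on NNI ports.
    if acl_type == "outPort" and acl.get("PktType") == "ipv4":
        clash = sorted(set(acl.get("PortList") or []) & set(nni_ports))
        if clash:
            findings.append(("error", f"IPv4 egress ACL on NNI ports {clash}"))
    # Isid row: IP Shortcut traffic (I-SID 0) is supported with match type both.
    if (acl_type == "inVsn" and acl.get("Isid") == 0
            and acl.get("MatchType") != "both"):
        findings.append(("error", "Isid 0 requires MatchType both"))
    # Table defaults: DefaultAction permit, State enable.
    if acl.get("DefaultAction", "permit") == "permit":
        findings.append(("warn", "unmatched packets are forwarded (permit)"))
    if acl.get("State", "enable") != "enable":
        findings.append(("warn", "State disables every ACE in this ACL"))
    return findings

# Constructed sample plan; 1/1 and 1/2 stand in for the switch's NNI ports.
NNI_PORTS = {"1/1", "1/2"}
PLAN = [
    {"AclId": 10, "Type": "outPort", "PktType": "ipv4",
     "PortList": ["1/2", "1/5"], "DefaultAction": "deny"},
    {"AclId": 20, "Type": "inVsn", "Isid": 0, "MatchType": "both"},
    {"AclId": 30, "Type": "inVlan", "VlanList": [100], "PortList": ["1/7"],
     "DefaultAction": "deny", "State": "disable"},
]
if __name__ == "__main__":
    for acl in PLAN:
        for severity, message in lint_acl(acl, NNI_PORTS):
            print(f"ACL {acl['AclId']}: {severity}: {message}")
```

The warning on ACL 20 is the one to review most carefully: an ACL left at the default DefaultAction forwards everything its ACEs do not match.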