Configuring global and default actions for an ACL

Configure the default action to specify packet treatment if a packet does not match any ACE.

Configure the global action to specify packet treatment if a packet matches an ACE.

Global action can only be configured for Ingress ACLs.

Before you begin

  • The ACL exists.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Configure the global action for an ACL:

    filter acl set <acl-id> global-action [monitor-dst-ports {slot/port[/sub-port][-slot/port[/sub-port]][,...]}] [monitor-dst-mlt <1–512>]

  3. Configure an ACL to the default global action settings:

    default filter acl set <acl-id> global-action [monitor-dst-ports]

  4. Configure the default action for an ACL:

    filter acl set <acl-id> default-action <permit|deny>

  5. Configure an ACL to the default action settings:

    default filter acl set <acl-id> default-action

Variable definitions

The following table describes the variables for the filter acl set commands.

Variable
  Value

<acl-id>
  Specifies the ACL ID. Use the CLI Help to see the available range for the switch.

default-action <deny|permit>
  Specifies the default action to take when none of the ACEs match. Options are <deny|permit>. The default is permit.

monitor-dst-ports {slot/port[/sub-port] [-slot/port[/sub-port]] [,...]}
  Specifies the global action to take for matching ACEs:

  • monitor destination ports: Configures mirroring to a destination port or ports.

  Identifies the slot and port in one of the following formats: a single slot and port (slot/port), a range of slots and ports (slot/port-slot/port), or a series of slots and ports (slot/port,slot/port,slot/port). If the platform supports channelization and the port is channelized, you must also specify the sub-port in the format slot/port/sub-port.

monitor-dst-mlt <1–512>
  Configures mirroring to a destination MLT in the range of 1 to 512.
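
As an added example (not part of the original documentation), the following Python script replays filter acl set lines from a saved configuration and reports the ACLs whose effective default action is still permit, checking port lists and MLT IDs against the formats described above. The sample lines are constructed, and the script assumes that the default form of the global-action command clears both mirror destinations.

```python
import re

PORT = r"\d+/\d+(?:/\d+)?"              # slot/port[/sub-port]
ITEM = rf"{PORT}(?:-{PORT})?"           # one port or a range of ports
PORT_LIST = re.compile(rf"{ITEM}(?:,{ITEM})*")
SET_CMD = re.compile(r"(default\s+)?filter\s+acl\s+set\s+(\d+)\s+"
                     r"(default-action|global-action)(?:\s+(.*))?")

# Constructed sample input, not taken from a real switch.
SAMPLE = """\
filter acl set 10 default-action deny
filter acl set 10 global-action monitor-dst-ports 1/5,1/7-1/8
filter acl set 20 global-action monitor-dst-mlt 4
filter acl set 30 default-action deny
default filter acl set 30 default-action
""".splitlines()

def effective_settings(lines):
    """Replay 'filter acl set' commands in order; return {acl_id: settings}."""
    state = {}
    for raw in lines:
        m = SET_CMD.fullmatch(raw.strip())
        if not m:
            continue                    # some other command
        reset, acl, args = bool(m[1]), int(m[2]), (m[4] or "").split()
        # Defaults per the page: default-action permit; no mirror destination.
        s = state.setdefault(acl, {"default_action": "permit",
                                   "mirror_ports": None, "mirror_mlt": None})
        if m[3] == "default-action":
            if not reset and args not in (["permit"], ["deny"]):
                raise ValueError(f"bad default-action: {raw!r}")
            s["default_action"] = "permit" if reset else args[0]
        elif reset:
            # Assumption: the reset form clears both mirror destinations.
            s["mirror_ports"] = s["mirror_mlt"] = None
        else:
            opts = dict(zip(args[::2], args[1::2]))
            ports, mlt = opts.get("monitor-dst-ports"), opts.get("monitor-dst-mlt")
            if ports and not PORT_LIST.fullmatch(ports):
                raise ValueError(f"bad port list: {raw!r}")
            if mlt and not (mlt.isdigit() and 1 <= int(mlt) <= 512):
                raise ValueError(f"bad MLT id: {raw!r}")
            s["mirror_ports"] = ports or s["mirror_ports"]
            s["mirror_mlt"] = int(mlt) if mlt else s["mirror_mlt"]
    return state

def permit_by_default(state):
    """ACL IDs where a packet that matches no ACE is still forwarded."""
    return sorted(a for a, s in state.items() if s["default_action"] == "permit")
```

With the constructed sample, permit_by_default(effective_settings(SAMPLE)) returns [20, 30]: ACL 20 never set a default action, and ACL 30 was reset to the default after being set to deny.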