MAC ACL configuration guidelines
We present configuration guidelines for all ACLs, then for Layer 2 (MAC) ACLs.
The following guidelines are for all ACLs:
- An ACL name can be up to 63 characters long, and must begin with a–z, A–Z or 0–9. You can also use underscore (_) or hyphen (-) in an ACL name, but not as the first character.
- On any given device, an ACL name must be unique among all ACL types (MAC/IPv4/IPv6, standard or extended).
- The order of the rules in an ACL is critical. The first rule that matches the traffic stops further processing of the rules. For example, following a permit match, subsequent deny or hard-drop rules do not override the permit.
- When you create an ACL rule, you have the option of specifying the rule sequence number. If you create a rule without a sequence number, it is automatically assigned a sequence number incremented above the previous last rule.
- To modify an ACL rule, delete it and then replace it with a rule of the same sequence number.
- You can apply a maximum of five ACLs to a user interface, as follows:
  - One ingress MAC ACL—if the interface is in switchport mode
  - One egress MAC ACL—if the interface is in switchport mode
  - One ingress IPv4 ACL
  - One egress IPv4 ACL
  - One ingress IPv6 ACL
(All supported devices) The following additional guidelines are relevant for Layer 2 ACLs:
- There is an implicit Layer 2 deny rule programmed in the CAM. This rule denies streams that do not match any of the configured rules in the ACL.
- You can apply a specific ACL to one or more interfaces, for ingress or egress, or for both.
(SLX 9540 and SLX 9640 devices) The following additional guidelines are relevant for Layer 2 ACLs:
- The hard-drop keyword is equivalent to the deny keyword.
- In ingress Layer 2 ACLs, deny and hard-drop rules affect protocol packets.
- In egress Layer 2 ACLs, deny and hard-drop rules do not affect protocol packets.
(SLX 9150 and SLX 9250 devices) The following additional guidelines are relevant for Layer 2 ACLs:
- A deny match does not drop control protocol or MY IP packets.
- A hard-drop match drops all packets, including control protocol and MY IP packets.
- Layer 2 ACLs applied on VLANs do not affect tunnel-terminated packets.
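The following is an added example, not code from the product documentation: a small Python model of the guidelines above, covering the ACL naming rule, automatic sequence-number assignment, first-match evaluation with the implicit deny, and the SLX 9150/9250 distinction between deny and hard-drop for control-protocol packets. The sequence-number step of 10, the rule match fields and the MAC addresses used are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Naming rule from the guidelines: up to 63 characters, first character
# alphanumeric, later characters may also be '_' or '-'.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,62}$")

def valid_acl_name(name: str) -> bool:
    return bool(NAME_RE.fullmatch(name))

@dataclass
class Rule:
    seq: int
    action: str            # "permit", "deny" or "hard-drop"
    src: str = "any"       # constructed match fields: source/destination MAC or "any"
    dst: str = "any"

    def matches(self, src: str, dst: str) -> bool:
        return self.src in ("any", src) and self.dst in ("any", dst)

@dataclass
class MacAcl:
    name: str
    rules: list = field(default_factory=list)
    SEQ_STEP = 10          # assumed auto-increment step; the page gives no value

    def add_rule(self, action, src="any", dst="any", seq=None):
        if seq is None:    # auto-assign a number above the current last rule
            seq = (self.rules[-1].seq + self.SEQ_STEP) if self.rules else self.SEQ_STEP
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"seq {seq} exists; delete it, then re-add with the same seq")
        self.rules.append(Rule(seq, action, src, dst))
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def evaluate(self, src: str, dst: str) -> str:
        # First match wins; unmatched traffic hits the implicit deny in the CAM.
        for r in self.rules:
            if r.matches(src, dst):
                return r.action
        return "deny"

def dropped(action: str, control_packet: bool) -> bool:
    # SLX 9150/9250 semantics from the guidelines: deny spares control-protocol
    # (and MY IP) packets, hard-drop drops everything, permit drops nothing.
    if action == "permit":
        return False
    if action == "deny":
        return not control_packet
    return True            # hard-drop
```

Running the model shows why rule order matters: a deny added after a matching permit never fires, while inserting a lower sequence number in front of it changes the verdict.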