Applying rACLs to devices

Use this procedure for applying IPv4 and IPv6 receive-path ACLs (rACLs) at global configuration level, using the { ip | ipv6 } receive access-group command.

(IPv4 rACLs only) Note the destination parameter in the rules of the ACL that you are applying:
  • To filter only unicast, routed route-processor traffic, specify any for the destination parameter in the rules of the ACL that you apply with this command.
  • To filter all traffic (switched, routed, unicast, multicast, route-processor, and data-plane), specify a destination IP address.

  1. Enter configure terminal to change to global configuration mode.
    device# configure terminal
    
  2. Enter the { ip | ipv6 } receive access-group command, specifying the ACL that you are applying.
    device(config)# ip receive access-group ipv4-receive-acl-example
    
  3. (For multiple rACLs) To specify processing order, enter the { ip | ipv6 } receive access-group command with the sequence option.
    device(config)# ipv6 receive access-group test-racl-v6-2 seq 20
    

Example

The following example creates an IPv4 ACL, defines rules needed for an rACL, and applies the ACL to the device.

device# configure terminal
device(config)# ip access-list extended ipv4-receive-acl-example
device(conf-ipacl-ext)# hard-drop tcp host 10.0.0.1 any count
device(conf-ipacl-ext)# hard-drop udp any host 20.0.0.1 count
device(conf-ipacl-ext)# permit tcp host 10.0.0.2 any eq telnet count
device(conf-ipacl-ext)# permit tcp host 10.0.0.2 any eq bgp count
device(conf-ipacl-ext)# exit
device(config)# ip receive access-group ipv4-receive-acl-example

Example

The following example creates an IPv6 ACL, defines rules needed for an rACL, and applies the ACL to the device.

device# configure terminal
device(config)# ipv6 access-list extended ipv6-receive-acl-example
device(conf-ipacl-ext)# deny tcp host 10::1 any count
device(conf-ipacl-ext)# deny udp any host 20::1 count
device(conf-ipacl-ext)# permit tcp host 10::2 any eq telnet count
device(conf-ipacl-ext)# permit tcp host 10::2 any eq bgp count
device(conf-ipacl-ext)# exit
device(config)# ipv6 receive access-group ipv6-receive-acl-example

Example

The following example creates two IPv4 extended ACLs, defines rules in the ACLs, and applies them as receive-path ACLs—specifying the priority of each ACL.

device# configure terminal
device(config)# ip access-list extended test-racl-1
device(conf-ipacl-ext)# deny ip 2.2.2.2/32 1.1.1.1/32
device(conf-ipacl-ext)# exit
device(config)# ip access-list extended test-racl-2
device(conf-ipacl-ext)# permit ip 2.2.2.2/32 any
device(conf-ipacl-ext)# exit

device(config)# ip receive access-group test-racl-1 seq 10
device(config)# ip receive access-group test-racl-2 seq 20
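
The destination-parameter note for IPv4 rACLs can be checked before an ACL is applied. The following is an added example, not part of the original procedure or the vendor's tooling: a Python audit that reads configuration text, finds the ACLs applied with ip receive access-group, and labels each rule by the scope the note describes. The function names, the scope labels, and the prompt-free sample configuration are assumptions made for illustration, and the parser handles only the rule forms shown on this page.

```python
# Constructed sample: the page's IPv4 examples with the CLI prompts removed.
SAMPLE_CONFIG = """\
ip access-list extended ipv4-receive-acl-example
 hard-drop tcp host 10.0.0.1 any count
 hard-drop udp any host 20.0.0.1 count
 permit tcp host 10.0.0.2 any eq telnet count
 permit tcp host 10.0.0.2 any eq bgp count
ip access-list extended test-racl-1
 deny ip 2.2.2.2/32 1.1.1.1/32
ip access-list extended test-racl-2
 permit ip 2.2.2.2/32 any
ip receive access-group ipv4-receive-acl-example
ip receive access-group test-racl-1 seq 10
ip receive access-group test-racl-2 seq 20
"""

ACTIONS = {"permit", "deny", "hard-drop"}  # rule actions shown on this page

def _take_addr(tokens, i):
    """Return (address spec, next index); 'host X' spans two tokens."""
    if tokens[i] == "host":
        return "host " + tokens[i + 1], i + 2
    return tokens[i], i + 1  # 'any' or a prefix such as 2.2.2.2/32

def rule_destination(rule):
    """Destination spec of '<action> <proto> <source> <destination> ...'."""
    tokens = rule.split()
    _, i = _take_addr(tokens, 2)  # skip the source spec
    return _take_addr(tokens, i)[0]

def audit_racls(config):
    """Return (acl, seq, rule, scope) for each rule of each applied IPv4 rACL."""
    acls, applied, current = {}, [], None
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(w[3], [])
        elif w[:3] == ["ip", "receive", "access-group"]:
            applied.append((w[3], int(w[5]) if w[4:5] == ["seq"] else None))
            current = None
        elif current is not None and w and w[0] in ACTIONS:
            current.append(" ".join(w))
    findings = []
    for name, seq in applied:
        for rule in acls.get(name, []):
            # Per the note: destination 'any' = unicast routed RP traffic only.
            wide = rule_destination(rule) != "any"
            findings.append((name, seq, rule, "all-traffic" if wide else "rp-unicast-routed"))
    return findings
```

Rules labelled all-traffic carry a specific destination address, so per the note above they filter switched and data-plane traffic as well as route-processor traffic.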