MAC ACL configuration guidelines
	
	
The following guidelines are for all ACLs:

- An ACL name can be up to 63 characters long, and must begin with a–z, A–Z or 0–9. You can also use underscore (_) or hyphen (-) in an ACL name, but not as the first character.
- On any given device, an ACL name must be unique among all ACL types (MAC/IPv4/IPv6, standard or extended).
- The order of the rules in an ACL is critical. The first rule that matches the traffic stops further processing of the rules. For example, following a permit match, subsequent deny or hard-drop rules do not override the permit.
- When you create an ACL rule, you have the option of specifying the rule sequence number. If you create a rule without a sequence number, it is automatically assigned a sequence number incremented above the previous last rule.
- To modify an ACL rule, delete it and then replace it with a rule of the same sequence number.
- You can apply a maximum of five ACLs to a user interface, as follows:
  - One ingress MAC ACL—if the interface is in switchport mode
  - One egress MAC ACL—if the interface is in switchport mode
  - One ingress IPv4 ACL
  - One egress IPv4 ACL
  - One ingress IPv6 ACL

(All supported devices) The following additional guidelines are relevant for Layer 2 ACLs:

- There is an implicit Layer 2 deny rule programmed in the CAM. This rule denies streams that do not match any of the configured rules in the ACL.
- You can apply a specific ACL to one or more interfaces, for ingress or egress, or for both.
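
The following Python sketch is an added example, not vendor code. It models the name rule, first-match ordering and the implicit deny described above, and flags rules that an earlier rule makes unreachable. The matcher is simplified to "any" or a single address (an assumption), and the sample ACL and MAC addresses are constructed.

```python
import re
from dataclasses import dataclass

# Naming rule from the guidelines: up to 63 characters, first character
# alphanumeric, later characters may also be underscore or hyphen.
ACL_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,62}")

def valid_acl_name(name: str) -> bool:
    return ACL_NAME.fullmatch(name) is not None

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str  # "permit", "deny" or "hard-drop"
    src: str     # "any" or one MAC address (simplified matcher, an assumption)
    dst: str

def covers(pattern: str, value: str) -> bool:
    """True if a rule field matches everything the given value can match."""
    return pattern == "any" or pattern.lower() == value.lower()

def evaluate(rules, src, dst):
    """Return (action, seq) of the first matching rule in sequence order."""
    for r in sorted(rules, key=lambda r: r.seq):
        if covers(r.src, src) and covers(r.dst, dst):
            return r.action, r.seq  # first match stops processing
    return "deny", None             # implicit deny: no configured rule matched

def shadowed(rules):
    """Return (seq, earlier_seq) for rules that an earlier rule always pre-empts."""
    ordered = sorted(rules, key=lambda r: r.seq)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier.src, later.src) and covers(earlier.dst, later.dst):
                found.append((later.seq, earlier.seq))
                break
    return found

# Constructed sample ACL (documentation-range MAC addresses).
SAMPLE = [
    Rule(10, "permit", "any", "0000.5e00.5301"),
    Rule(20, "deny", "0000.5e00.5310", "0000.5e00.5301"),  # never reached
    Rule(30, "hard-drop", "0000.5e00.5320", "any"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, "0000.5e00.5310", "0000.5e00.5301"))
    print(shadowed(SAMPLE))
```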

(Extreme 8820, SLX 9740, SLX 9640, and SLX 9540 devices) The following additional guidelines are relevant for Layer 2 ACLs:

- The hard-drop keyword is equivalent to the deny keyword.
- In ingress Layer 2 ACLs, deny and hard-drop rules affect protocol packets.
- In egress Layer 2 ACLs, deny and hard-drop rules do not affect protocol packets.

(Extreme 8720, Extreme 8520, SLX 9150, and SLX 9250 devices) The following additional guidelines are relevant for Layer 2 ACLs:

- A deny match does not drop control protocol or MY IP packets.
- A hard-drop match drops all packets, including control protocol and MY IP packets.
- Layer 2 ACLs applied on VLANs do not affect tunnel-terminated packets.