Configuring ACLs on a Management Port

Hardware ACLs are not supported on the management port. Untagged packets received on the management port are processed in software, where they can be filtered using ACLs. ACLs applied to the management port or VLAN are therefore installed only in software, not in hardware.

For example, to block ICMP echo requests on a management port, use the following:

create access-list echo "protocol icmp; icmp-type echo-request;" "deny; count echo"
conf access-list add "echo" first vlan "Mgmt" ingress

To unblock ICMP echo requests on a management port, use the following:

conf access-list del "echo" vlan "Mgmt"
del access-list "echo"

To show ACL dropped packet counters, use the following command:

show access-list dynamic counter