apply access-list (to interface VLAN)

Syntax

apply access-list {ip|ipv6} <ACL-NAME> routed-in

no apply access-list {ip|ipv6} <ACL-NAME> routed-in

Description

Applies an ACL to the interface VLAN (or range of interface VLANs) identified by the current interface VLAN context. Using the apply access-list command on an interface VLAN that already has an applied ACL of the same type replaces the currently applied ACL.

The no form of this command removes application of the ACL from the interface VLAN (or range of interface VLANs) identified by the current interface VLAN context.

Command context

config-if-vlan

Parameters

ip|ipv6

Specifies the ACL type: ip for IPv4, ipv6 for IPv6.

<ACL-NAME>

Specifies the ACL name.

routed-in

Selects the routed inbound (routed ingress) traffic direction.

Authority

Administrators or local user group members with execution rights for this command.

Usage

  • Each ACL of a given type can be applied to the same interface VLAN once. Therefore, using the apply access-list command on an interface VLAN with an already-applied ACL of the same type replaces the applied ACL.

  • When an ACL is applied to an interface VLAN, it will create hardware entries on all line cards regardless of whether an interface VLAN member exists on any specific line card.

Examples

Creating an IPv4 ACL and applying it to routed ingress traffic on interface VLAN vlan100:

switch(config)# access-list ip test
switch(config-acl-ip)# 10 permit any 1.1.1.2 2.2.2.2 count
switch(config-acl-ip)# 20 permit any 1.1.1.2 2.2.2.1 count
switch(config-acl-ip)# 30 permit any 2.2.2.2 1.1.1.2 count
switch(config-acl-ip)# 40 permit any 2.2.2.2 1.1.1.1 count
switch(config-acl-ip)# 50 permit any any any count
switch(config-acl-ip)# exit
switch(config)#
switch(config)# interface vlan100
switch(config-if-vlan)# apply access-list ip test routed-in

Applying My_ip_ACL to routed ingress traffic on interface VLAN 10:

switch(config)# interface vlan 10
switch(config-if-vlan)# apply access-list ip My_ip_ACL routed-in

Applying My_ipv6_ACL to routed ingress traffic on interface VLAN 10:

switch(config)# interface vlan 10
switch(config-if-vlan)# apply access-list ipv6 My_ipv6_ACL routed-in

Applying My_ip_ACL to routed ingress traffic on interface VLANs 20 to 25:

switch(config)# interface vlan 20-25
switch(config-if-vlan-<20-25>)# apply access-list ip My_ip_ACL routed-in

Replacing My_ipv6_ACL with My_Replacement_ACL on interface VLAN 10 (following the above examples):

switch(config)# interface vlan 10
switch(config-if-vlan)# apply access-list ipv6 My_Replacement_ACL routed-in

Removing (unapplying) My_Replacement_ACL on interface VLAN 10. Any other interfaces or VLANs with My_Replacement_ACL applied are not affected:

switch(config)# interface vlan 10
switch(config-if-vlan)# no apply access-list ipv6 My_Replacement_ACL routed-in

Removing (unapplying) My_ip_ACL on interface VLANs 20 to 25. Any other interfaces or VLANs with My_ip_ACL applied are not affected:

switch(config)# interface vlan 20-25
switch(config-if-vlan-<20-25>)# no apply access-list ip My_ip_ACL routed-in
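As an added illustration (not part of this reference page or the switch software), the following Python script replays a constructed sequence of the commands shown above and models the semantics documented here: one ACL per type per interface VLAN, replacement on a second apply, expansion of a VLAN range, and removal with the no form. The sample config text, the regular expressions, the replay and unprotected_vlans functions, and the choice that no apply only clears the ACL when the named ACL is the one applied are assumptions for this example; it can be pointed at an audit-style export of interface VLAN commands to list VLANs that route traffic without an ACL of a given type.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on this page's command sequences; not real switch output.
SAMPLE_CONFIG = """\
interface vlan 10
    apply access-list ip My_ip_ACL routed-in
    apply access-list ipv6 My_ipv6_ACL routed-in
interface vlan 20-25
    apply access-list ip My_ip_ACL routed-in
interface vlan 10
    apply access-list ipv6 My_Replacement_ACL routed-in
interface vlan 30
interface vlan 10
    no apply access-list ipv6 My_Replacement_ACL routed-in
"""

IFACE_RE = re.compile(r"^interface vlan\s*(\d+)(?:-(\d+))?$")
APPLY_RE = re.compile(r"^(no )?apply access-list (ip|ipv6) (\S+) routed-in$")


def replay(config: str) -> Dict[int, Dict[str, str]]:
    """Replay config-if-vlan commands; return {vlan: {acl_type: acl_name}}."""
    state: Dict[int, Dict[str, str]] = {}
    current: List[int] = []  # VLANs selected by the most recent 'interface vlan' line
    for raw in config.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            current = list(range(lo, hi + 1))  # 'vlan 20-25' selects six VLANs
            for v in current:
                state.setdefault(v, {})
            continue
        m = APPLY_RE.match(line)
        if not m:
            continue
        negate, acl_type, name = m.groups()
        for v in current:
            if negate:
                # Assumption: 'no apply' clears the slot only if the named ACL is applied
                if state[v].get(acl_type) == name:
                    del state[v][acl_type]
            else:
                # One ACL per type per interface VLAN: a second apply replaces the first
                state[v][acl_type] = name
    return state


def unprotected_vlans(state: Dict[int, Dict[str, str]], acl_type: str) -> List[int]:
    """Interface VLANs in the config with no routed-in ACL of the given type."""
    return sorted(v for v, acls in state.items() if acl_type not in acls)
```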