Multiple ACLs on an interface

The switch allows multiple ACL applications on an interface (subject to internal resource availability). This means that a port belonging to a given VLAN "X" can simultaneously be subject to all the following:

Table 12: Per-interface multiple ACL assignments

ACL type: Dynamic (RADIUS-assigned) ACLs
ACL application:
    One port-based ACL (for the first client to authenticate on the port), or up to 32 user-based ACLs (one per authenticated client).
    Note: If one or more user-based dynamic ACLs are assigned to a port, the only traffic allowed inbound on the port is from authenticated clients.

ACL type: IPv6 static ACLs
ACL application:
    One static VACL for IPv6 traffic for VLAN "X" entering the switch through the port.
    One static port ACL for IPv6 traffic entering the switch on the port.
    One inbound and one outbound RACL filtering routed IPv6 traffic moving through the port for VLAN "X". (This also applies to inbound, switched traffic on VLAN "X" that has a destination on the switch itself.)

ACL type: IPv4 static ACLs
ACL application:
    One static VACL for IPv4 traffic for VLAN "X" entering the switch through the port.
    One static port ACL for any IPv4 traffic entering the switch on the port.
    One connection-rate ACL for inbound IPv4 traffic for VLAN "X" on the port (if the port is configured for connection-rate filtering). See Virus throttling (connection-rate filtering).
    One inbound and one outbound RACL filtering routed IPv4 traffic moving through the port for VLAN "X". (This also applies to inbound, switched traffic on VLAN "X" that has a destination on the switch itself.)

NOTE:

In cases where an RACL and any type of port or VLAN ACL are filtering traffic entering the switch, the switched traffic explicitly permitted by the port or VLAN ACL is not filtered by the RACL, except where the traffic has a destination on the switch itself. However, routed traffic explicitly permitted by the port or VLAN ACL (and any switched traffic having a destination on the switch itself) must also be explicitly permitted by the RACL, or it is dropped.

A switched packet is unaffected by an outbound RACL assigned to the VLAN on which the packet exits the switch.
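The interaction described in the note above, written out as an added Python model (not switch code, and not from this guide): each ACL's verdict for one packet is supplied as an input, and permitted() applies the documented precedence, including the rule that switched traffic bypasses the RACL unless it is addressed to the switch itself. The names InboundAcls, Verdict and permitted are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

# Verdict of one ACL for a given packet: True = explicit permit,
# False = deny (explicit or implicit), None = no ACL of that type assigned.
Verdict = Optional[bool]


@dataclass
class InboundAcls:
    """ACL verdicts for one packet entering on a port in VLAN X (Table 12)."""
    port_acl: Verdict = None          # static port ACL on the ingress port
    vacl: Verdict = None              # static VACL for VLAN X (inbound)
    racl_in: Verdict = None           # inbound RACL for VLAN X
    racl_out: Verdict = None          # outbound RACL on the VLAN the packet exits
    user_based_dynamic: bool = False  # any user-based RADIUS ACL on the port?
    client_authenticated: bool = True # did the sender authenticate on the port?


def permitted(acls: InboundAcls, routed: bool, to_switch: bool) -> bool:
    """Return True if the packet is forwarded under all assigned ACLs.

    routed:    the packet is routed between VLANs (vs. switched within VLAN X)
    to_switch: the packet's destination is the switch itself
    """
    # Dynamic ACL note: once a user-based ACL is on the port, only traffic
    # from authenticated clients is allowed inbound at all.
    if acls.user_based_dynamic and not acls.client_authenticated:
        return False
    # Port ACL and VACL each filter ingress independently; any deny drops.
    if acls.port_acl is False or acls.vacl is False:
        return False
    # Inbound RACL: filters routed traffic, plus switched traffic whose
    # destination is the switch itself. Other switched traffic that the
    # port/VLAN ACL permitted is not filtered by the RACL.
    if (routed or to_switch) and acls.racl_in is False:
        return False
    # Outbound RACL: routed traffic only; a switched packet is unaffected
    # by an outbound RACL on its exit VLAN.
    if routed and acls.racl_out is False:
        return False
    return True


def scenarios() -> dict:
    """Constructed cases illustrating the note: same ACL verdicts, different paths."""
    acls = InboundAcls(port_acl=True, racl_in=False, racl_out=False)
    return {
        "switched, permitted by port ACL": permitted(acls, routed=False, to_switch=False),
        "switched, destined to the switch": permitted(acls, routed=False, to_switch=True),
        "routed, denied by inbound RACL": permitted(acls, routed=True, to_switch=False),
    }
```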

For information on traffic mirroring, see "Monitoring and Analyzing Switch Operation" in the management and configuration guide for your switch.