ACL application

ACLs can be applied as follows:
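
| ACL type                | IPv4 | IPv4 | IPv6 | MAC |
| Direction               | In   | Out  | In   | In  |
|-------------------------|------|------|------|-----|
| L2 interface (port)     | Yes  |      | Yes  | Yes |
| L2 LAG                  | Yes  |      | Yes  | Yes |
| L3 interface (port)     | Yes  | Yes  | Yes  | Yes |
| L3 LAG                  | Yes  | Yes  | Yes  | Yes |
| VLAN                    | Yes  |      | Yes  | Yes |
| Management interface    | Yes  |      | Yes  |     |
| Control plane (per VRF) | Yes  |      | Yes  |     |
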
NOTE:

Egress ACLs can only be applied to L3 (route-only) interfaces. Applying an egress ACL to an L2 interface will result in an error. Only ingress ACLs (IPv4, IPv6, and MAC) can be applied to VLANs. Applying an egress ACL to a VLAN will result in an error.

NOTE:

The following match criteria are not supported. An attempt to configure any of them displays an error message, and the action is not completed.

TCP flags CWR and ECE
TCP flags and TTL (hop limit) on IPv6 ACLs
TCP flags and fragment on outbound ACLs
Fragment on IPv6 VLAN ACLs
VLAN ID on VLAN ACLs

NOTE:

To apply IPv4 and/or IPv6 ACLs to the management interface, apply them to the control plane on the management VRF.
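
The table and notes above can be checked against a planned set of ACL bindings before anything is pushed to a device. The following is an added example, not part of the original documentation; the attach-point names and match-criterion labels are hypothetical, and each "and" in the unsupported-criteria list is read as naming separately unsupported criteria.

```python
"""Lint planned ACL bindings against the support table and notes above."""

ALL_IN = {("ipv4", "in"), ("ipv6", "in"), ("mac", "in")}
IP_IN = {("ipv4", "in"), ("ipv6", "in")}
# Attach point (hypothetical names) -> supported (ACL type, direction) pairs.
SUPPORTED = {
    "l2-port": ALL_IN,
    "l2-lag": ALL_IN,
    "l3-port": ALL_IN | {("ipv4", "out")},
    "l3-lag": ALL_IN | {("ipv4", "out")},
    "vlan": ALL_IN,
    "mgmt": IP_IN,
    "control-plane": IP_IN,
}


def lint(attach, acl_type, direction, criteria=()):
    """Return a list of findings; an empty list means no rule is violated."""
    findings = []
    crit = set(criteria)
    if (acl_type, direction) not in SUPPORTED.get(attach, set()):
        findings.append(f"{acl_type} {direction} is not supported on {attach}")
    if attach == "mgmt":
        findings.append("apply to the control plane on the management VRF instead")
    # One rule per unsupported-criteria line; criterion labels are hypothetical.
    rules = [
        (True, {"tcp-cwr", "tcp-ece"}, "TCP flags CWR and ECE"),
        (acl_type == "ipv6", {"tcp-flags", "ttl"}, "TCP flags/TTL on IPv6 ACLs"),
        (direction == "out", {"tcp-flags", "fragment"}, "TCP flags/fragment on outbound ACLs"),
        (acl_type == "ipv6" and attach == "vlan", {"fragment"}, "fragment on IPv6 VLAN ACLs"),
        (attach == "vlan", {"vlan-id"}, "VLAN ID on VLAN ACLs"),
    ]
    for applies, banned, label in rules:
        hit = sorted(crit & banned)
        if applies and hit:
            findings.append(f"unsupported match ({label}): {', '.join(hit)}")
    return findings


if __name__ == "__main__":
    # Constructed plan: (attach point, ACL type, direction, match criteria).
    plan = [
        ("l3-port", "ipv4", "out", ["fragment"]),
        ("l2-port", "ipv4", "out", []),
        ("vlan", "ipv6", "in", ["fragment", "vlan-id"]),
    ]
    for binding in plan:
        print(binding[:3], lint(*binding) or "ok")
```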