apply access-list (to VLAN)

Syntax

apply access-list {ip|ipv6|mac} <ACL-NAME> {in|out}

no apply access-list {ip|ipv6|mac} <ACL-NAME> {in|out}

Description

Applies an ACL to the VLAN identified by the current VLAN context.

The no form of this command removes application of the ACL from the VLAN identified by the current VLAN context.

Command context

config-vlan

Parameters

ip|ipv6|mac

Specifies the ACL type: ip for IPv4, ipv6 for IPv6, or mac for MAC ACL.

<ACL-NAME>

Specifies the ACL name.

in

Selects the inbound (ingress) traffic direction.

out

Selects the outbound (egress) traffic direction.

Authority

Administrators or local user group members with execution rights for this command.

Usage

  • Only one ACL of a given type can be applied to a VLAN in each direction. Therefore, using the apply access-list command on a VLAN that already has an applied ACL of the same type and direction replaces the applied ACL with the new one.

  • When an ACL is applied to a VLAN, it will create hardware entries on all stack members (6300 switch) and line cards (6400 switch) regardless of whether a VLAN member exists on any specific stack member or line card.

  • 6300 Switch Series (standalone): If, during a switch reboot, an ACL fails to be applied to a VLAN, all ports are shut down. To recover from the failure, resolve the misconfiguration and then restart the switch using the boot command. Modifying the configuration alone will not bring the ports back up.

  • 6300 Switch Series (stacked): If, during a hotswap or switch reboot, an ACL fails to be applied to a VLAN, the failed stack member shuts down all of its ports. To recover from the failure, resolve the misconfiguration and then restart the stack member using the vsf member command. Modifying the configuration alone will not bring the ports back up.

  • 6400 Switch Series: If, during a hotswap or switch reboot, an ACL fails to be applied to a VLAN, the failed line card shuts down all of its ports. To recover from the failure, resolve the misconfiguration and then restart the line card using the module command. If the 6400 has no line card installed, the switch itself must be restarted. Modifying the VLAN or ACL configuration alone will not restart the line card.
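
The one-ACL-per-type-per-direction rule above means the last apply access-list for a given type and direction on a VLAN wins, and a no apply must name the ACL that is currently applied. The following is an added example (not part of this page and not AOS-CX code) that parses a constructed configuration script written in the same syntax as the examples on this page, applies that replacement semantics per VLAN, expands VLAN ranges the way the vlan command does, and reports VLANs that reference an ACL that is never defined or that have no inbound IPv4 ACL at all. The sample configuration, the ACL entry lines inside it, the function names, and the choice to report (rather than execute) a no apply whose name does not match the applied ACL are assumptions of the example.

```python
"""Added example: audit 'apply access-list' commands in VLAN contexts.

Reads an AOS-CX style configuration script, tracks which ACL is applied
per VLAN per (type, direction) with the CLI's replacement semantics, and
reports coverage gaps and dangling references. Constructed sample input;
no device is contacted.
"""
import re

ACL_DEF_RE = re.compile(r"^access-list (ip|ipv6|mac) (\S+)$")
VLAN_RE = re.compile(r"^vlan (\S+)$")
APPLY_RE = re.compile(r"^(no )?apply access-list (ip|ipv6|mac) (\S+) (in|out)$")

# Constructed sample script (assumption: not a real device dump). Column-0
# lines open a context; indented lines belong to the context above them.
SAMPLE_CONFIG = """\
access-list ip My_ip_ACL
    10 permit any any any
access-list ipv6 My_ipv6_ACL
    10 permit any any any
access-list mac My_mac_ACL
    10 permit any any any
vlan 10
    apply access-list ip My_ip_ACL in
    apply access-list ipv6 My_ipv6_ACL in
    apply access-list mac My_mac_ACL in
    apply access-list ipv6 My_Replacement_ACL in
    no apply access-list mac My_mac_ACL in
vlan 20-25
    apply access-list ip My_ip_ACL in
vlan 30
    name servers
"""


def expand_vlan_spec(spec):
    """'10', '20-25' or '10,20-25' -> sorted list of VLAN IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return sorted(ids)


def parse_config(text):
    """Return (defined ACLs, applied ACLs per VLAN, parse findings).

    defined: {(type, name)}; applied: {vlan: {(type, direction): name}}.
    A second apply for the same (type, direction) replaces the first,
    matching the CLI behaviour described on the page.
    """
    defined, applied, findings = set(), {}, []
    current_vlans = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[:1].isspace():
            current_vlans = []          # any column-0 line leaves VLAN context
        if m := ACL_DEF_RE.match(line):
            defined.add((m.group(1), m.group(2)))
        elif m := VLAN_RE.match(line):
            current_vlans = expand_vlan_spec(m.group(1))
            for vlan in current_vlans:
                applied.setdefault(vlan, {})
        elif (m := APPLY_RE.match(line)) and current_vlans:
            negate, acl_type, name, direction = m.groups()
            key = (acl_type, direction)
            for vlan in current_vlans:
                if not negate:
                    applied[vlan][key] = name   # replaces same type/direction
                elif applied[vlan].get(key) == name:
                    del applied[vlan][key]
                else:   # assumption: mismatched 'no apply' is reported, not applied
                    findings.append(
                        f"vlan {vlan}: 'no apply' names {name} but "
                        f"{applied[vlan].get(key)} is applied {direction}")
    return defined, applied, findings


def audit(defined, applied, required=(("ip", "in"),)):
    """Flag applied ACLs that are never defined and VLANs missing a required ACL."""
    findings = []
    for vlan in sorted(applied):
        for (acl_type, direction), name in sorted(applied[vlan].items()):
            if (acl_type, name) not in defined:
                findings.append(f"vlan {vlan}: {acl_type} ACL {name} is applied "
                                f"{direction} but not defined")
        for acl_type, direction in required:
            if (acl_type, direction) not in applied[vlan]:
                findings.append(f"vlan {vlan}: no {acl_type} ACL applied {direction}")
    return findings


def run(text):
    """Parse and audit; returns (applied-per-VLAN map, combined findings)."""
    defined, applied, findings = parse_config(text)
    return applied, findings + audit(defined, applied)


if __name__ == "__main__":
    applied, findings = run(SAMPLE_CONFIG)
    for vlan in sorted(applied):
        print(vlan, applied[vlan])
    print("\n".join(findings))
```

On the sample, VLAN 10 ends up with My_ip_ACL inbound and My_Replacement_ACL (not My_ipv6_ACL) inbound, the MAC ACL is gone after the no apply, and the audit reports that My_Replacement_ACL is never defined and that VLAN 30 has no inbound IPv4 ACL. Run it against a saved configuration before a reboot: an apply that names a missing ACL is exactly the kind of misconfiguration the Usage notes warn can leave ports shut down until the switch, stack member or line card is restarted.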

Examples

Applying My_ip_ACL to ingress traffic on VLAN range 20 to 25:

switch(config)# vlan 20-25
switch(config-vlan-<20-25>)# apply access-list ip My_ip_ACL in
switch(config-vlan-<20-25>)# exit
switch(config)#

Applying My_ip_ACL to egress traffic on VLAN range 40 to 50:

switch(config)# vlan 40-50
switch(config-vlan-<40-50>)# apply access-list ip My_ip_ACL out
switch(config-vlan-<40-50>)# exit
switch(config)#

Applying My_ip_ACL to ingress traffic on VLAN 10:

switch(config)# vlan 10
switch(config-vlan-10)# apply access-list ip My_ip_ACL in
switch(config-vlan-10)# exit
switch(config)#

Applying My_ipv6_ACL to ingress traffic on VLAN 10:

switch(config)# vlan 10
switch(config-vlan-10)# apply access-list ipv6 My_ipv6_ACL in
switch(config-vlan-10)# exit
switch(config)#

Applying My_mac_ACL to ingress traffic on VLAN 10:

switch(config)# vlan 10
switch(config-vlan-10)# apply access-list mac My_mac_ACL in
switch(config-vlan-10)# exit
switch(config)#

Replacing My_ipv6_ACL with My_Replacement_ACL on VLAN 10 (following the preceding examples):

switch(config)# vlan 10
switch(config-vlan-10)# apply access-list ipv6 My_Replacement_ACL in
switch(config-vlan-10)# exit
switch(config)#

Removing (unapplying) several ACLs on VLAN 10:

switch(config)# vlan 10
switch(config-vlan-10)# no apply access-list ipv6 My_Replacement_ACL in
switch(config-vlan-10)# no apply access-list mac My_mac_ACL in
switch(config-vlan-10)# exit
switch(config)#