no entry will be created
Example:
Create an extended IPv6 access list named “tcpFlow”.
Switch (Config)#ipv6 access-list extended tcpFlow
19.2.2.16 {ip|ipv6|mac|mac-ip} access-group
Command: {ip|ipv6|mac|mac-ip} access-group <name> {in|out} [traffic-statistic]
no {ip|mac|mac-ip} access-group <name> {in|out}
Function: Applies an access list to one direction of a port; the option determines whether a statistics counter is added to the ACL rules. The “no {ip|mac|mac-ip} access-group” command deletes the access-list binding on the port.
Parameter: <name> is the name of the access list; the character string length is from 1 to 16.
Command Mode: Physical Interface Mode, Interface Mode
Default: No ACL is bound to the entry or exit of the port.
Usage Guide: One port can bind one entry rule and one exit rule; an ACL bound to the exit can include only deny rules. On a stack switch, an ACL can be bound only on entry, not on exit.
Standard, extended and nomenclature access lists can be bound to a physical port of a layer 3 switch; an ACL cannot be bound to a layer interface or an influx interface.
There are four kinds of ACL, according to the packet header fields they examine: MAC ACL, IP ACL, MAC-IP ACL and IPv6 ACL. The filter behaviors (permit, deny) can conflict when a data packet matches more than one of the eight ACLs. A strict priority is specified for each ACL based on outcome veracity; when the filter behaviors conflict, the priority determines the final filtering behavior for the packet.
When binding an ACL to a port, the following limits apply:
1. Each port can bind a MAC-IP ACL, an IP ACL, a MAC ACL and an IPv6 ACL;
2. Each port exit can bind a MAC-IP ACL, an IP ACL, a MAC ACL and an IPv6 ACL;
3. When 6 ACLs are bound and a data packet matches several of them simultaneously, the priority from high to low is as follows:
Egress IPv6 ACL;
Egress MAC-IP ACL;
Egress MAC ACL;
Egress IP ACL;
Ingress IPv6 ACL;
Ingress MAC-IP ACL;
Ingress MAC ACL;
Ingress IP ACL;
4. An egress ACL can only specify deny behavior;
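The limits and priority order above can be checked before a change is pushed to a switch. The following Python sketch is an added example, not code from the manual or the vendor: it parses access-group lines in the syntax shown in this section, flags bindings that break the documented limits, and reports which bound ACL decides a packet that matches several. The ACL names other than tcpFlow, the `acl_actions` input and the one-ACL-per-type-per-direction reading of limits 1 and 2 are assumptions.

```python
import re

# Grammar from this section:
#   {ip|ipv6|mac|mac-ip} access-group <name> {in|out} [traffic-statistic]
BIND_RE = re.compile(
    r"^(ip|ipv6|mac|mac-ip) access-group (\S+) (in|out)( traffic-statistic)?$")
# Priority order from the usage guide, highest first.
PRIORITY = [("out", "ipv6"), ("out", "mac-ip"), ("out", "mac"), ("out", "ip"),
            ("in", "ipv6"), ("in", "mac-ip"), ("in", "mac"), ("in", "ip")]
# Constructed sample: one port's planned bindings and each ACL's rule actions.
SAMPLE_LINES = ["ipv6 access-group tcpFlow in traffic-statistic",
                "mac access-group blockHosts out",
                "ip access-group webOnly in",
                "ip access-group aVeryLongAccessListName in"]
SAMPLE_ACTIONS = {"tcpFlow": {"permit", "deny"}, "blockHosts": {"deny"},
                  "webOnly": {"permit", "deny"}}


def check_port(lines, acl_actions, stacked=False):
    """Validate one port's access-group lines against the documented limits.

    acl_actions maps an ACL name to the actions its rules use (hypothetical
    input; this section does not show the rule syntax).
    Returns (bindings, problems); bindings maps (direction, type) -> name.
    """
    bindings, problems = {}, []
    for line in lines:
        m = BIND_RE.match(line.strip())
        if not m:
            problems.append(f"unparsable: {line!r}")
            continue
        kind, name, direction = m.group(1), m.group(2), m.group(3)
        if not 1 <= len(name) <= 16:
            problems.append(f"{name}: name length must be 1 to 16")
        if (direction, kind) in bindings:  # assumed: one ACL per type/direction
            problems.append(f"{name}: second {kind} ACL bound {direction}")
            continue
        if direction == "out" and stacked:
            problems.append(f"{name}: stack switch binds on entry only")
        if direction == "out" and "permit" in acl_actions.get(name, set()):
            problems.append(f"{name}: exit ACL may only contain deny rules")
        bindings[(direction, kind)] = name
    return bindings, problems


def deciding_acl(bindings, matched):
    """Of the bound ACLs a packet matched, return the highest-priority one."""
    for key in PRIORITY:
        if bindings.get(key) in matched:
            return bindings[key]
    return None
```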