Chapter 59 vlan-acl configuration, 1 introduction to vlan-acl, 2 vlan-acl configuration task list – PLANET XGS3-24042 User Manual


Chapter 59 VLAN-ACL Configuration

59.1 Introduction to VLAN-ACL

The user can apply an ACL policy to a VLAN to control access on all ports in the VLAN, which makes the network easier to manage. The user only needs to configure the ACL policy on the VLAN; the corresponding ACL action then takes effect on all member ports of the VLAN, and there is no need to configure each member port separately.

When VLAN ACL and Port ACL are configured at the same time, the deny-first principle is used: when a packet matches both the VLAN ACL and the Port ACL, the final action is drop as long as one of the rules is drop.

Egress ACL can filter packets in the egress and ingress directions; packets that match the specified rules can be allowed or denied. The supported ACL types are IP ACL, MAC ACL, MAC-IP ACL and IPv6 ACL. The ingress direction of a VLAN can bind all four kinds of ACL at the same time. The egress direction of a VLAN has four resources: IP ACL and MAC ACL each take one resource, while MAC-IP ACL and IPv6 ACL each take two, so the egress direction of a VLAN cannot bind all four kinds of ACL at the same time. When three kinds of ACL are bound at the same time, they must be IP, MAC and MAC-IP, or IP, MAC and IPv6. When two kinds are bound at the same time, any combination of ACL types is valid. Only one ACL of each type can be applied to a VLAN.
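The binding limits and the deny-first rule described above can be checked before a change is pushed to the switch. The following Python sketch is an added example, not part of the manual or of the switch software; the tuple format, the function names and the sample plan are assumptions made for illustration, and the one-ACL-per-type rule is applied per VLAN and direction.

```python
from collections import defaultdict

# Egress resource cost per ACL type, as stated in section 59.1.
EGRESS_COST = {"ip": 1, "mac": 1, "mac-ip": 2, "ipv6": 2}
EGRESS_RESOURCES = 4  # resources available on the egress direction of a VLAN


def check_bindings(bindings):
    """Return problems found in (vlan, direction, acl_type, acl_name) tuples."""
    problems = []
    by_slot = defaultdict(list)
    for vlan, direction, acl_type, _name in bindings:
        if acl_type not in EGRESS_COST or direction not in ("in", "out"):
            problems.append(f"vlan {vlan}: unknown {acl_type}/{direction}")
            continue
        by_slot[(vlan, direction)].append(acl_type)

    for (vlan, direction), types in sorted(by_slot.items()):
        # Assumption: "one ACL of each type" is enforced per VLAN and direction.
        for t in sorted(set(types)):
            if types.count(t) > 1:
                problems.append(f"vlan {vlan} {direction}: more than one {t} ACL")
        # Ingress can bind all four types; egress is limited by resources.
        if direction == "out":
            cost = sum(EGRESS_COST[t] for t in set(types))
            if cost > EGRESS_RESOURCES:
                problems.append(f"vlan {vlan} out: needs {cost} resources, "
                                f"only {EGRESS_RESOURCES} available")
    return problems


def final_action(vlan_acl_action, port_acl_action):
    """Deny-first: if either matching rule drops, the packet is dropped."""
    return "deny" if "deny" in (vlan_acl_action, port_acl_action) else "permit"


# Constructed plan: VLAN 10 is valid, VLAN 20 over-commits egress resources,
# VLAN 30 binds two IP ACLs in the same direction.
PLAN = [
    (10, "out", "ip", "100"), (10, "out", "mac", "m1"), (10, "out", "mac-ip", "mi1"),
    (10, "in", "ip", "100"), (10, "in", "mac", "m1"),
    (10, "in", "mac-ip", "mi1"), (10, "in", "ipv6", "v6a"),
    (20, "out", "ip", "100"), (20, "out", "mac-ip", "mi1"), (20, "out", "ipv6", "v6a"),
    (30, "in", "ip", "100"), (30, "in", "ip", "101"),
]

if __name__ == "__main__":
    for problem in check_bindings(PLAN):
        print(problem)
```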

59.2 VLAN-ACL Configuration Task List

1. Configure VLAN-ACL of IP type

2. Configure VLAN-ACL of MAC type

3. Configure VLAN-ACL of MAC-IP

4. Configure VLAN-ACL of IPv6 type

5. Show configuration and statistic information of VLAN-ACL

6. Clear statistic information of VLAN-ACL

1. Configure VLAN-ACL of IP type

Command (Global mode):

vacl ip access-group {<1-299> | WORD} {in | out} [traffic-statistic] vlan WORD

no vacl ip access-group {<1-299> | WORD} {in | out} vlan WORD

Explanation: Configure or delete IP VLAN-ACL.
