Device Security 113
Egress ACL Limitations
Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only:
• Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination port, IP DSCP, IP ToS, and IP precedence match conditions only.
• MAC ACLs are not supported in the egress direction.
• Egress ACLs only support Permit/Deny Action. Logging, mirroring and redirect action are not supported.
• Only one Egress ACL can be applied on an interface. The ACL can have multiple rules to classify flows and apply permit/deny action.
• If the Egress ACLs have overlapping rules, then there can be undesired behavior. This limitation is only applicable if the conflicting ACLs are within the same unit. The restriction is explained below:
– ACL 1: permit tcp destination port 3000; deny all
– ACL 2: drop ip source 10.1.1.1; permit all
– ACL 1 is applied on port 1 and ACL 2 is applied on port 2. Due to this limitation, all the packets egressing port 2 with Source IP 10.1.1.1 and tcp source port 3000 will be permitted even though they should be dropped.
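Because the switch does not warn about this condition, it is worth checking an egress ACL set for it before deployment. The following Python script is an added example, not the vendor's code: it models only the egress match fields the page lists (IP protocol, source/destination address, L4 ports) and the Permit/Deny actions, and reports rule pairs from different ACLs on the same unit that could match the same packet with opposite actions. The ACL names, the rule representation, the packet record and the implicit "deny" default when nothing matches are all assumptions made for the illustration; the rule contents are the two ACLs from the text above.

```python
"""Detect overlapping, conflicting rules between egress ACLs on the same unit.

Added example (not the vendor's code). It models only the egress match fields the
page lists (protocol, source/destination address, L4 ports) and the Permit/Deny
actions; the ACL names, the packet record and the rule format are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # "tcp"/"udp"; None means any IP protocol
    src: Optional[str] = None    # CIDR string; None means any source
    dst: Optional[str] = None    # CIDR string; None means any destination
    sport: Optional[int] = None  # L4 source port; None means any
    dport: Optional[int] = None  # L4 destination port; None means any

    def is_catch_all(self) -> bool:
        """True for a 'permit all' / 'deny all' rule with no match conditions."""
        return all(v is None for v in (self.proto, self.src, self.dst, self.sport, self.dport))


def _nets_overlap(a: Optional[str], b: Optional[str]) -> bool:
    # An unspecified prefix matches every address, so it overlaps anything.
    if a is None or b is None:
        return True
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def _scalars_overlap(a, b) -> bool:
    return a is None or b is None or a == b


def rules_overlap(r1: Rule, r2: Rule) -> bool:
    """True if some packet could match both rules (every field intersects)."""
    return (_scalars_overlap(r1.proto, r2.proto)
            and _nets_overlap(r1.src, r2.src)
            and _nets_overlap(r1.dst, r2.dst)
            and _scalars_overlap(r1.sport, r2.sport)
            and _scalars_overlap(r1.dport, r2.dport))


def find_conflicts(acls: Dict[str, List[Rule]]) -> List[Tuple[str, Rule, str, Rule]]:
    """Report rule pairs from *different* ACLs that overlap with opposite actions.

    Catch-all defaults are skipped: every ACL ends in one, so comparing them
    would flag every pair of ACLs and hide the specific conflicts that matter.
    """
    conflicts = []
    names = list(acls)
    for i, n1 in enumerate(names):
        for n2 in names[i + 1:]:
            for r1 in acls[n1]:
                for r2 in acls[n2]:
                    if r1.is_catch_all() or r2.is_catch_all():
                        continue
                    if r1.action != r2.action and rules_overlap(r1, r2):
                        conflicts.append((n1, r1, n2, r2))
    return conflicts


def matches(rule: Rule, pkt: dict) -> bool:
    """Evaluate one rule against a constructed packet record."""
    return ((rule.proto is None or rule.proto == pkt["proto"])
            and (rule.src is None or ip_address(pkt["src"]) in ip_network(rule.src, strict=False))
            and (rule.dst is None or ip_address(pkt["dst"]) in ip_network(rule.dst, strict=False))
            and (rule.sport is None or rule.sport == pkt["sport"])
            and (rule.dport is None or rule.dport == pkt["dport"]))


def verdict(acl: List[Rule], pkt: dict) -> str:
    """Action of the first matching rule; 'deny' when nothing matches (assumed default)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The two ACLs from the page: ACL 1 is bound to port 1, ACL 2 to port 2, same unit.
ACLS = {
    "ACL 1": [Rule("permit", proto="tcp", dport=3000), Rule("deny")],
    "ACL 2": [Rule("deny", src="10.1.1.1/32"), Rule("permit")],
}

# Constructed packet egressing port 2: it matches the deny in ACL 2 and the
# permit in ACL 1, which is exactly the overlap the limitation warns about.
PACKET = {"proto": "tcp", "src": "10.1.1.1", "dst": "192.0.2.10", "sport": 40000, "dport": 3000}

if __name__ == "__main__":
    for n1, r1, n2, r2 in find_conflicts(ACLS):
        print(f"conflict: {n1} '{r1.action}' overlaps {n2} '{r2.action}'")
    print("ACL 2 on its own would", verdict(ACLS["ACL 2"], PACKET), "the packet")
```

Run on the two ACLs above, the checker reports a single conflict (the specific permit in ACL 1 against the source-address deny in ACL 2), and `verdict` shows that ACL 2 evaluated by itself would deny the packet; the mitigation is to rewrite the two ACLs so that no specific permit in one overlaps a deny in the other, or to keep the conflicting ACLs on different units.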
MAC ACLs
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet:
• Source MAC address
• Source MAC mask
• Destination MAC address
• Destination MAC mask
• VLAN ID
• Class of Service (CoS) (802.1p)
• Ethertype
L2 ACLs can apply to one or more interfaces.
Multiple access lists can be applied to a single interface; sequence number determines the order of execution.
You can assign packets to queues using the assign queue option.
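To make the mask fields and the sequence-number ordering concrete, here is an added Python example; it is not the vendor's code. It evaluates the seven match fields listed above against constructed frames, walks the ACLs bound to one interface in ascending sequence number, and carries an assign-queue value with a permit. The mask convention (a 1 bit in the mask means "don't care", a 0 bit means "must match"), the ACL names, the frame records, the locally administered OUI `02:AA:BB` and the implicit deny when nothing matches are all assumptions; the page lists the fields but does not state the mask semantics or a CLI syntax.

```python
"""Evaluate MAC (Layer 2) ACLs with address masks, in sequence-number order.

Added example, not the vendor's code. Assumed mask convention: a 1 bit in the
mask is "don't care", a 0 bit must match. ACL names, frames and the OUI are
constructed; the implicit deny at the end is also an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EXACT = "00:00:00:00:00:00"  # mask that requires every bit to match


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(addr: str, want: str, mask: str = EXACT) -> bool:
    """Compare addr to want, ignoring bit positions set in mask (assumed convention)."""
    care = ~mac_to_int(mask) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) & care) == (mac_to_int(want) & care)


@dataclass(frozen=True)
class MacRule:
    action: str                       # "permit" or "deny"
    src: Optional[str] = None         # None means any source MAC
    src_mask: str = EXACT
    dst: Optional[str] = None         # None means any destination MAC
    dst_mask: str = EXACT
    vlan: Optional[int] = None
    cos: Optional[int] = None         # 802.1p priority, 0..7
    ethertype: Optional[int] = None
    assign_queue: Optional[int] = None  # egress queue given to matching frames

    def matches(self, frame: dict) -> bool:
        return ((self.src is None or mac_matches(frame["src"], self.src, self.src_mask))
                and (self.dst is None or mac_matches(frame["dst"], self.dst, self.dst_mask))
                and (self.vlan is None or self.vlan == frame["vlan"])
                and (self.cos is None or self.cos == frame["cos"])
                and (self.ethertype is None or self.ethertype == frame["ethertype"]))


Binding = Tuple[int, str, List[MacRule]]  # (sequence number, ACL name, rules)


def evaluate(bindings: List[Binding], frame: dict) -> Tuple[Optional[str], str, Optional[int]]:
    """Walk the ACLs bound to an interface in ascending sequence number; first match wins.

    Returns (acl_name, action, assign_queue); (None, "deny", None) if nothing matched.
    """
    for _seq, name, rules in sorted(bindings, key=lambda b: b[0]):
        for rule in rules:
            if rule.matches(frame):
                return name, rule.action, rule.assign_queue
    return None, "deny", None


# Constructed ACLs. VOICE permits CoS 5 frames from one OUI (low 24 bits wildcarded)
# and steers them to queue 6; MGMT_VLAN drops everything on VLAN 99 and permits the rest.
VOICE = [MacRule("permit", src="02:AA:BB:00:00:00", src_mask="00:00:00:FF:FF:FF",
                 cos=5, assign_queue=6)]
MGMT_VLAN = [MacRule("deny", vlan=99), MacRule("permit")]

# Both ACLs bound to the same interface; the lower sequence number is evaluated first.
BINDINGS: List[Binding] = [(20, "MGMT_VLAN", MGMT_VLAN), (10, "VOICE", VOICE)]

FRAMES = {
    "phone":   {"src": "02:AA:BB:12:34:56", "dst": "02:AA:BB:FF:00:01", "vlan": 99, "cos": 5, "ethertype": 0x0800},
    "rogue":   {"src": "02:CC:DD:12:34:56", "dst": "02:AA:BB:FF:00:01", "vlan": 99, "cos": 5, "ethertype": 0x0800},
    "user":    {"src": "02:CC:DD:00:00:01", "dst": "02:AA:BB:FF:00:02", "vlan": 10, "cos": 0, "ethertype": 0x0800},
}

if __name__ == "__main__":
    for label, frame in FRAMES.items():
        print(label, evaluate(BINDINGS, frame))
    # Swapping the sequence numbers changes the phone's verdict: MGMT_VLAN now runs first.
    print("phone, reordered:", evaluate([(5, "MGMT_VLAN", MGMT_VLAN), (10, "VOICE", VOICE)], FRAMES["phone"]))
```

The last line shows why the sequence number matters: with MGMT_VLAN evaluated before VOICE, the VLAN 99 deny catches the phone frame before the OUI-based permit can classify it, so the order in which ACLs are bound to an interface is part of the policy, not a detail.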