When you apply the ip access-group interface configuration command to a Layer 3 interface (an SVI, a Layer 3 EtherChannel, or a routed port), the interface must have been configured with an IP address. Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU. They do not affect packets bridged within a VLAN.

For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet.

For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet, the switch discards the packet.

By default, the input interface sends ICMP Unreachable messages whenever a packet is discarded, regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface. ICMP Unreachables are normally limited to no more than one every one-half second per input interface, but this can be changed by using the ip icmp rate-limit unreachable global configuration command.

When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
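
The undefined-ACL and missing-IP-address cases described above can be checked offline against a saved configuration. The following Python audit is an added example, not Cisco code; the sample configuration is constructed, and the function name audit_access_groups and the Layer 3 heuristic (an SVI name or a no switchport line) are assumptions.

```python
import re

# Constructed sample running-config (not taken from a real device).
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group 101 in
!
interface GigabitEthernet1/0/1
 no switchport
 ip address 10.0.20.1 255.255.255.0
 ip access-group MGMT-IN in
 ip access-group MISSING-OUT out
!
interface Port-channel5
 no switchport
 no ip address
 ip access-group 101 out
!
access-list 101 permit ip 10.0.10.0 0.0.0.255 any
ip access-list extended MGMT-IN
 permit tcp any any eq 22
"""

def audit_access_groups(config):
    """Return sorted (interface, issue) findings for ip access-group bindings."""
    # Numbered ACLs ("access-list 101 ...") and named ACLs ("ip access-list extended X").
    defined = set(re.findall(r"^access-list (\S+) ", config, re.M))
    defined |= set(re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M))
    findings = []
    # Each interface stanza runs from its header to the next non-indented line.
    for name, body in re.findall(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        bindings = re.findall(r"^[ \t]+ip access-group (\S+) (in|out)\s*$", body, re.M)
        for acl, direction in bindings:
            if acl not in defined:
                # Undefined ACL: the switch behaves as if nothing is applied.
                findings.append((name, f"undefined ACL {acl} ({direction}): permits all packets"))
        # Assumed heuristic: SVIs and "no switchport" ports are Layer 3 interfaces.
        layer3 = name.lower().startswith("vlan") or re.search(r"^[ \t]+no switchport\s*$", body, re.M)
        has_ip = re.search(r"^[ \t]+ip address \S+", body, re.M)  # "no ip address" does not match
        if bindings and layer3 and not has_ip:
            findings.append((name, "Layer 3 access group on interface without an IP address"))
    return sorted(findings)

if __name__ == "__main__":
    for interface, issue in audit_access_groups(SAMPLE_CONFIG):
        print(f"{interface}: {issue}")
```

Run it against a saved copy of the running configuration before and after ACL changes; a binding that survives the deletion of its ACL shows up as an undefined-ACL finding.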