ACL Binding (VLAN)

When an ACL is bound to an interface, its ACE rules are applied to packets arriving at that interface. Packets that do not match any of the ACEs in the ACL are matched to a default rule, whose action is to drop unmatched packets. Although each interface can be bound to only one ACL, multiple interfaces can be bound to the same ACL by grouping them into a policy-map, and binding that policy-map to the interface. After an ACL is bound to an interface, it cannot be edited, modified, or deleted until it is removed from all the ports to which it is bound or in use.

Note

It is possible to bind an interface (port, LAG or VLAN) to a policy or to an ACL, but they cannot be bound to both a policy and an ACL. In the same class map, a MAC ACL cannot be used with an IPv6 ACE that has a Destination IPv6 address as a filtering condition.

To bind an ACL to a VLAN, follow these steps:

Procedure

Step 1

Click Access Control > ACL Binding (VLAN).

Step 2

To edit a VLAN, select a VLAN and click Edit.

If the VLAN you require is not displayed, add a new one by clicking Add, and continue to the next step.

Step 3

Select one of the following:

MAC-Based ACL

Select a MAC-based ACL to be bound to the interface.

IPv4-Based ACL

Select an IPv4-based ACL to be bound to the interface.

IPv6-Based ACL

Select an IPv6-based ACL to be bound to the interface.

Default Action

Select one of the following options:

  • Deny Any—If the packet doesn’t match any ACE in the ACL, it’s denied (dropped).

  • Permit Any—If the packet doesn’t match any ACE in the ACL, it’s permitted (forwarded).

Note

Default Action can be defined only if IP Source Guard isn’t activated on the interface.

Step 4

To copy an existing VLAN, click Copy (copy icon). If you wish to delete a VLAN from the Binding Table, click Delete.

Step 5

Click Apply. The ACL binding is modified, and the Running Configuration file is updated.
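As an added illustration, not part of the Cisco documentation, the following Python model captures the binding semantics described above: ACEs are evaluated in order and the first match wins, unmatched packets fall through to the Deny Any or Permit Any default, a VLAN can hold only one ACL binding, and a bound ACL cannot be edited until it is unbound from every VLAN. The class and method names (Ace, Acl, BindingTable) are assumptions for the model.

```python
# Added example (not Cisco's code): a model of one-ACL-per-VLAN binding,
# first-match ACE evaluation, and the Deny Any / Permit Any default action.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Ace:
    """One access-control entry: an IPv4 source prefix and a verdict."""
    src: str
    action: str  # "permit" or "deny"

    def matches(self, src_ip: str) -> bool:
        return ip_address(src_ip) in ip_network(self.src)


@dataclass
class Acl:
    name: str
    aces: list = field(default_factory=list)
    bound_to: set = field(default_factory=set)  # VLAN IDs currently bound

    def add_ace(self, ace: Ace) -> None:
        # A bound ACL cannot be edited until it is removed from all bindings.
        if self.bound_to:
            raise RuntimeError(
                f"{self.name} is bound to VLANs {sorted(self.bound_to)}")
        self.aces.append(ace)


class BindingTable:
    def __init__(self) -> None:
        self._bindings = {}  # vlan_id -> (acl, default_action)

    def bind(self, vlan_id: int, acl: Acl, default_action: str = "deny") -> None:
        # Each interface (here a VLAN) can be bound to only one ACL.
        if vlan_id in self._bindings:
            raise ValueError(f"VLAN {vlan_id} already has an ACL bound")
        self._bindings[vlan_id] = (acl, default_action)
        acl.bound_to.add(vlan_id)

    def unbind(self, vlan_id: int) -> None:
        acl, _ = self._bindings.pop(vlan_id)
        acl.bound_to.discard(vlan_id)

    def evaluate(self, vlan_id: int, src_ip: str) -> str:
        acl, default_action = self._bindings[vlan_id]
        for ace in acl.aces:  # first matching ACE decides
            if ace.matches(src_ip):
                return ace.action
        return default_action  # Deny Any unless Permit Any was selected
```

Note that the order of ACEs matters: a broad permit placed before a narrower deny makes the deny unreachable, which is the same mistake an operator can make in the ACL editor.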