Why does the ACL rule not take effect on the broadcast and unknown unicast in the outbound direction of the port?
An ACL rule configured on the upstream ports, or on the boards in the slots, takes effect in the inbound direction of the ports. In the outbound direction, however, the ACL rule does not take effect on broadcast and unknown unicast traffic. Consider the following configuration:
MA5600T(config-acl-link-4000)# rule 1 deny source 1234-5678-1234 ffff-ffff-ffff //for a certain
MA5600T(config)#packet-filter outbound link-group 4000 rule 1 port 0/5/0
Here, although ACL4000 rule 1 is applied in the outbound direction of port 0/5/0, the command that applies the rule is also issued to all inbound ports. The only difference is that the ID of outbound port 0/5/0 is added to the fields used to identify the packets. That is, the inbound ports identify packets by two conditions: the fields defined in ACL4000 rule 1, and the ID of the outbound port to which the rule was issued. The packet-filter command is executed only on packets that meet both conditions.

For broadcast and unknown unicast packets only the first condition can be matched, so the ACL rule does not take effect on them in the outbound direction of the port. The reason is as follows: even though the ACL rule is issued to the outbound port and to all inbound ports, the LAN switch cannot determine at the inbound port which outbound port a broadcast or unknown unicast packet will be transmitted from, because the hardware does not forward such packets to a single known port. The outbound port ID therefore never matches, and the packet-filter command fails for this traffic.
For broadcast and unknown unicast traffic, the ACL rule should instead be issued in the inbound direction of the port.
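The mechanism described above, as an added illustration in Python that is not Huawei code and not part of the original page: a toy LAN switch that evaluates every ACL at ingress and, for a rule applied outbound, uses the resolved egress port ID as the extra match field. The port names, the MAC table entries and the source MAC values are constructed sample values.

```python
from dataclasses import dataclass

BROADCAST = "ffff-ffff-ffff"

@dataclass(frozen=True)
class Rule:
    source_mac: str   # constructed sample MAC in xxxx-xxxx-xxxx notation
    direction: str    # "inbound" or "outbound", as in the packet-filter command
    port: str         # port the rule was applied to, e.g. "0/5/0"

class LanSwitch:
    def __init__(self, ports, mac_table):
        self.ports = ports            # all ports on the switch
        self.mac_table = mac_table    # learned dst MAC -> single egress port
        self.rules = []

    def packet_filter(self, rule):
        # Every rule is installed on the ingress pipeline; an "outbound" rule
        # simply carries its egress port ID as one more field to match.
        self.rules.append(rule)

    def resolve_egress(self, dst_mac):
        # Only a learned unicast destination yields a single egress port;
        # broadcast and unknown unicast are flooded, so no port ID is known.
        if dst_mac == BROADCAST:
            return None
        return self.mac_table.get(dst_mac)

    def forward(self, in_port, src_mac, dst_mac):
        """Return the ports the frame leaves on; [] means the ACL denied it."""
        egress = self.resolve_egress(dst_mac)
        for r in self.rules:
            if r.source_mac != src_mac:
                continue          # first condition: ACL fields do not match
            if r.direction == "inbound" and r.port == in_port:
                return []         # inbound rule matches on the ingress port
            if r.direction == "outbound" and egress == r.port:
                return []         # second condition: egress port ID matches
        if egress is None:
            return [p for p in self.ports if p != in_port]   # flood
        return [egress]

def outbound_vs_inbound_demo():
    ports, table = ["0/2/0", "0/2/1", "0/5/0"], {"aaaa-bbbb-cccc": "0/5/0"}
    out_sw, in_sw = LanSwitch(ports, table), LanSwitch(ports, table)
    out_sw.packet_filter(Rule("1234-5678-1234", "outbound", "0/5/0"))
    in_sw.packet_filter(Rule("1234-5678-1234", "inbound", "0/2/0"))
    return (out_sw.forward("0/2/0", "1234-5678-1234", BROADCAST),
            in_sw.forward("0/2/0", "1234-5678-1234", BROADCAST))
```

The demo shows the same deny rule letting a broadcast through when applied outbound on 0/5/0 but dropping it when applied inbound on the ingress port, while a known unicast frame is denied in both cases.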