112 Device Security
Ingress ACLs support Flow-based Mirroring and ACL Logging, which have the following characteristics:
• Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical
port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based
mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is
forwarded normally through the device. You cannot configure a given ACL rule with mirror and
redirect attributes.
• ACL Logging provides a means for counting the number of "hits" against an ACL rule. When you
configure ACL Logging, you augment the ACL deny rule specification with a "log" parameter that
enables hardware hit-count collection and reporting. The switch uses a fixed five-minute logging
interval; at the end of each interval, trap log entries are written for every ACL logging rule that
accumulated a non-zero hit count during that interval. You cannot configure the logging interval.
Using ACLs to mirror traffic is called flow-based mirroring since the traffic flow is defined by the ACL
classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific
interface is replicated on another interface.
You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP
ACLs operate on Layers 3 and 4.
Limitations
The following limitations apply to ingress and egress ACLs.
• Maximum of 100 ACLs.
• Maximum of 127 rules per ACL.
• You can configure mirror or redirect attributes for a given ACL rule, but not both.
• The PowerConnect 6200 Series switch supports a limited number of counter resources, so it may not
be possible to log every ACL rule. You can define an ACL with any number of logging rules, but the
number of rules that are actually logged cannot be determined until the ACL is applied to an interface.
Furthermore, hardware counters that become available after an ACL is applied are not retroactively
assigned to rules that were unable to be logged (the ACL must be un-applied then re-applied). Rules
that are unable to be logged are still active in the ACL for purposes of permitting or denying a
matching packet.
• The order of the rules is important: when a packet matches multiple rules, the first rule takes
precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the
ACL is denied access.
NOTE: Although the maximum number of ACLs is 100, and the maximum number of rules per ACL is 127, the system
cannot support 100 ACLs that each have 127 rules.
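The rule semantics described above (first match wins, implicit deny once an ACL is bound to a port, mirror and redirect being mutually exclusive, and hit counters handed out only while hardware counter resources last) can be checked against a small model. This is an added illustration, not switch code or CLI syntax from the guide; the Rule/Acl names, the per-source-prefix matching and the counter budget are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # source prefix to match, e.g. "10.0.0.0/8" (assumed)
    log: bool = False                # "log" parameter; the guide describes it on deny rules
    mirror: Optional[str] = None     # mirror destination port/LAG (a copy of permitted traffic)
    redirect: Optional[str] = None   # redirect destination; cannot be combined with mirror
    counter: bool = False            # hardware hit counter actually granted at apply time
    hits: int = 0

    def __post_init__(self):
        if self.mirror and self.redirect:
            raise ValueError("mirror and redirect cannot both be set on one rule")

class Acl:
    MAX_RULES = 127

    def __init__(self, rules):
        if len(rules) > self.MAX_RULES:
            raise ValueError(f"ACL exceeds {self.MAX_RULES} rules")
        self.rules = list(rules)

    def apply(self, counter_budget):
        """Bind to an interface: counters go to logging rules in order until the budget is gone."""
        for r in self.rules:
            if r.log and r.action == "deny" and counter_budget > 0:
                r.counter, counter_budget = True, counter_budget - 1
        return sum(r.counter for r in self.rules)   # how many rules will really be logged

    def classify(self, src_ip):
        """First matching rule wins; a packet matching no rule is implicitly denied."""
        for r in self.rules:
            if ip_address(src_ip) in ip_network(r.src):
                if r.counter:            # rules without a counter still permit/deny, unlogged
                    r.hits += 1
                return r.action, r.mirror, r.redirect
        return "deny", None, None

    def interval_report(self):
        """Logged rules with a non-zero count, as the interval trap log would carry them."""
        report = {i: r.hits for i, r in enumerate(self.rules) if r.counter and r.hits}
        for r in self.rules:             # counts modelled as per-interval (assumption)
            r.hits = 0
        return report
```

Rules that end up without a counter in apply() are exactly the ones the Limitations section says cannot be logged until the ACL is un-applied and re-applied with more counters free.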