Dell FCX624-I Laptop User Manual


PowerConnect B-Series FCX Configuration Guide, 53-1002266-01, page 551
16 Configuring standard numbered ACLs
NOTE
• PowerConnect B-Series FCX devices do not support ACLs on Group VEs, even though the CLI contains commands for this action.
• ACLs apply to all traffic, including management traffic.
• The number of ACLs supported per device is listed in Table 92.
• Hardware-based ACLs support only one ACL per port. The ACL can, of course, contain multiple entries (rules). For example, hardware-based ACLs do not support ACLs 101 and 102 on port 1, but they do support ACL 101 containing multiple entries.
• ACLs are affected by port regions. Each ACL group must contain one entry for the implicit "deny all IP traffic" clause. Also, each ACL group uses a multiple of 8 ACL entries. For example, if all ACL groups contain 5 ACL entries (6 with the implicit deny, rounded up to 8), you could add 127 ACL groups (1016/8) in that port region. If all your ACL groups contain 8 ACL entries, you could add only 63 ACL groups, since you must account for the implicit deny entry (9 entries, rounded up to 16; 1016/16 = 63).
• By default, the first fragment of a fragmented packet received by the Dell PowerConnect device is permitted or denied using the ACLs, but subsequent fragments of the same packet are forwarded in hardware. Generally, denying the first fragment of a packet is sufficient, since a transaction cannot be completed without the entire packet.
• ACLs are supported on member ports of a VLAN on which DHCP snooping and Dynamic ARP Inspection (DAI) are enabled. Also, IP source guard and ACLs are supported together on the same port, as long as both features are configured at the port level or at the per-port-per-VLAN level. Dell PowerConnect ports do not support IP source guard and ACLs on the same port if one is configured at the port level and the other at the per-port-per-VLAN level.
• The following ACL features and options are not supported on the PowerConnect devices:
  - Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.
  - ACL logging of permitted packets: ACL logging is supported for packets that are sent to the CPU for processing (denied packets). ACL logging is not supported for packets that are processed in hardware (permitted packets).
  - Flow-based ACLs
  - Layer 2 ACLs
• You can apply an ACL to a port that has TCP SYN protection or ICMP smurf protection, or both, enabled.
Configuring standard numbered ACLs
This section describes how to configure standard numbered ACLs with numeric IDs and provides configuration examples.

Standard ACLs permit or deny packets based on source IP address. You can configure up to 99 standard numbered ACLs. There is no limit to the number of ACL entries an ACL can contain except for the system-wide limitation. For the number of ACL entries supported on a device, refer to "ACL IDs and entries" on page 548.
Standard numbered ACL syntax
Syntax: [no] access-list <ACL-num> deny | permit <source-ip> | <hostname> <wildcard> [log]
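The port-region arithmetic in the note above (one implicit deny entry per group, allocation in blocks of 8, 1016 entries per region, one ACL per port) is easy to get wrong when planning a deployment. The following planning aid is an added example and not code from the guide or from Dell: it renders standard numbered ACL rules in the syntax shown above, computes the hardware entries each ACL really occupies, and checks whether a set of bindings fits in a region. The PortRegion class, the port names, and the assumption that every binding consumes its own block of entries are constructed for this example; they are not the device's own allocator or CLI.

```python
"""Planning aid for hardware ACLs in one PowerConnect B-Series FCX port region.

Constraints modelled here are the ones the configuration guide states:
  * standard numbered ACLs use IDs 1-99 and match on source IP plus wildcard mask
  * hardware ACLs allow one ACL per port (the ACL may hold many entries)
  * every ACL group carries one extra entry for the implicit "deny all IP" clause
  * each ACL group consumes hardware entries in multiples of 8
  * a port region holds 1016 entries (the guide's 1016/8 = 127 groups example)
  * ACL logging works only for denied (CPU-processed) packets, not permitted ones
The PortRegion class and the port names are constructed for this example (assumption:
each binding consumes its own entries); they are not the device's own allocator or CLI.
"""
from __future__ import annotations

import ipaddress
import math
import warnings
from dataclasses import dataclass, field

REGION_ENTRIES = 1016              # hardware entries per port region (from the guide)
GROUP_GRANULARITY = 8              # ACL groups are allocated in blocks of 8 entries
STANDARD_ACL_IDS = range(1, 100)   # standard numbered ACLs: IDs 1-99


def hardware_entries(rule_count: int) -> int:
    """Entries an ACL with `rule_count` configured rules actually occupies in hardware."""
    if rule_count < 0:
        raise ValueError("rule count cannot be negative")
    with_implicit_deny = rule_count + 1            # implicit deny-all-IP clause
    return math.ceil(with_implicit_deny / GROUP_GRANULARITY) * GROUP_GRANULARITY


def max_groups(rule_count: int) -> int:
    """How many ACL groups of `rule_count` rules each fit in one port region."""
    return REGION_ENTRIES // hardware_entries(rule_count)


@dataclass
class StandardAcl:
    """One standard numbered ACL: access-list <num> deny|permit <source-ip> <wildcard> [log]."""
    number: int
    rules: list[tuple[str, str, str, bool]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.number not in STANDARD_ACL_IDS:
            raise ValueError(f"standard numbered ACL IDs are 1-99, got {self.number}")

    def add(self, action: str, source: str, wildcard: str = "0.0.0.0",
            log: bool = False) -> "StandardAcl":
        """Append a rule; rules are evaluated in the order they were added."""
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {action!r}")
        ipaddress.IPv4Address(source)      # raises on a malformed address
        ipaddress.IPv4Address(wildcard)    # wildcard mask: 1 bits are "don't care"
        if log and action == "permit":
            warnings.warn("ACL logging covers only denied packets on this platform; "
                          "'log' on a permit rule produces no log entries")
        self.rules.append((action, source, wildcard, log))
        return self

    def hardware_entries(self) -> int:
        return hardware_entries(len(self.rules))

    def cli(self) -> list[str]:
        """Render the rules as CLI lines in the syntax from the guide."""
        lines = []
        for action, source, wildcard, log in self.rules:
            line = f"access-list {self.number} {action} {source} {wildcard}"
            if log:
                line += " log"
            lines.append(line)
        return lines


class PortRegion:
    """Tracks ACL bindings in one port region (constructed planning model, not device code)."""

    def __init__(self, capacity: int = REGION_ENTRIES) -> None:
        self.capacity = capacity
        self.bindings: dict[str, StandardAcl] = {}

    def used(self) -> int:
        return sum(acl.hardware_entries() for acl in self.bindings.values())

    def free(self) -> int:
        return self.capacity - self.used()

    def bind(self, port: str, acl: StandardAcl) -> None:
        """Bind `acl` to `port`, enforcing one ACL per port and the region's entry budget."""
        if port in self.bindings:
            raise ValueError(f"port {port} already carries ACL {self.bindings[port].number}; "
                             "hardware ACLs allow only one ACL per port")
        if acl.hardware_entries() > self.free():
            raise ValueError(f"ACL {acl.number} needs {acl.hardware_entries()} entries, "
                             f"only {self.free()} left in this port region")
        self.bindings[port] = acl


if __name__ == "__main__":
    # Constructed sample: permit one management subnet, log everything else that is denied.
    mgmt = (StandardAcl(10)
            .add("permit", "10.20.30.0", "0.0.0.255")
            .add("deny", "0.0.0.0", "255.255.255.255", log=True))
    region = PortRegion()
    region.bind("1/1/1", mgmt)   # port name is a constructed example value
    print("\n".join(mgmt.cli()))
    print(f"{mgmt.hardware_entries()} entries per binding, {region.used()}/{region.capacity} used")
    for n in (5, 8):
        print(f"{n}-rule groups: {max_groups(n)} per region")
```

Running the block reproduces the guide's figures (127 groups of 5 rules, 63 groups of 8) and shows why a 7-rule ACL is "free" compared with an 8-rule one: the implicit deny pushes the eighth rule into a second block of 8. The explicit trailing `deny ... log` rule is the only way to get log entries for dropped traffic, since the platform logs denied packets only.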