Filter
Top Products
C
ONFIGURING
THE
S
WITCH
3-60
Access Control Lists
Access Control Lists (ACL) provide packet filtering for IP frames (based
on address, protocol, Layer 4 protocol port number or TCP control code)
or any frames (based on MAC address or Ethernet type). To filter
incoming packets, first create an access list, add the required rules, specify
a mask to modify the precedence in which the rules are checked, and then
bind the list to a specific port.
Configuring Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP
addresses, MAC addresses, or other more specific criteria. This switch tests
ingress or egress packets against the conditions in an ACL one by one. A
packet will be accepted as soon as it matches a permit rule, or dropped as
soon as it matches a deny rule. If no rules match for a list of all permit
rules, the packet is dropped; and if no rules match for a list of all deny
rules, the packet is accepted.
Command Usage
The following restrictions apply to ACLs:
• Each ACL can have up to 32 rules.
• The maximum number of ACLs is also 32.
• However, due to resource restrictions, the average number of rules
bound to the ports should not exceed 20.
• You must configure a mask for an ACL rule before you can bind it to
a port or set the queue or frame priorities associated with the rule.
• When an ACL is bound to an interface as an egress filter, all entries in
the ACL must be deny rules. Otherwise, the bind operation will fail.
• The switch does not support the explicit “deny any any” rule for the
egress IP ACL or the egress MAC ACLs. If these rules are included in
ACL, and you attempt to bind the ACL to an interface for egress
checking, the bind operation will fail.