37.4 ACL Troubleshooting – QTECH QSW-2800 Configuration Guide (User Manual)


+7(495) 797-3311 www.qtech.ru
Moscow, Novozavodskaya st., 18, bldg. 1


37.4 ACL Troubleshooting

Checking for entries in the ACL is done in a top-down order and ends whenever an entry is matched.

The default rule is used only if no ACL is bound to the incoming direction of the port, or no ACL entry is matched. Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL (via physical interface mode or VLAN interface mode).

When four ACLs are bound and a packet matches several ACLs at the same time, the priority relations are as follows, from highest to lowest. If the priority is the same, the ACL configured first has the higher priority.

Ingress IPv6 ACL
Ingress MAC-IP ACL
Ingress IP ACL
Ingress MAC ACL

The number of ACLs that can be successfully bound depends on the content of the ACLs bound and the hardware resource limit. Users will be prompted if an ACL cannot be bound due to the hardware resource limitation.

If an access-list contains the same filtering information but conflicting action rules, binding to the port will fail with an error message. For instance, configuring “permit tcp any any-destination” and “deny tcp any any-destination” at the same time is not permitted.
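The matching and binding rules in the paragraphs above, modelled as an added Python example (not the manual's or the switch's own code); the entry and packet field names, and the sample values used in comments, are assumptions:

```python
# Model of the QSW-2800 ingress ACL evaluation described above: first match
# top-down within one ACL, fixed priority across the four ACL types, default
# rule otherwise, plus the bind-time check rejecting equal filters with
# conflicting actions. Added illustration, not the switch's code; entry and
# packet field names are assumptions.

ACL_PRIORITY = ("ipv6", "mac-ip", "ip", "mac")  # manual's order, highest first

class Entry:
    def __init__(self, action, **match):
        self.action = action  # "permit" or "deny"
        self.match = match    # fields that must be equal; "any" is a wildcard

    def matches(self, packet):
        return all(v == "any" or packet.get(k) == v for k, v in self.match.items())

    def filter_key(self):
        return tuple(sorted(self.match.items()))  # filter without its action

def first_match(entries, packet):
    """Top-down search of a single ACL; stops at the first matching entry."""
    for entry in entries:
        if entry.matches(packet):
            return entry
    return None

def bind_conflict(entries):
    """Return the first filter that appears with two different actions (for
    example 'permit tcp any any' beside 'deny tcp any any'), else None.
    The switch refuses to bind such an ACL to a port."""
    seen = {}
    for entry in entries:
        key = entry.filter_key()
        if seen.get(key, entry.action) != entry.action:
            return dict(key)
        seen[key] = entry.action
    return None

def evaluate(bound, packet, default="permit"):
    """bound maps ACL type -> entry list for one ingress port.
    Returns the action the port applies to the packet."""
    for acl_type in ACL_PRIORITY:  # higher-priority ACL type wins
        hit = first_match(bound.get(acl_type, []), packet)
        if hit is not None:        # first match ends the search
            return hit.action
    return default                 # no ACL bound, or no entry matched
```

Note that a permit in a higher-priority ACL type (for example the IP ACL) overrides a deny in a lower-priority one (the MAC ACL), which is the behaviour the priority list above implies.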
Viruses such as “worm.blaster” can be blocked by configuring an ACL to block specific ICMP packets or packets to specific TCP or UDP ports.

If the physical mode of an interface is TRUNK, an ACL can only be configured through physical interface mode.

An ACL configured in physical mode can only be disabled in physical mode. Those configured in VLAN interface configuration mode can only be disabled in VLAN interface mode.

When a physical interface is added into or removed from a VLAN (with trunk interfaces as exceptions), the ACL configured in the corresponding VLAN will be bound or unbound respectively. If the ACL configured in the target VLAN (configured in VLAN interface mode) conflicts with the existing ACL configuration on the interface (configured in physical interface mode), the configuration will fail to take effect.

When no physical interfaces are configured in the VLAN, the ACL configuration of the VLAN will be removed, and it cannot be recovered if new interfaces are added to the VLAN later.

When the interface mode is changed from access mode to trunk mode, the ACL configured in VLAN interface mode that is bound to the physical interface will be removed. When the interface mode is changed from trunk mode to access mode, the ACL configured in VLAN1 interface mode will be bound to the physical interface. If the binding fails, the mode change will fail as well.
