4 acl troubleshooting, Roubleshooting – QTECH QSW-3400 Инструкция по настройке User Manual

+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1

317

Switch (config)#show access-group interface vlan 100
Interface VLAN 100:
Ethernet1/1: IP Ingress access-list used is 1, traffic-statistics
Disable.
Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics
Disable.
Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics
Disable.
Ethernet1/7: IP Ingress access-list used is 1, traffic-statistics
Disable.

39.4 ACL Troubleshooting



Checking for entries in the ACL is done in a top-down order and ends whenever an

entry is matched.



Default rule will be used only if no ACL is bound to the incoming direction of the port, or

no ACL entry is matched.Each ingress port can bind one MAC-IP ACL, one IP ACL,

one MAC ACL, one IPv6 ACL (via the physical interface mode or Vlan interface mode).



When binding four ACL and packet matching several ACL at the same time, the priority

relations are as follows in a top-down order. If the priority is same, then the priority of

configuration at first is higher.



Ingress IPv6 ACL



Ingress MAC-IP ACL



Ingress IP ACL



Ingress MAC ACL



The number of ACLs that can be successfully bound depends on the content of the

ACL bound and the hardware resource limit. Users will be prompted if an ACL cannot

be bound due to hardware resource limitation.



If an access-list contains same filtering information but conflicting action rules, binding

to the port will fail with an error message. For instance, configur

ing “permit tcp any any-

destination” and “deny tcp any any-destination” at the same time is not permitted.



Viruses such as “worm.blaster” can be blocked by configuring ACL to block specific

ICMP packets or specific TCP or UDP port packet.



If the physical mode of an interface is TRUNK, ACL can only be configured through

physical interface mode.