4 acl troubleshooting, Roubleshooting – PLANET WGSW-50040 User Manual

24-22

Ethernet1/1: IP Ingress access-list used is 1, traffic-statistics Disable.

Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics Disable.

Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics Disable.

Ethernet1/7: IP Ingress access-list used is 1, traffic-statistics Disable.

24.4 ACL Troubleshooting



Checking for entries in the ACL is done in a top-down order and ends whenever an entry is matched.



Default rule will be used only if no ACL is bound to the incoming direction of the port, or no ACL entry is

matched.



Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL, one IPv6 ACL (via the

physical interface mode or Vlan interface mode).



When binding four ACL and packet matching several ACL at the same time, the priority relations are as

follows in a top-down order. If the priority is same, then the priority of configuration at first is higher.

 Ingress IPv6 ACL
 Ingress MAC-IP ACL
 Ingress IP ACL
 Ingress MAC ACL



The number of ACLs that can be successfully bound depends on the content of the ACL bound and the

hardware resource limit. Users will be prompted if an ACL cannot be bound due to hardware resource

limitation.



If an access-list contains same filtering information but conflicting action rules, binding to the port will

fail with an error message. For instance, configuring “permit tcp any any-destination” and “deny tcp any

any-destination” at the same time is not permitted.



Viruses such as “worm.blaster” can be blocked by configuring ACL to block specific ICMP packets or

specific TCP or UDP port packet.



If the physical mode of an interface is TRUNK, ACL can only be configured through physical interface

mode.



ACL configured in the physical mode can only be disabled in the physical mode. Those configured in

the VLAN interface configuration mode can only be disabled in the VLAN interface mode.



When a physical interface is added into or removed from a VLAN (with the trunk interfaces as

exceptions), ACL configured in the corresponding VLAN will be bound or unbound respectively. If ACL

configured in the target VLAN, which is configured in VLAN interface mode, conflicts with existing ACL

configuration on the interface, which is configured in physical interface mode, the configuration will fail

to effect.



When no physical interfaces are configured in the VLAN, the ACL configuration of the VLAN will be

removed. And it can not recover if new interfaces are added to the VLAN.



When the interface mode is changed from access mode to trunk mode, the ACL configured in VLAN

interface mode which is bound to physical interface will be removed. And when the interface mode is

changed from trunk mode to access mode, ACL configured in VLAN1 interface mode will be bound to

the physical interface. If binding fails, the changing will fail either.



When removing a VLAN configuration, if there are any ACLs bound to the VLAN, the ACL will be