4 acl troubleshooting, Roubleshooting – PLANET WGSW-52040 User Manual

41.4 ACL Troubleshooting



Checking for entries in the ACL is done in a top-down order and ends whenever an entry

is matched.



Default rule will be used only if no ACL is bound to the incoming direction of the port, or

no ACL entry is matched.Each ingress port can bind one MAC-IP ACL, one IP ACL, one

MAC ACL, one IPv6 ACL (via the physical interface mode or Vlan interface mode).



When binding four ACL and packet matching several ACL at the same time, the priority

relations are as follows in a top-down order. If the priority is same, then the priority of

configuration at first is higher.



Ingress IPv6

ACL



Ingress MAC-IP

ACL



Ingress IP

ACL



Ingress MAC

ACL



The number of ACLs that can be successfully bound depends on the content of the ACL

bound and the hardware resource limit. Users will be prompted if an ACL cannot be

bound due to hardware resource limitation.



If an access-list contains same filtering information but conflicting action rules, binding to

the port will fail with an error message. For instance, configuring “permit tcp any

any-destination” and “deny tcp any any-destination” at the same time is not permitted.



Viruses such as “worm.blaster” can be blocked by configuring ACL to block specific ICMP

packets or specific TCP or UDP port packet.



If the physical mode of an interface is TRUNK, ACL can only be configured through

physical interface mode.



ACL configured in the physical mode can only be disabled in the physical mode. Those

configured in the VLAN interface configuration mode can only be disabled in the VLAN

interface mode.



When a physical interface is added into or removed from a VLAN (with the trunk

interfaces as exceptions), ACL configured in the corresponding VLAN will be bound or

unbound respectively. If ACL configured in the target VLAN, which is configured in VLAN

interface mode, conflicts with existing ACL configuration on the interface, which is

configured in physical interface mode, the configuration will fail to effect.



When no physical interfaces are configured in the VLAN, the ACL configuration of the

VLAN will be removed. And it can not recover if new interfaces are added to the VLAN.



When the interface mode is changed from access mode to trunk mode, the ACL

configured in VLAN interface mode which is bound to physical interface will be removed.

And when the interface mode is changed from trunk mode to access mode, ACL

configured in VLAN1 interface mode will be bound to the physical interface. If binding

41-133