46.4 ACL Troubleshooting – PLANET XGS3-24040 User Manual

Chapter 46 ACL Configuration

The configuration steps are listed below.

Switch (config)#firewall enable
Switch (config)#vlan 100
Switch (Config-Vlan100)#switchport interface ethernet 1/1;2;5;7
Switch (Config-Vlan100)#exit
Switch (config)#access-list 1 deny host-source 192.168.0.1
Switch (config)#interface vlan 100
Switch (Config-if-Vlan100)#ip access-group 1 in
Switch (Config-if-Vlan100)#exit

Configuration result:

Switch (config)#show access-group interface vlan 100
Interface VLAN 100:
Ethernet1/1: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/7: IP Ingress access-list used is 1, traffic-statistics Disable.

46.4 ACL Troubleshooting

ACL entries are checked in top-down order, and the check stops at the first entry that matches. The default rule is applied only if no ACL is bound to the ingress direction of the port, or if no entry of the bound ACL matches the packet.

Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL (bound in physical interface mode or in VLAN interface mode).

When four ACLs are bound and a packet matches several of them at the same time, they take precedence in the following order, highest first. If the priority is the same, the ACL configured first takes precedence.

- Ingress IPv6 ACL
- Ingress MAC-IP ACL
- Ingress IP ACL
- Ingress MAC ACL

The number of ACLs that can be successfully bound depends on the content of the ACLs being bound and on the hardware resource limit. The user is prompted if an ACL cannot be bound because of the hardware resource limitation.

If an access-list contains entries with the same filtering information but conflicting actions, binding it to the port fails with an error message. For instance, configuring “permit tcp any any-destination” and “deny tcp any any-destination” in the same list at the same time is not permitted.

Worms such as Blaster (“worm.blaster”) can be blocked by configuring an ACL that denies the specific ICMP packets, or the specific TCP or UDP port packets, that the worm uses to spread.
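The following model ties together the lookup behaviour described above: top-down first-match evaluation with the default rule, the precedence among the four ACL types bound to one ingress port (with the configured-first tiebreak), the bind-time rejection of a list that repeats a filter with conflicting actions, and a port-based deny of the kind used against Blaster. It is an added illustration written for this page, not PLANET firmware or CLI code; the Rule/Acl/IngressPort classes, the rule field names, the TCP/135 rule and the sample packets are all constructed for the example.

```python
"""Model of the ACL lookup semantics described in 46.4.

Added illustration, not PLANET firmware code. It models top-down first-match
evaluation with a default rule, the fixed precedence among the four ACL types
bound to one ingress port (IPv6 > MAC-IP > IP > MAC, ties by bind order), and
the bind-time rejection of a list that repeats a filter with conflicting
actions. Rule fields, the port model and the sample packets are constructed.
"""

# Precedence of the four ingress ACL types, highest first (from the manual).
TYPE_PRIORITY = {"ipv6": 0, "mac-ip": 1, "ip": 2, "mac": 3}


class Rule:
    """One access-list entry: an action plus the header fields it matches."""

    def __init__(self, action, **fields):
        assert action in ("permit", "deny")
        self.action = action
        self.fields = fields          # e.g. proto="tcp", dport=135; empty = any

    def filter_key(self):
        # The "filtering information" of the entry, independent of its action.
        return tuple(sorted(self.fields.items()))

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.fields.items())


class Acl:
    def __init__(self, acl_type, rules):
        assert acl_type in TYPE_PRIORITY
        self.acl_type = acl_type
        self.rules = list(rules)

    def lookup(self, pkt):
        """Top-down search; the first matching entry ends the check."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return None                   # no entry matched


def check_bindable(acl):
    """Reject a list whose entries repeat a filter with conflicting actions."""
    seen = {}
    for rule in acl.rules:
        first_action = seen.setdefault(rule.filter_key(), rule.action)
        if first_action != rule.action:
            raise ValueError(f"conflicting actions for filter {rule.filter_key()}")
    return True


class IngressPort:
    def __init__(self, default_action="permit"):
        self.default_action = default_action
        self.bound = []               # (bind order, Acl), one Acl per type

    def bind(self, acl):
        if any(a.acl_type == acl.acl_type for _, a in self.bound):
            raise ValueError(f"a {acl.acl_type} ACL is already bound")
        check_bindable(acl)
        self.bound.append((len(self.bound), acl))

    def classify(self, pkt):
        # Every bound list is consulted; the verdict of the highest-precedence
        # type that matched wins, earlier bind breaking ties. With no match at
        # all (or nothing bound) the default rule applies.
        verdicts = [(TYPE_PRIORITY[acl.acl_type], order, verdict)
                    for order, acl in self.bound
                    if (verdict := acl.lookup(pkt)) is not None]
        return min(verdicts)[2] if verdicts else self.default_action


def demo():
    """Constructed packets classified by an IP ACL and a MAC ACL on one port."""
    port = IngressPort(default_action="deny")
    port.bind(Acl("ip", [
        Rule("deny", src="192.168.0.1"),        # the manual's host-source deny
        Rule("deny", proto="tcp", dport=135),   # constructed: RPC port Blaster spread on
        Rule("permit", proto="tcp"),
    ]))
    # A MAC ACL that permits the denied host: loses to the IP ACL on precedence.
    port.bind(Acl("mac", [Rule("permit", smac="00:11:22:33:44:55")]))
    base = {"smac": "00:11:22:33:44:55", "dst": "10.0.0.9"}
    pkts = {
        "blocked host": dict(base, src="192.168.0.1", proto="tcp", dport=80),
        "rpc to 135":   dict(base, src="192.168.0.2", proto="tcp", dport=135),
        "plain http":   dict(base, src="192.168.0.2", proto="tcp", dport=80),
        "udp no match": dict(base, smac="aa:bb:cc:dd:ee:ff", src="192.168.0.2",
                             proto="udp", dport=53),
    }
    return {name: port.classify(p) for name, p in pkts.items()}


def conflict_rejected():
    """A list holding permit and deny with the same filter cannot be bound."""
    bad = Acl("ip", [Rule("permit", proto="tcp"), Rule("deny", proto="tcp")])
    try:
        IngressPort().bind(bad)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} -> {verdict}")
    print("conflicting list rejected:", conflict_rejected())
```

In demo() the host 192.168.0.1 is denied even though the MAC ACL permits it, because the IP ACL type ranks above the MAC ACL type; the UDP packet matches no entry in either list and so falls through to the port's default rule. On the real switch the bind of the conflicting list is refused with an error message rather than a Python exception.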

If the physical mode of an interface is TRUNK, an ACL can only be configured on it through physical interface mode.

An ACL configured in physical interface mode can only be disabled in physical interface mode. Those configured in