51.4 ACL Troubleshooting – PLANET XGS3-24042 User Manual

Page 513


IPv6 Ingress access-list used is 600, traffic-statistics Disable.

Scenario 5:

The configuration requirement is as follows: interfaces 1, 2, 5 and 7 belong to vlan100. Hosts with 192.168.0.1 as their IP address should be prevented from accessing the listed interfaces.

Configuration description:

1. Create the corresponding access list.

2. Configure datagram filtering.

3. Bind the ACL to the related interface.

The configuration steps are listed below.

Switch (config)#firewall enable

Switch (config)#vlan 100

Switch (Config-Vlan100)#switchport interface ethernet 1/0/1;2;5;7

Switch (Config-Vlan100)#exit

Switch (config)#access-list 1 deny host-source 192.168.0.1

Switch (config)#interface ethernet1/0/1;2;5;7

Switch (config-if-port-range)#ip access-group 1 in

Switch (Config-if-Vlan100)#exit

Configuration result:

Switch (config)#show access-group interface vlan 100

Interface VLAN 100:

Ethernet1/0/1: IP Ingress access-list used is 1, traffic-statistics Disable.

Ethernet1/0/2: IP Ingress access-list used is 1, traffic-statistics Disable.

Ethernet1/0/5: IP Ingress access-list used is 1, traffic-statistics Disable.

Ethernet1/0/7: IP Ingress access-list used is 1, traffic-statistics Disable.

51.4 ACL Troubleshooting

Checking for entries in the ACL is done in a top-down order and ends whenever an entry is matched.

Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC ACL and one IPv6 ACL (via physical interface mode or VLAN interface mode).

When four ACLs are bound and a packet matches several of them at the same time, the priority relations are as follows, in top-down order. If the priority is the same, the ACL that was configured first has the higher priority.

• Ingress IPv6 ACL

• Ingress MAC-IP ACL

• Ingress IP ACL

• Ingress MAC ACL

The number of ACLs that can be successfully bound depends on the content of the bound ACLs and the hardware resource limit. Users will be prompted if an ACL cannot be bound due to hardware resource limitation.
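The following is an added example, not part of the PLANET manual: a small Python model of the matching rules above (top-down first match within an ACL, type priority across bound ACLs), useful for checking why a packet is permitted or denied. It reads the priority rule as "the highest-priority ACL containing a matching entry decides". The action taken when nothing matches is not stated on this page, so it is a parameter, and SHADOWED, MAC_IP and PKT are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Ingress ACL types, highest priority first, as listed in section 51.4.
TYPE_PRIORITY = ["ipv6", "mac-ip", "ip", "mac"]

@dataclass
class Entry:
    action: str  # "permit" or "deny"
    field: str   # packet field tested, e.g. "src_ip" or "src_mac"
    value: str   # exact value; for *_ip fields a host address or CIDR prefix

    def matches(self, pkt):
        got = pkt.get(self.field)
        if got is None:
            return False
        if self.field.endswith("_ip"):
            return ipaddress.ip_address(got) in ipaddress.ip_network(self.value)
        return got.lower() == self.value.lower()

@dataclass
class BoundAcl:
    name: str
    kind: str      # one of TYPE_PRIORITY
    bind_seq: int  # order in which the binding was configured (tie-break)
    entries: list

def evaluate(bound, pkt, default="permit"):
    """Return (action, acl_name, entry_index) of the entry that decides pkt."""
    # default: action when nothing matches; not stated on the page (assumption).
    order = sorted(bound, key=lambda a: (TYPE_PRIORITY.index(a.kind), a.bind_seq))
    for acl in order:
        for idx, entry in enumerate(acl.entries):  # top-down, stop at first match
            if entry.matches(pkt):
                return entry.action, acl.name, idx
    return default, None, None

# access-list 1 from Scenario 5, followed by constructed sample data.
ACL_1 = BoundAcl("1", "ip", 1, [Entry("deny", "src_ip", "192.168.0.1")])
SHADOWED = BoundAcl("shadowed", "ip", 1, [
    Entry("permit", "src_ip", "192.168.0.0/24"),  # matches first, so ...
    Entry("deny", "src_ip", "192.168.0.1"),       # ... this entry is never reached
])
MAC_IP = BoundAcl("macip-demo", "mac-ip", 2, [Entry("permit", "src_mac", "00:11:22:33:44:55")])
PKT = {"src_ip": "192.168.0.1", "src_mac": "00:11:22:33:44:55"}

if __name__ == "__main__":
    for bound in ([ACL_1], [SHADOWED], [ACL_1, MAC_IP]):
        print([a.name for a in bound], "->", evaluate(bound, PKT))
```

The second and third cases are the two usual reasons a deny entry appears to have no effect: an earlier entry in the same ACL matches first, or a higher-priority ACL type bound to the same port matches the packet.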
