Administrator Guide

638 Access Control Lists
Please note the following additional limitations on ingress and egress ACLs:
• Port ranges are not supported for egress ACLs, for either IPv4 or IPv6 ACLs.
• It is possible to configure mirror or redirect attributes for a given ACL rule, but not both.
• The Dell Networking N-Series switches support a limited number of counter resources, so it may not be possible to log every ACL rule. It is possible to define an ACL with any number of logging rules, but the rules that are actually logged cannot be determined until the ACL is configured in the interface hardware. Furthermore, hardware counters that become available after an ACL is applied are not retroactively assigned to rules that could not be logged (the ACL must be disassociated from the interface and then re-associated). Rules that cannot be logged are still active in the ACL for purposes of permitting or denying a matching packet. If console logging is enabled and the severity is set to a numerically equal or lower severity than the console severity setting, a log entry may appear on the screen.
• The order of the rules is important: when a packet matches multiple rules, the first rule takes precedence. Once a packet has matched a rule, the corresponding action is taken and no further attempts to match the packet are made. Also, once an access group is configured on an interface, all traffic not specifically permitted by an ACL is dropped by the implicit deny-all that the system supplies at the end of the last configured access group.
• Egress (out) ACLs only affect switched/routed traffic. They have no effect on packets generated locally by the switch, e.g., LACPDUs or spanning tree BPDUs.
• Ingress ACLs filter packets before they are processed by the switching fabric. Egress ACLs filter packets after they have been processed by the switching fabric.
• User-defined ingress ACLs are prioritized before system ACLs. User-defined ingress ACLs that match control plane packets such as BPDUs may interfere with switch operation.
• The fragments and routing keywords are not supported for egress IPv6 ACLs. The fragments keyword is not supported on IPv4 egress ACLs. On the Dell Networking N4000 Series switches, the IPv6 ACL routing keyword is not supported when any IPv6 address is specified. The routing keyword is not supported for IPv4 ACLs.
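The first-match evaluation, the implicit deny-all at the end of the access group, and the limited counter budget for logging rules described above, modelled as an added Python example (not code from the guide or from Dell). The sample ACL, the counter budget of 2 and the test packets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol, else "tcp"/"udp"
    src: str                     # source prefix, CIDR notation
    dst: str                     # destination prefix, CIDR notation
    dport: Optional[int] = None  # one port only: egress ACLs cannot use ranges
    log: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule matches the packet."""
    return ((rule.proto == "ip" or rule.proto == pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def assign_counters(rules: list, counter_budget: int) -> set:
    """Hardware application: logging rules take a counter in ACL order until the
    budget runs out; later logging rules stay active but are never logged."""
    logged = set()
    for i, r in enumerate(rules):
        if r.log and len(logged) < counter_budget:
            logged.add(i)
    return logged

def evaluate(rules: list, logged: set, pkt: Packet):
    """First match wins; no match hits the implicit deny-all at the end of the
    last configured access group. Returns (action, rule index, logged?)."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r.action, i, i in logged
    return "deny", None, False

# Constructed sample ACL, not a configuration taken from the guide.
ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", "0.0.0.0/0", 22, log=True),
    Rule("deny",   "tcp", "0.0.0.0/0", "0.0.0.0/0", 23, log=True),
    Rule("permit", "ip",  "10.0.0.0/8", "0.0.0.0/0", log=True),
]
LOGGED = assign_counters(ACL, counter_budget=2)  # rule 2 gets no counter
```

Swapping the broad permit to the front of the list changes the telnet verdict from deny to permit, which is the ordering pitfall the guide warns about.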