Users Guide

690 Access Control Lists
Depending on whether an ingress or egress ACL is applied to a port, when the
traffic enters (ingress) or leaves (egress) a port, the ACL compares the criteria
configured in its rules, in list order, to the fields in a packet or frame to check
for matching conditions. The ACL processes the traffic based on the actions
contained in the rules.
ACLs are organized into access groups. Access groups are numbered in
priority order (the lowest number has the highest priority). Multiple access groups can be
configured on an interface, in which case the lowest numbered access group is
processed first, followed by the next lowest numbered access group, and so on.
Within an access group, ACL rules are processed in sequence, from the first
(lowest numbered) rule to the last (highest numbered) rule in the access
group. If a matching rule is found, the rule action is taken and no subsequent
rules are processed for that packet. Frequently matched rules should be
placed near or at the front of the list. At least one access list within the access
groups configured on an interface must contain at least one permit rule or all
traffic is denied (dropped). ACL entries may be numbered by the
administrator when configured or automatically numbered by the system.
Additionally, remarks may be entered for an ACL entry.
Packets generated by the switch are sent regardless of any egress ACL deny
rules.
NOTE: Conceptually, ACL processing proceeds by attempting to match the packet
against each ACL in the first access group, in order.
If an ACL does not match, processing moves to the next ACL in order until an ACL
matches or the access group is exhausted. If more access groups are
configured, processing proceeds with the next access group.
In reality, all interface ACL matches are attempted in parallel at once, and the
priority of the ACL is used to determine the action. Then, all VLAN ACL matches
are attempted in parallel at once, and the priority of the ACL is used to determine
the action. This implies that a packet that matches both a physical interface ACL
and a VLAN ACL will always take the physical interface action.
NOTE: The last access group configured on an interface is terminated by an
implicit deny all rule, which drops any packet not matching a preceding permit
rule. The implicit deny all rule is not configured if Policy-Based Routing is
configured on the interface.
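The following Python simulation is an added example written for this section; it is not the switch vendor's code and does not reproduce the hardware's parallel lookup. It models the documented evaluation order: access groups lowest-number-first, rules lowest-sequence-first, first match wins, the implicit deny all at the end of the last access group (suppressed when Policy-Based Routing is configured), switch-generated traffic ignoring egress deny rules, and the physical interface ACL taking precedence over a VLAN ACL. The Rule, AccessGroup and Packet classes, the prefix-based match fields, the choice to consult the VLAN ACL only when no interface rule matched, and the "no-match" result under PBR are assumptions of this example; the sample access groups and packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed model of ACL entries, access groups and packets (not the switch's own structures).

@dataclass
class Rule:
    seq: int                        # rule number: set by the administrator or auto-assigned
    action: str                     # "permit" or "deny"
    proto: Optional[str] = None     # "tcp", "udp", ...; None matches any protocol
    src: Optional[str] = None       # source prefix, e.g. "10.1.0.0/16"; None matches any
    dst: Optional[str] = None       # destination prefix; None matches any
    dport: Optional[int] = None     # destination port; None matches any
    remark: str = ""                # free-text remark attached to the entry

@dataclass
class AccessGroup:
    number: int                     # lower number = higher priority
    rules: List[Rule]

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None
    switch_generated: bool = False  # traffic originated by the switch itself

def _in_prefix(addr: str, prefix: Optional[str]) -> bool:
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and _in_prefix(pkt.src, rule.src)
            and _in_prefix(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def first_match(groups: Sequence[AccessGroup], pkt: Packet) -> Optional[Tuple[str, int, int]]:
    """Lowest-numbered access group first, lowest-numbered rule first; stop at the
    first hit and return (action, group_number, rule_seq), or None if nothing matched."""
    for group in sorted(groups, key=lambda g: g.number):
        for rule in sorted(group.rules, key=lambda r: r.seq):
            if rule_matches(rule, pkt):
                return (rule.action, group.number, rule.seq)
    return None

def has_permit_rule(groups: Sequence[AccessGroup]) -> bool:
    """Configuration check: without at least one permit rule somewhere in the
    interface's access groups, the implicit deny drops every packet."""
    return any(r.action == "permit" for g in groups for r in g.rules)

def evaluate(pkt: Packet, direction: str, interface_groups: Sequence[AccessGroup],
             vlan_groups: Sequence[AccessGroup] = (), pbr_configured: bool = False) -> Tuple[str, str]:
    """Return (action, reason) for one packet on one port in one direction."""
    if direction == "egress" and pkt.switch_generated:
        return ("permit", "switch-generated traffic ignores egress deny rules")
    hit = first_match(interface_groups, pkt)
    if hit is None and vlan_groups:
        # Assumption: the VLAN ACL decides only when no physical-interface rule matched,
        # so the interface action wins whenever both would match.
        hit = first_match(vlan_groups, pkt)
    if hit is not None:
        action, gnum, seq = hit
        return (action, f"access group {gnum}, rule {seq}")
    if pbr_configured:
        # No implicit deny when Policy-Based Routing is configured; the packet is left to PBR (assumed).
        return ("no-match", "no rule matched and the implicit deny is absent under PBR")
    return ("deny", "implicit deny all at the end of the last access group")

# Constructed sample configuration: group 10 blocks telnet and then permits 10.1.0.0/16;
# group 20 permits HTTPS from anywhere. Group 20 is only reached if group 10 has no match.
INTERFACE_GROUPS = [
    AccessGroup(10, [
        Rule(10, "deny", proto="tcp", dport=23, remark="no telnet from anyone"),
        Rule(20, "permit", src="10.1.0.0/16"),
    ]),
    AccessGroup(20, [
        Rule(10, "permit", proto="tcp", dport=443),
    ]),
]

if __name__ == "__main__":
    samples = [
        ("ingress", Packet("tcp", "10.1.1.5", "203.0.113.7", 23)),    # deny: group 10 rule 10 hit first
        ("ingress", Packet("tcp", "10.1.1.5", "203.0.113.7", 443)),   # permit: group 10 rule 20, group 20 never reached
        ("ingress", Packet("tcp", "192.0.2.9", "203.0.113.7", 443)),  # permit: group 20 rule 10
        ("ingress", Packet("udp", "192.0.2.9", "203.0.113.7", 53)),   # deny: implicit deny all
        ("egress", Packet("tcp", "192.0.2.9", "203.0.113.7", 23, switch_generated=True)),  # permit
    ]
    print("permit rule present:", has_permit_rule(INTERFACE_GROUPS))
    for direction, pkt in samples:
        print(direction, pkt, "->", evaluate(pkt, direction, INTERFACE_GROUPS))
```

Reordering the two rules in group 10 (or renumbering them) changes the telnet outcome, which is why the text advises placing frequently matched rules, and any deny that must win, at the front of the list.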