Administrator Guide
686 Access Control Lists
Please note the following additional limitations on ingress and egress ACLs:
• Port ranges are not supported for egress ACLs for either IPv4 or IPv6 ACLs.
• It is possible to configure mirror or redirect attributes for a given ACL rule,
but not both.
• The
Dell EMC Networking N-Series switches
support a limited number
of counter resources, so it may not be possible to log every ACL rule. It is
possible to define an ACL with any number of logging rules, but the rules
that are actually logged cannot be determined until the ACL is configured
in the interface hardware. Furthermore, hardware counters that become
available after an ACL is applied are not retroactively assigned to rules that
were unable to be logged (the ACL must be disassociated from the
interface and then re-associated). Rules that are unable to be logged are
still active in the ACL for purposes of permitting or denying a matching
packet. If console logging is enabled and the severity is set to a numerically
equal or lower severity than the console severity setting, a log entry may
appear on the screen.
• The order of the rules is important: when a packet matches multiple rules,
the first rule takes precedence. Once a packet has matched a rule, the
corresponding action is taken and no further attempts to match the packet
are made. Also, once an access group is configured on an interface, all
traffic not specifically permitted by an ACL is dropped by the implicit
deny all the system supplies at the end of the last configured access group.
• Egress (out) ACLs only affect switched/routed traffic. They have no effect
on packets generated locally by the switch, e.g., LACPDUs or spanning
tree BPDUs.
Maximum VLAN interfaces
with ACLs applied
24 24 24 24
Maximum ACL Logging
Rules (system-wide)
128 128 128 128
Table 20-2. ACL Software Limits (Continued)
Limitation Dell EMC
Networking
N1500
Series
Dell EMC
Networking
N2000/
N2100-ON
Series
Dell EMC
Networking
N3000/
N3100-ON
Series
Dell EMC
Networking
N4000
Series