Users Guide

Access Control Lists 681
The order of the rules is important: when a packet matches multiple rules,
the first matching rule takes precedence. Once a packet has matched a rule, the
corresponding action is taken and no further attempts to match the packet
are made. Also, once an access group is configured on an interface, all
traffic not specifically permitted by an ACL is dropped by the implicit
deny-all rule that the system supplies at the end of the last configured
access group.
Egress (out) ACLs only affect switched/routed traffic. They have no effect
on packets generated locally by the switch, e.g., LACPDUs or spanning
tree BPDUs.
Ingress ACLs filter packets before they are processed by the switching
fabric. Egress ACLs filter packets after they have been processed by the
switching fabric.
User-defined ingress ACLs are prioritized before system ACLs. User-
defined ingress ACLs that match control plane packets such as BPDUs
may interfere with switch operation.
The fragments and routing keywords are not supported for egress IPv6
ACLs. The fragments keyword is not supported on IPv4 egress ACLs.
On the Dell EMC Networking N2000 and N3000E-ON Series switches,
the IPv6 ACL fragment keyword matches only on the first IPv6 extension
header (next header code 44). If the fragment header appears in the
second or subsequent header, it is not matched.
The IPv6 ACL routing keyword matches only on the first IPv6 extension
header (next header code 43). If the routing header appears in the
second or subsequent extension header, it is not matched.
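The first-match ordering, the implicit deny-all at the end of the access group, and the "first extension header only" limit on the fragments and routing keywords can be checked with the small evaluator below. It is an added illustration, not Dell software and not the switch's matching engine; the Packet and Rule classes, the addresses and the ACL contents are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# IPv6 next-header codes named on this page
ROUTING_HEADER = 43
FRAGMENT_HEADER = 44

@dataclass
class Packet:              # constructed model of a packet, not a real parser
    src: str
    dst: str
    ext_headers: tuple = ()  # IPv6 extension header chain, in wire order

@dataclass
class Rule:                # constructed model of one ACL rule
    action: str              # "permit" or "deny"
    src: str = "any"         # prefix or "any"
    dst: str = "any"
    fragments: bool = False  # the "fragments" keyword
    routing: bool = False    # the "routing" keyword

def _addr_match(prefix: str, addr: str) -> bool:
    return prefix == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    # As the page states, the keyword only matches when that header is the FIRST extension header.
    first = pkt.ext_headers[0] if pkt.ext_headers else None
    if rule.fragments and first != FRAGMENT_HEADER:
        return False
    if rule.routing and first != ROUTING_HEADER:
        return False
    return _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)

def evaluate(access_group: list, pkt: Packet) -> tuple:
    """First matching rule wins; if nothing matches, the implicit deny-all applies."""
    for index, rule in enumerate(access_group):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None  # implicit deny supplied by the system, no rule index

# Constructed sample access group: drop fragments first, then permit one prefix.
ACL = [Rule("deny", fragments=True), Rule("permit", src="2001:db8::/64")]

def demo() -> dict:
    host, dst = "2001:db8::10", "2001:db8:1::1"
    return {
        "frag_first": evaluate(ACL, Packet(host, dst, (FRAGMENT_HEADER,))),      # ("deny", 0)
        "frag_second": evaluate(ACL, Packet(host, dst, (0, FRAGMENT_HEADER))),   # ("permit", 1): not first header
        "other_host": evaluate(ACL, Packet("2001:db8:2::5", dst)),               # ("deny", None): implicit deny
        "reordered": evaluate(list(reversed(ACL)), Packet(host, dst, (FRAGMENT_HEADER,))),  # ("permit", 0)
    }
```

The "reordered" case shows why rule order matters: with the permit placed first, the fragment packet from the permitted prefix is never reached by the deny rule.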
NOTE: The actual number of ACLs and rules supported depends on the
resources consumed by other processes and configured features running on the
switch. If the switch does not allow a rule to be configured, consider disabling
features that consume user ACL space such as iSCSI, CFM, or IPv6 RA Guard.