Users Guide

Configuration notes
Dell EMC PowerSwitch S4200-ON Series:
You can create either a Layer 2 ACL or a Layer 3 ACL. You cannot create both tables at the same time.
In egress L3 IPv4 ACL, the fragment, TCP flags, and DSCP fields are not supported.
IPv6 user ACL table is not supported.
In egress ACLs, L2 user table is utilized only for switched packets and L3 user table is utilized only for routed packets.
In L2 user ACL, Ether type is not supported.
VTY ACLs
To limit Telnet and SSH connections to the switch, apply access lists on a virtual terminal line (VTY). See Virtual terminal line
ACLs for more information.
For VTY ACLs, there is no implicit deny rule. If none of the configured conditions match, the default behavior is to permit. If you
need to deny traffic that does not match any of the configured conditions, explicitly configure a deny statement.
SNMP ACLs
To filter SNMP requests on the switch, assign access lists to an SNMP community. Both IPv4 and IPv6 access lists are
supported to restrict IP source addresses. See Restrict SNMP access for more information.
NOTE: SNMP ACL works only when the SNMP server is reachable through the default VRF.
Clear access-list counters
Clear IPv4, IPv6, or MAC access-list counters for a specific access-list or all lists. The counter counts the number of packets
that match each permit or deny statement in an access-list. To get a more recent count of packets matching an access-list,
clear the counters to start at zero. If you do not configure an access-list name, all IP access-list counters clear.
To view access-list information, use the show access-lists command.
Clear IPv4 access-list counters in EXEC mode.
clear ip access-list counters access-list-name
Clear IPv6 access-list counters in EXEC mode.
clear ipv6 access-list counters access-list-name
Clear MAC access-list counters in EXEC mode.
clear mac access-list counters access-list-name
IP prefix-lists
IP prefix-lists control the routing policy. An IP prefix-list is a series of sequential filters that contain a matching criterion and a
permit or deny action to process routes. The filters process in sequence so that if a route prefix does not match the criterion in
the first filter, the second filter applies, and so on.
A route prefix is an IP address pattern that matches on bits within the IP address. The format of a route prefix is A.B.C.D/x,
where A.B.C.D is a dotted-decimal address and /x is the number of bits that match the dotted decimal address.
When the route prefix matches a filter, the system drops or forwards the packet based on the filter's designated action. If the
route prefix does not match any of the filters in the prefix-list, the route drops (an implicit deny).
For example, in 112.24.0.0/16, the first 16 bits of the address 112.24.0.0 match all addresses between 112.24.0.0 and
112.24.255.255. Use permit or deny filters for specific routes with the le (less or equal) and ge (greater or equal)
parameters, where x.x.x.x/x represents a route prefix:
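The sequential, first-match evaluation with an implicit deny described above can be modeled as follows. This is an added example, not text or code from the guide; the sample list, the function names, and the rule that a filter without ge or le matches only the exact prefix length (the conventional prefix-list behavior) are assumptions.

```python
import ipaddress

# Constructed sample prefix-list: (seq, action, prefix, ge, le)
SAMPLE_LIST = [
    (10, "deny",   "112.24.128.0/17", None, None),  # exactly this /17
    (20, "permit", "112.24.0.0/16",   None, 24),    # /16 to /24 within the /16
    (30, "permit", "10.0.0.0/8",      24,   None),  # /24 to /32 within the /8
]

def filter_matches(route, prefix, ge=None, le=None):
    """True if route lies inside prefix and its length is in the ge/le window."""
    route = ipaddress.ip_network(route)
    prefix = ipaddress.ip_network(prefix)
    if not route.subnet_of(prefix):        # the leading /x bits must match
        return False
    if ge is None and le is None:          # assumption: no ge/le = exact length
        return route.prefixlen == prefix.prefixlen
    low = ge if ge is not None else prefix.prefixlen
    high = le if le is not None else route.max_prefixlen
    return low <= route.prefixlen <= high

def evaluate(prefix_list, route):
    """Return (action, seq) of the first matching filter, else implicit deny."""
    for seq, action, prefix, ge, le in sorted(prefix_list, key=lambda f: f[0]):
        if filter_matches(route, prefix, ge, le):
            return action, seq
    return "deny", None                    # nothing matched: implicit deny

if __name__ == "__main__":
    # Constructed test routes
    for r in ("112.24.128.0/17", "112.24.200.0/24", "112.24.5.0/25",
              "10.1.0.0/16", "10.1.2.0/24"):
        print(f"{r:18} -> {evaluate(SAMPLE_LIST, r)}")
```

In this model the deny at sequence 10 removes only the exact /17 route; the more specific 112.24.200.0/24 falls through to sequence 20 and is permitted, which is a common source of unintended route acceptance when reviewing a prefix-list.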