Dell PowerConnect 6248 Configuration Guide - Page 113

MAC ACLs, Egress ACLs support IP Protocol/Destination, IP Address Source/Destination

Page 113 highlights

Egress ACL Limitations Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only: • Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination port, IP DSCP, IP ToS, and IP precedence match conditions only. • MAC ACLs are not supported in the egress direction. • Egress ACLs only support Permit/Deny Action. Logging, mirroring and redirect action are not supported. • Only one Egress ACL can be applied on an interface. The ACL can have multiple rules to classify flows and apply permit/deny action. • If the Egress ACLs have "over-lapping" rules, then there can be undesired behavior. This limitation is only applicable if the conflicting ACLs are within the same unit. The restriction is explained below: - ACL 1: permit tcp destination port 3000; deny all - ACL 2: drop ip source 10.1.1.1; permit all - ACL 1 is applied on port 1 and ACL 2 is applied on port 2. Due to this limitation, all the packets egressing port 2 with Source IP 10.1.1.1 and tcp source port 3000 will be permitted even though they should be dropped. MAC ACLs MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet: • Source MAC address • Source MAC mask • Destination MAC address • Destination MAC mask • VLAN ID • Class of Service (CoS) (802.1p) • Ethertype L2 ACLs can apply to one or more interfaces. Multiple access lists can be applied to a single interface; sequence number determines the order of execution. You can assign packets to queues using the assign queue option. Device Security 113

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176

Device Security
113
Egress ACL Limitations
Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only:
Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination
port, IP DSCP, IP ToS, and IP precedence match conditions only.
MAC ACLs are not supported in the egress direction.
Egress ACLs only support Permit/Deny Action. Logging, mirroring and redirect action are not
supported.
Only one Egress ACL can be applied on an interface. The ACL can have multiple rules to classify flows
and apply permit/deny action.
If the Egress ACLs have "over-lapping" rules, then there can be undesired behavior. This limitation is
only applicable if the conflicting ACLs are within the same unit. The restriction is explained below:
ACL 1: permit tcp destination port 3000; deny all
ACL 2: drop ip source 10.1.1.1; permit all
ACL 1 is applied on port 1 and ACL 2 is applied on port 2. Due to this limitation, all the packets
egressing port 2 with Source IP 10.1.1.1 and tcp source port 3000 will be permitted even though
they should be dropped.
MAC ACLs
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet:
Source MAC address
Source MAC mask
Destination MAC address
Destination MAC mask
VLAN ID
Class of Service (CoS) (802.1p)
Ethertype
L2 ACLs can apply to one or more interfaces.
Multiple access lists can be applied to a single interface; sequence number determines the order of
execution.
You can assign packets to queues using the assign queue option.