Overview - Dell PowerConnect M6220 Configuration Manual

Configuration guide

Overview

Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. ACLs can also provide traffic flow control, restrict contents of routing updates, and decide which types of traffic are forwarded or blocked. Normally ACLs reside in a firewall router or in a router connecting two internal networks.

The PowerConnect 6200 Series switch supports ACL configuration in both the ingress and egress direction. Egress ACLs provide the capability to implement security rules on the egress flows rather than the ingress flows. Ingress and egress ACLs can be applied to any physical port (including 10G), port-channel, or VLAN routing port.

Ingress ACLs support Flow-based Mirroring and ACL Logging, which have the following characteristics:

• Flow-based mirroring is the ability to mirror traffic that matches a permit rule to a specific physical port or LAG. Flow-based mirroring is similar to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is delivered to the mirror interface while the packet itself is forwarded normally through the device. You cannot configure a given ACL rule with both mirror and redirect attributes.

• ACL Logging provides a means for counting the number of "hits" against an ACL rule. When you configure ACL Logging, you augment the ACL deny rule specification with a "log" parameter that enables hardware hit count collection and reporting. The switch uses a fixed five-minute logging interval, at which time trap log entries are written for each ACL logging rule that accumulated a non-zero hit count during that interval. You cannot configure the logging interval.

Using ACLs to mirror traffic is called flow-based mirroring since the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface.

You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4.
Limitations

The following limitations apply to ingress and egress ACLs:

• Maximum of 100 ACLs.
• Maximum of 12 rules per ACL.
• You can configure mirror or redirect attributes for a given ACL rule, but not both.
• Only one ACL per interface.
• The PowerConnect 6200 Series switch does not support MAC ACLs and IP ACLs on the same interface.
• The PowerConnect 6200 Series switch supports a limited number of counter resources, so it may not be possible to log every ACL rule. You can define an ACL with any number of logging rules, but the number of rules that are actually logged cannot be determined until the ACL is applied to an interface.
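The following is an added example, not Dell code or the switch's CLI: a small Python model of the ACL behaviour and limitations described on this page (first-match permit/deny evaluation, mirror versus redirect on permit rules, deny-rule hit counting reported once per logging interval, and the 100-ACL, 12-rule, mirror-xor-redirect, one-ACL-per-interface and no-MAC-plus-IP-on-one-interface limits). The Rule, Acl and Switch classes, the simplified (src, dst, proto) match, the "first match wins, otherwise drop" ordering, and port names such as "1/g5" are this example's own constructs; the per-interface-per-direction binding is this example's reading of "only one ACL per interface". The counter-resource limit (which logging rules the hardware can actually count) is not modelled because it is only known once the ACL is applied.

```python
# Added example, not Dell's code or CLI: a Python model of the ACL behaviour
# described above so its rules can be exercised offline. Assumptions: the
# Rule/Acl/Switch classes, the simplified (src, dst, proto) match, "first match
# wins, otherwise drop" ordering and port names such as "1/g5" are this
# example's own constructs; the limits and actions follow the text above.
from dataclasses import dataclass, field
from typing import Optional

MAX_ACLS = 100          # maximum of 100 ACLs
MAX_RULES_PER_ACL = 12  # maximum rules per ACL

@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str = "any"                # constructed match fields, "any" matches all
    dst: str = "any"
    proto: str = "any"
    log: bool = False               # hit-count collection on a deny rule
    mirror: Optional[str] = None    # copy permitted traffic to this port or LAG
    redirect: Optional[str] = None  # send permitted traffic out this port instead
    hits: int = 0                   # hits accumulated in the current interval

    def matches(self, pkt: dict) -> bool:
        return all(getattr(self, f) in ("any", pkt[f]) for f in ("src", "dst", "proto"))

@dataclass
class Acl:
    name: str
    kind: str                       # "ip" (Layers 3 and 4) or "mac" (Layer 2)
    rules: list = field(default_factory=list)

@dataclass
class Switch:
    acls: dict = field(default_factory=dict)      # name -> Acl
    bindings: dict = field(default_factory=dict)  # (interface, "in"|"out") -> ACL name

    def bind(self, iface: str, direction: str, name: str) -> None:
        if (iface, direction) in self.bindings:
            raise ValueError(f"{iface} {direction}: only one ACL per interface")
        self.bindings[(iface, direction)] = name

def validate_acl(acl: Acl) -> list:
    """Limitations checkable on one ACL; an empty list means it is acceptable."""
    problems = []
    if len(acl.rules) > MAX_RULES_PER_ACL:
        problems.append(f"{acl.name}: {len(acl.rules)} rules exceeds {MAX_RULES_PER_ACL}")
    for i, r in enumerate(acl.rules):
        if r.mirror and r.redirect:
            problems.append(f"{acl.name} rule {i}: mirror and redirect cannot both be set")
        if (r.mirror or r.redirect) and r.action != "permit":
            problems.append(f"{acl.name} rule {i}: mirror/redirect apply to permit rules")
    return problems

def validate_switch(sw: Switch) -> list:
    """Limitations that depend on the whole configuration."""
    problems = [f"{len(sw.acls)} ACLs exceeds {MAX_ACLS}"] if len(sw.acls) > MAX_ACLS else []
    for acl in sw.acls.values():
        problems += validate_acl(acl)
    kinds = {}                      # interface -> set of ACL kinds bound to it
    for (iface, _direction), name in sw.bindings.items():
        kinds.setdefault(iface, set()).add(sw.acls[name].kind)
    problems += [f"{i}: MAC and IP ACLs on the same interface" for i, k in kinds.items() if len(k) > 1]
    return problems

def apply_acl(acl: Acl, pkt: dict) -> dict:
    """First matching rule decides; a packet matching no rule is dropped. A mirror
    rule forwards normally and copies the packet to the mirror port; a redirect
    rule sends the packet itself out the redirect port instead."""
    for r in acl.rules:
        if r.matches(pkt):
            if r.log:
                r.hits += 1
            if r.action == "deny":
                return {"forward": False, "copy_to": None, "out_port": None}
            return {"forward": True, "copy_to": r.mirror, "out_port": r.redirect}
    return {"forward": False, "copy_to": None, "out_port": None}

def log_report(acl: Acl) -> list:
    """Trap log entries for one five-minute interval: (acl, rule index, hits) for
    each logging rule with a non-zero count; counters then restart."""
    entries = [(acl.name, i, r.hits) for i, r in enumerate(acl.rules) if r.log and r.hits]
    for r in acl.rules:
        r.hits = 0
    return entries

def demo() -> dict:
    """Constructed configuration and packets exercising deny+log, mirror, redirect
    and three of the limitations."""
    sw = Switch()
    sw.acls["no-telnet"] = Acl("no-telnet", "ip", [
        Rule("deny", proto="tcp/23", log=True),           # count blocked Telnet
        Rule("permit", dst="10.0.0.5", mirror="1/g5"),    # copy server traffic to an analyser port
        Rule("permit", src="10.0.0.7", redirect="1/g6"),  # steer one host to another port
        Rule("permit"),
    ])
    sw.acls["bad"] = Acl("bad", "ip", [Rule("permit", mirror="1/g5", redirect="1/g6")])
    sw.acls["l2"] = Acl("l2", "mac", [Rule("permit")])
    sw.bind("1/g1", "in", "no-telnet")
    sw.bind("1/g1", "out", "l2")                          # IP and MAC ACL on one interface
    pkts = [{"src": "10.0.0.9", "dst": "10.0.0.1", "proto": "tcp/23"},
            {"src": "10.0.0.9", "dst": "10.0.0.1", "proto": "tcp/23"},
            {"src": "10.0.0.9", "dst": "10.0.0.5", "proto": "tcp/443"},
            {"src": "10.0.0.7", "dst": "10.0.0.1", "proto": "udp/53"}]
    decisions = [apply_acl(sw.acls["no-telnet"], p) for p in pkts]
    return {"problems": validate_switch(sw), "decisions": decisions,
            "log": log_report(sw.acls["no-telnet"])}
```

Running demo() shows the two Telnet packets dropped and counted as one log entry of two hits for rule 0, the packet to 10.0.0.5 forwarded with a copy to 1/g5, the packet from 10.0.0.7 sent out 1/g6 instead of its normal path, and two limitation violations reported: the rule carrying both mirror and redirect, and the IP and MAC ACLs bound to the same interface. Whether a given deny rule is actually counted on real hardware still depends on the counter resources available when the ACL is applied.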
91
Device Security
