Furthermore, hardware counters that become available after an ACL is applied are not retroactively
assigned to rules that were unable to be logged (the ACL must be un-applied then re-applied). Rules
that are unable to be logged are still active in the ACL for purposes of permitting or denying a
matching packet.
•
The order of the rules is important: when a packet matches multiple rules, the first rule takes
precedence. Also, once you define an ACL for a given port, all traffic not specifically permitted by the
ACL is denied access.
NOTE:
Although the maximum number of ACLs is 100, and the maximum number of rules per ACL is 12, the system
cannot support 100 ACLs that each have 12 rules.
Egress ACL Limitations
Egress ACLs have some additional limitations. The following limitations apply to egress ACLs only:
•
Egress ACLs support IP Protocol/Destination, IP Address Source/Destination, L4 Source/Destination
port, IP DSCP, IP ToS, and IP precedence match conditions only.
•
MAC ACLs are not supported in the egress direction.
•
Egress ACLs only support Permit/Deny Action. Logging, mirroring and redirect action are not
supported.
•
Only one Egress ACL can be applied on an interface. The ACL can have multiple rules to classify flows
and apply permit/deny action.
•
If the Egress ACLs have "over-lapping" rules, then there can be undesired behavior. This limitation is
only applicable if the conflicting ACLs are within the same unit. The restriction is explained below:
–
ACL 1: permit tcp destination port 3000; deny all
–
ACL 2: drop ip source 10.1.1.1; permit all
–
ACL 1 is applied on port 1 and ACL 2 is applied on port 2. Due to this limitation, all the packets
egressing port 2 with Source IP 10.1.1.1 and tcp source port 3000 will be permitted even though
they should be dropped.
MAC ACLs
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet:
•
Source MAC address
•
Source MAC mask
•
Destination MAC address
•
Destination MAC mask
•
VLAN ID
•
Class of Service (CoS) (802.1p)
•
Ethertype
92
Device Security