Disabling Or Re-Enabling Access Control Lists (Acls); Default Acl Action; Types Of Ip Acls - Dell PowerConnect B-RX Configuration Manual

21

Disabling or re-enabling Access Control Lists (ACLs)

RX-BI-16XG (16 x 10GE ) Module EGRESS ACL Configuration Guidelines
Disabling or re-enabling Access Control Lists (ACLs)
The ACL feature is always enabled on BigIron RX; it cannot be disabled.

Default ACL action

The default action when no ACLs are configured on a BigIron RX is to permit all traffic. However,
once you configure an ACL and apply it to a port, the default action for that port is to deny all traffic
that is not explicitly permitted on the port.
•
•
NOTE
Do not apply an empty ACL (an ACL ID without any corresponding entries) to an interface. If you
accidentally do this, the software applies the default ACL action, deny all, to the interface and thus
denies all traffic.

Types of IP ACLs

IP ACLs can be configured as standard, extended, or super. A standard ACL permits or denies
packets based on a source IP address. An extended ACL permits or denies packets based on
source and destination IP addresses and also based on IP protocol information. Super ACLs can
match on any field in a packet header from Layer 2 to Layer 4. Super ACLs support all options
currently supported in ACL and MAC ACL, including QoS marking.
524
•
The RX-BI-16XG 16 x 10GE module only supports standard, extended, named, and
numbered ACLs for outbound access-group applications ACLs.
•
Egress filtering on subset ports of a VE is not supported, matching must apply to all VE
ports .
•
Matching the SPI field value is not supported for egress acl.
•
Matching field of fragment or fragmentation-offset is not supported.
•
A matching egress acl only compares to 3 bits of TOS field (delay, throughput, reliability)
•
ACLs that specify spi, .tos min monrtary cost, fragment or fragmentation-offset will cause
a configuration conflict and an error message "ACL configuration conflict specified filter
not supported" is entered in syslog.
•
802.1p-priority is not supported as a matching egress acl condition.
•
dscp-marking is not available as a condition matching egress acl action.
•
deny-logging is not supported for egress ACLs.
To control access more tightly, configure ACLs consisting of permit entries for the access you
want to permit. The ACLs implicitly deny all other access.
To secure access in environments with many users, you can configure ACLs that consist of
explicit deny entries, then add an entry to permit all access to the end of each ACL. The
software permits packets that are not denied by the deny entries.
BigIron RX Series Configuration Guide
53-1002253-01