Acl Troubleshooting - Planet XGS3-42000R User Manual

interface name:Ethernet1/10
IP v6 Ingress access-list used is 600, traffic-statistics Disable.
Scenario 5:
The configuration requirement is stated as below: The interface 1, 2, 5, 7 belongs to vlan100, Hosts with
192.168.0.1 as its IP address should be disabled from accessing the listed interfaces.
Configuration description:
1． Create the corresponding access list.
2． Configure datagram filtering.
3． Bind the ACL to the relat ed interface.
The configuration steps are listed as below.
XGS 3-42000R(config)#firewall enable
XGS 3-42000R(config)#vlan 100
XGS 3-42000R(Config-Vlan100)#switchport interface ethernet 1/1;2;5;7
XGS 3-42000R(Config-Vlan100)#exit
XGS 3-42000R(config)#access-list 1 deny host-source 192.168.0.1
XGS 3-42000R(config)#interface vlan 100
XGS 3-42000R(Config-if-Vlan100)#ip access-group 1 in
XGS 3-42000R(Config-if-Vlan100)#exit
Configuration result:
XGS 3-42000R(config)#show access-group interface vlan 100
Interface VLAN 100:
Ethernet1/1: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/2: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/5: IP Ingress access-list used is 1, traffic-statistics Disable.
Ethernet1/7: IP Ingress access-list used is 1, traffic-statistics Disable.

46.4 ACL Troubleshooting


Checking for ent ries in the ACL is done in a top-down order and ends whenever an entry is matched.

Default rule will be used only if no ACL is bound to the incoming direction of the port, or no ACL entry is
matched.

Each ingress port can bind one MAC-IP ACL, one IP ACL, one MAC A CL, one IP v6 A CL (via the
physical interface mode or Vlan interface mode).

When binding four ACL and packet matching several A CL at the same time, the priority relations are as
follows in a top-down order. If the priority is same, then the priority of configuration at first is higher.
 Ingress IP v6 A CL
 Ingress MAC-IP ACL
 Ingress IP ACL
 Ingress MAC A CL
46-20