DELL N3000 User Manual
584
Configuring Access Control Lists
Depending on whether an ingress or egress ACL is applied to a port, when the
traffic enters (ingress) or leaves (egress) a port, the ACL compares the criteria
configured in its rules, in list order, to the fields in a packet or frame to check
for matching conditions. The ACL processes the traffic based on the actions
contained in the rules.
ACL rules are processed in list order, from the first to the last rule in the list.
ACL rules are processed in list order, from the first to the last rule in the list.
If a matching rule is found, the rule action is taken and no subsequent rules in
the list are processed for that packet. Frequently matched rules should be
placed near or at the front of the list. A list must have at least one permit
entry or all traffic is denied (dropped).
Egress ACLs filter switched traffic only. Packets generated by the switch are
Egress ACLs filter switched traffic only. Packets generated by the switch are
sent regardless of any egress ACL deny rules.
You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC
ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4. Dell
Networking series switches support both IPv4 and IPv6 ACLs.
What Are MAC ACLs?
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the
following fields of a packet:
• Source MAC address
• Source MAC mask
• Destination MAC address
• Destination MAC mask
• VLAN ID
• Class of Service (CoS) (802.1p)
• EtherType
• Source MAC mask
• Destination MAC address
• Destination MAC mask
• VLAN ID
• Class of Service (CoS) (802.1p)
• EtherType
L2 ACLs can apply to one or more interfaces.
Multiple access lists can be applied to a single interface; sequence number
Multiple access lists can be applied to a single interface; sequence number
determines the order of execution.
NOTE:
The last access group configured is terminated by an implicit deny all
rule, which drops any packet not matching a preceding rule.