DELL N3000 User Manual

Configuring Access Control Lists
permit ip 10.0.46.0 0.0.1.255 any
• Inbound rule allowing access TO hosts with IP addresses ranging from 10.0.48.0 to 10.0.49.254:
permit ip any 10.0.48.0 0.0.1.255
As the last rule in an administrator-defined list, this inbound rule's narrower scope has no effect other than possibly interfering with switch operations. The system installs an implicit deny-everything rule after the end of the last access group bound to an interface:
deny ip any any
Internal System ACLs
The switch installs a number of internal ACLs to trap packets to the CPU for processing. Examples of these types of packets are spanning tree BPDUs, IEEE 802.1X EAPOL packets, iSCSI packets, IP source guard packets, LLPF packets, LLDP packets, IEEE 802.1AD packets, etc. These internal ACLs are generally configured at the lowest priority (numerically highest) so that the switch administrator, through the use of ACLs, can override the default switch behavior. Some of the system rules are installed when the administrator enables specific protocols; other rules are always present and may have their behaviors altered by enabling or disabling protocols. For example, spanning tree BPDUs, LLDP packets, and IEEE 802.1X packets are never forwarded by the switch.
Complete ACL Example
The following example is a complete inbound ACL that allows hosts connected to gi1/0/1 with IP addresses in the 10.1.1.x range to send IP packets to 192.168.0.x hosts on gi1/0/2. IP packets not from 10.1.1.x addresses or not addressed to 192.168.0.x hosts are dropped. Packets with protocols other than IP, DNS, ARP, or ICMP are dropped. Allowing ICMP supports the 10.1.1.x hosts in reliably receiving and initiating TCP connections and pinging through the switch. This example also allows ARP and DNS packets to any destination and is suitable for an L2 switch.
mac access-list extended Allow-ARP
permit any any arp
exit
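The wildcard-mask rules quoted earlier on this page (the 10.0.46.0 / 10.0.48.0 entries and the implicit deny that follows the last access group) and the IP half of the Complete ACL Example both come down to the same evaluation: compare each packet against the entries in order, a 0 bit in the wildcard mask must match and a 1 bit is ignored, the first matching entry decides, and anything left over hits the implicit deny. The following Python model is an added example, not Dell code and not the switch's actual matching engine; the Ace class, the evaluate() function and the COMPLETE_EXAMPLE_IP list are constructed here, and the DNS entry in that list is an assumption about how the "DNS to any destination" intent would be expressed, since the page shows only the MAC ACL for ARP.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry, modelled on
    'permit|deny <proto> <src> <src-wildcard> <dst> <dst-wildcard>'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any IP protocol), "icmp", "tcp" or "udp"
    src: str                     # base address, or "any"
    src_wild: str                # wildcard mask; ignored when src == "any"
    dst: str
    dst_wild: str
    dport: Optional[int] = None  # destination port for tcp/udp; None = any port


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Wildcard-mask comparison: a 0 bit in the mask must match the base
    address exactly, a 1 bit is a don't-care. 'any' matches every address."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def ace_matches(ace: Ace, proto: str, src: str, dst: str,
                dport: Optional[int] = None) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    return (wildcard_match(src, ace.src, ace.src_wild)
            and wildcard_match(dst, ace.dst, ace.dst_wild))


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """First match wins. A packet matching no entry falls through to the
    implicit 'deny ip any any' installed after the last access group; that
    case is reported with index None to tell it apart from an explicit deny."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, dport):
            return ace.action, index
    return "deny", None


# The two rules quoted on this page, as one list bound inbound to an interface.
PAGE_RULES = [
    Ace("permit", "ip", "10.0.46.0", "0.0.1.255", "any", "any"),   # FROM 10.0.46.0-10.0.47.254
    Ace("permit", "ip", "any", "any", "10.0.48.0", "0.0.1.255"),   # TO 10.0.48.0-10.0.49.254
]

# Constructed model of the Complete ACL Example's IP intent for gi1/0/1:
# 10.1.1.x may send IP to 192.168.0.x, and (assumed form) DNS over UDP/53 to any
# destination; everything else is left to the implicit deny. ARP is a MAC ACL
# on the switch and is not modelled here.
COMPLETE_EXAMPLE_IP = [
    Ace("permit", "ip", "10.1.1.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    Ace("permit", "udp", "10.1.1.0", "0.0.0.255", "any", "any", dport=53),
]


if __name__ == "__main__":
    # Constructed sample packets: one per rule, plus one that reaches the implicit deny.
    for proto, src, dst in [("ip", "10.0.47.200", "172.16.5.5"),
                            ("ip", "172.16.5.5", "10.0.49.254"),
                            ("ip", "10.0.50.1", "10.0.50.2")]:
        print(proto, src, "->", dst, evaluate(PAGE_RULES, proto, src, dst))
```

The index returned alongside the action is what a practitioner wants when auditing an ACL: a permit from the wrong entry, or a deny with index None where an explicit entry was expected, shows that rule order or a wildcard mask is not doing what the operator intended.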