Netgear XCM8806 - 8800 SERIES 6-SLOT CHASSIS SWITCH User Manual

Chapter 13.  ACLs  
NETGEAR 8800 User Manual 
Notice that the conditions parameter is a quoted string that corresponds to the match conditions in the if { ... } portion of the ACL policy file entry. The individual match conditions are concatenated into a single string. The actions parameter corresponds to the then { ... } portion of the ACL policy file entry.
From the command line, you can get a list of match conditions and actions by using the following command:
check policy attribute {<attr>}
The ACL rule shown in the example will be saved when the save command is executed, because the optional keyword non-permanent was not configured. This allows the rule to persist across system reboots.
Note also that the sample ACL rule does not specify an application to which the rule belongs. The default application is CLI.
Limitations
Dynamic ACL rule names must be unique, but can be the same as used in a policy file-based ACL. Any dynamic rule counter names must be unique.
Configuring the ACL Rule on the Interface
After a dynamic ACL rule has been created, it can be applied to a port, VLAN, or to the wildcard any interface. When the ACL is applied, you specify the precedence of the rule among the dynamic ACL rules. To configure the dynamic ACL rule on an interface, use the following command:
configure access-list add <dynamic_rule> [ [[first | last] {priority 
<p_number>} {zone <zone>} ] | [[before | after] <rule>] | [ priority <p_number> 
{zone <zone>} ]] [ any | vlan <vlanname> | ports <portlist> ] {ingress | egress}
To remove a dynamic ACL from an interface, use the following command:
configure access-list delete <ruleName> [ any | vlan <vlanname> | ports 
<portlist> | all] {ingress | egress}
An ACL can be created to be used when an edge port detects a loop. This ACL acts to block looped frames while allowing the port to remain in a forwarding state rather than shutting down. To configure a dynamic ACL for blocking looped STP BPDUs on port 6, for example, use the following:
create access-list bpdu1 "ethernet-destination-address    \
                          01:80:C2:00:00:00;" "deny; count bpdu1"
conf access-list add "bpdu1" first ports 6 ingress
To configure a dynamic ACL for blocking PVST frames on port 6, use the following:
create access-list bpdu2 "ethernet-destination-address    \
                          01:00:0c:cc:cc:cd;" "deny; count bpdu2"