Software Reference for SwitchBlade x3100 Series Switches (Access and Security)
• TCP source and/or destination port numbers.
• APPLICATION abstract rule types that provide a predefined set of rules, such as a rule to permit or deny NETBIOS, DHCP and subscriber multicast traffic (FUM). These rule attributes are expanded by the internal traffic management system into one or more classifiers.
Note: Application ACLs (for example NETBIOS ACL) do not cover protocols running over IPX.
6.4.3 ACL for the SBx3112
The SBx3112 also qualifies ACLs as follows:
• Conflicting match fields on a single rule are rejected.
• Some match qualifiers are derived automatically. For example, if the user configures an access list with a TCP source port rule, the system automatically adds match qualifiers requiring the layer 2 protocol field to be IPv4 and the IP protocol field to be TCP.
The SBx3112 supports up to 96 rules per ACL (plus one default deny rule), while the iMAP supports up to 35 rules per ACL.
On a card basis:
• XE4 - can hold a full access list of 96 rules on all 4 ports.
• GE24POE - up to 44 rules of the same type per port.
• GE24SFP - up to 44 rules of the same type per port.
6.4.4 Configuring ACL
6.4.4.1 Default Configuration
When the SBx3112 is first installed and in service, there are no ACCESSLIST names.
6.4.4.2 Configuration Guidelines
• If enabled for filtering of dynamically learned DHCP IP addresses, dynamic DHCP IP filters are preserved.
• The user can set the default DENY or PERMIT rule for accesslists using the CREATE or SET ACCESSLIST
command. See the example that follows for details.
• Filtering can be applied to the MGMT and inband interfaces. This allows the user to block certain packets at the CFC CPU, preventing them from being processed.
• Hardware classification resources on ingress ports are limited. If the system experiences contention for these resources, an alarm is raised on the port.
• The user is not allowed to add an access list to a port that currently has classifiers in the precedence range reserved for access lists. Those classifiers must be removed from the port before the access list can be added.
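As an added illustration (not code from the Software Reference or from Allied Telesis), the following Python model of the 6.4.3 qualification rules and the 6.4.4.2 capacity guidelines shows how a TCP port match acquires the IPv4 and TCP qualifiers, how a rule whose explicit fields contradict those implied qualifiers is rejected, and how a list is checked against a card's per-port budget and against classifiers already sitting in the reserved precedence range. The dict-based rule format, the class and function names, and the decision not to charge the default rule against the per-port figure are assumptions; the numeric limits are the ones stated above.

```python
"""Model of how the SBx3112 qualifies ACL rules and sizes them against a card.

Added illustration, not Allied Telesis code. The rule format, class and function
names, and the treatment of the default rule are assumptions; the limits (96 rules
plus one default rule per ACL on the SBx3112, 35 on the iMAP, a full list on every
XE4 port, 44 rules per port on GE24POE/GE24SFP) are the figures from the text.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

IPV4 = 0x0800        # layer 2 protocol (Ethertype) value for IPv4
TCP, UDP = 6, 17     # IP protocol numbers

MAX_RULES = {"SBx3112": 96, "iMAP": 35}                     # user rules per ACL
PORT_RULE_LIMIT = {"XE4": 96, "GE24POE": 44, "GE24SFP": 44}  # rules per port, by card

# Qualifiers the system derives from each user-settable match field. A TCP port
# match only makes sense for IPv4 frames carrying TCP, so both are added.
IMPLIED_BY = {
    "tcp_sport": {"ethertype": IPV4, "ip_proto": TCP},
    "tcp_dport": {"ethertype": IPV4, "ip_proto": TCP},
    "udp_sport": {"ethertype": IPV4, "ip_proto": UDP},
    "udp_dport": {"ethertype": IPV4, "ip_proto": UDP},
    "src_ip": {"ethertype": IPV4},
    "dst_ip": {"ethertype": IPV4},
    "ip_proto": {"ethertype": IPV4},
}


class AclError(ValueError):
    """Raised where the switch would reject the rule or the list."""


def qualify(match: Dict[str, object]) -> Dict[str, object]:
    """Return the match with derived qualifiers added.

    A rule whose explicit fields contradict what another field implies (for
    example a TCP port together with ip_proto=UDP) has conflicting match
    fields and is rejected, as the SBx3112 does.
    """
    qualified = dict(match)
    for name in match:
        for derived, value in IMPLIED_BY.get(name, {}).items():
            current = qualified.get(derived)
            if current is not None and current != value:
                raise AclError(
                    f"{name} implies {derived}={value} but the rule sets {derived}={current}")
            qualified[derived] = value
    return qualified


def conflicts(match: Dict[str, object]) -> bool:
    """True if the rule would be rejected for conflicting match fields."""
    try:
        qualify(match)
    except AclError:
        return True
    return False


@dataclass
class AccessList:
    name: str
    platform: str = "SBx3112"
    default_action: str = "DENY"   # the default rule may be set to PERMIT instead
    rules: List[Tuple[str, Dict[str, object]]] = field(default_factory=list)

    def add_rule(self, action: str, match: Dict[str, object]) -> Dict[str, object]:
        """Qualify and append a rule, enforcing the per-platform rule cap."""
        if action not in ("PERMIT", "DENY"):
            raise AclError(f"unknown action {action}")
        if self.remaining() == 0:
            raise AclError(f"{self.platform} allows {MAX_RULES[self.platform]} rules per ACL")
        qualified = qualify(match)
        self.rules.append((action, qualified))
        return qualified

    def remaining(self) -> int:
        """User rules that can still be added before the platform cap."""
        return MAX_RULES[self.platform] - len(self.rules)

    def classifier_count(self) -> int:
        """Entries the list occupies: one per rule plus the trailing default rule."""
        return len(self.rules) + 1


@dataclass
class Port:
    card: str
    acl_range_classifiers: int = 0  # classifiers already in the ACL precedence range


def can_apply(acl: AccessList, port: Port) -> Tuple[bool, str]:
    """Decide whether the list can be attached to the port, with the reason if not."""
    if port.acl_range_classifiers:
        return False, "port has classifiers in the precedence range reserved for access lists"
    # Assumption: the per-port figure counts user rules; the default rule is not charged.
    if len(acl.rules) > PORT_RULE_LIMIT[port.card]:
        return False, f"{port.card} holds at most {PORT_RULE_LIMIT[port.card]} rules per port"
    return True, "ok"


if __name__ == "__main__":
    acl = AccessList("mgmt-in")
    print(acl.add_rule("PERMIT", {"tcp_dport": 22}))   # ethertype and ip_proto derived
    print("conflict:", conflicts({"tcp_sport": 80, "ip_proto": UDP}))
    print(can_apply(acl, Port("GE24SFP")))
```

Running the block shows the single SSH rule expanded to `{'tcp_dport': 22, 'ethertype': 2048, 'ip_proto': 6}`, the contradictory TCP-port-with-UDP rule flagged as a conflict, and the one-rule list accepted on a GE24SFP port; filling a list to 96 rules and offering it to a GE24SFP port, or to any port that already carries classifiers in the reserved precedence range, produces the refusal the guidelines describe.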