Introduction Configuring ACL
Software Reference for SwitchBlade x3100 Series Switches (Access and Security)
6-34
• Mapping of a classifier configuration port alarm will not be direct. If an accesslist configuration error occurs,
a system alarm or error indication will be generated. The user can observe, using the SHOW ALARMS
command, an error against an ACL. From there, the user can use the
SHOW ALARMS command on the port
in combination with SHOW ACCESSLIST <acl-name> INTERFACE <interface-name> and SHOW CLASSIFIER
ALL on the interface command to understand the root cause of the alarm. The cause of the error will be
r
ev
ealed in the SHO
W A
CCESSLIST <acl-n
ame> IN
TERFACE <interface-name> output. Users can nor-mally diagnose the error from that output. To see exactly which classifier caused the problem use SHOW
CLASSIFIER ALL INTERFACE <interface-name> FULL (note that this is usually not required).
• The user must be careful when applying the FUM (From User Multicast) application rule. If applied to the
wrong upstream port, for example a GE port, multicast video could be disabled for the whole system. Refer
to 6.3.2 on using classifiers.
• Because accesslists use classifiers, the user may observe classifier configuration failure logs/alarms when
configuring ACLs. Refer to the Allied Telesis Log Manual for information about classifier configuration failure.
• The user also cannot apply a classifier or access list to an empty LAG (i.e. one with no port members).
Note: The system will generate a warning message informing the user if or when resources have been
exceeded. The user should investigate classifier-related provisioning, such as IGMP, DHCPRELAY,
VLAN (for per-VLAN UFO and HVLAN), EPSR, INTERFACE (TAGALL option for HVLAN),
ACCESSLIST, and CLASSIFIER to determine the reason for the message.
• For the access list name of Application a match rule of DHCPCLIENT or DHCPSERVER (in Ta ble 6 - 7) fil-
ters on the destination DHCP traffic. In other words a match rule of DHCPCLIENT will filter on the inter-
face's ingress traffic that has a destination to the dhcp client and the match rule of DHCPSERVER will filter
on the interface's ingress traffic that has a destination to the dhcp server.
6.4.4.3 Configuration Procedure for ACL
The general sequence to configure an ACL is to:
• Create the ACCESSLIST; if this is for one rule, and interfaces are associated, the ACL is provisioned.
• Add rules to the ACCESSLIST; a rule can also be placed BEFORE an existing rule so that it takes higher pre-
cedence over the existing rule, or AFTER an existing rule so that it takes a lower precedence over the
existing rule.
• Add the ACCESSLIST to an interface or set of interfaces.
The general sequence to deprovision an ACCESSLIST is to:
• DELETE the ACCESSLIST from the associated interfaces.
• DESTROY the ACCESSLIST
In the following procedure, the user wishes to only allow traffic originated from a range of IP addresses
assigned to customers using the user’s set-top boxes (172.16.5.0 – 172.16.5.15).
To Next Page
Loading...
Need help?
General
