Configuring Access Control Lists 543
A named time range can contain up to 10 configured time ranges. Only one
absolute time range can be configured per time range. During the ACL
configuration, you can associate a configured time range with the ACL to
provide additional control over permitting or denying a user access to network
resources.
Benefits of using time-based ACLs include:
• Providing more control over permitting or denying a user access to
resources, such as an application (identified by an IP address/mask pair and
a port number).
• Providing control of logging messages. Individual ACL rules defined within
an ACL can be set to log traffic only at certain times of the day so you can
simply deny access without needing to analyze many logs generated during
peak hours.
What Are the ACL Limitations?
The following limitations apply to ingress and egress ACLs.
• Maximum of 100 ACLs.
• Maximum rules per ACL is 127.
• You can configure mirror or redirect attributes for a given ACL rule, but
not both.
• The PowerConnect 7000 Series switches support a limited number of
counter resources, so it may not be possible to log every ACL rule. You can
define an ACL with any number of logging rules, but the number of rules
that are actually logged cannot be determined until the ACL is applied to
an interface. Furthermore, hardware counters that become available after
an ACL is applied are not retroactively assigned to rules that were unable
to be logged (the ACL must be un-applied then re-applied). Rules that are
unable to be logged are still active in the ACL for purposes of permitting or
denying a matching packet. If console logging is enabled and the severity is
set to Info (6) or a lower severity, a log entry may appear on the screen.
• The order of the rules is important: when a packet matches multiple rules,
the first rule takes precedence. Also, once you define an ACL for a given
port, all traffic not specifically permitted by the ACL is denied access.
To Next Page
Loading...
