Configuring Access Control Lists
A named time range can contain up to 10 configured time ranges. Only one 
absolute time range can be configured per time range. During the ACL 
configuration, you can associate a configured time range with the ACL to 
provide additional control over permitting or denying a user access to network 
resources. 
Benefits of using time-based ACLs include: 
• Providing more control over permitting or denying a user access to 
resources, such as an application (identified by an IP address/mask pair and 
a port number). 
• Providing control of logging messages. Individual ACL rules defined within 
an ACL can be set to log traffic only at certain times of the day so you can 
simply deny access without needing to analyze many logs generated during 
peak hours.
What Are the ACL Limitations?
The following limitations apply to ingress and egress ACLs.
• Maximum of 100 ACLs.
• Maximum of 1023 rules per ACL, with 1023 ingress and 511 egress IPv4 
rules or 509 ingress and 253 egress IPv6 rules.
• You can configure mirror or redirect attributes for a given ACL rule, but 
not both.
• The PowerConnect 8000/8100-series switches support a limited number 
of counter resources, so it may not be possible to log every ACL rule. You 
can define an ACL with any number of logging rules, but the number of 
rules that are actually logged cannot be determined until the ACL is 
applied to an interface. Furthermore, hardware counters that become 
available after an ACL is applied are not retroactively assigned to rules that 
were unable to be logged (the ACL must be un-applied then re-applied). 
Rules that are unable to be logged are still active in the ACL for purposes 
of permitting or denying a matching packet. If console logging is enabled 
and the severity is set to Info (6) or a lower severity, a log entry may appear 
on the screen.
• The order of the rules is important: when a packet matches multiple rules, 
the first rule takes precedence. Also, once you define an ACL for a given 
port, all traffic not specifically permitted by the ACL is denied access.
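The first-match rule and the implicit deny described in the last item can be checked offline before an ACL is applied. The following is an added example, not Dell code or switch CLI syntax: it models a rule as an action, a source network and an optional destination port (a simplification of real ACL match fields), and the names Rule, evaluate and shadowed are hypothetical.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str              # "permit" or "deny"
    src: str                 # source network in CIDR form
    dport: Optional[int]     # destination port, None = any port

def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matching `later` also matches `earlier`."""
    same_family = ip_network(earlier.src).version == ip_network(later.src).version
    return (same_family
            and ip_network(later.src).subnet_of(ip_network(earlier.src))
            and earlier.dport in (None, later.dport))

def evaluate(rules, src_ip, dport):
    """Return (action, rule_index); index None means the implicit deny fired."""
    addr = ip_address(src_ip)
    for i, r in enumerate(rules):
        if addr in ip_network(r.src) and r.dport in (None, dport):
            return r.action, i       # first match wins, later rules are ignored
    return "deny", None              # nothing matched: denied by default

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(rules)
            if any(covers(rules[i], later) for i in range(j))]

# Constructed sample ACL (addresses and ports are illustrative only)
ACL = [
    Rule("deny",   "10.1.0.0/16", None),   # 0: block the whole /16
    Rule("permit", "10.1.5.0/24", 443),    # 1: intended exception, placed too late
    Rule("permit", "10.2.0.0/16", 443),    # 2
]

if __name__ == "__main__":
    print(evaluate(ACL, "10.1.5.20", 443))   # hits rule 0, never reaches rule 1
    print(evaluate(ACL, "192.168.1.1", 80))  # no rule matches: implicit deny
    print(shadowed(ACL))                     # rules to move up or delete
```

Moving the narrower permit ahead of the broader deny makes the exception effective and clears the shadowed-rule report.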