Configuring the ECN330-switch
1571553-KDU 137 365 Uen D 2006-06-16
specifying masks that control the order in which ACL rules are checked. The
ECN330-switch includes two system default masks that pass/filter packets
matching the permit/deny rules specified in an ingress ACL. Up to seven user-
defined masks can also be configured for an ACL. A mask must be bound
exclusively to one of the basic ACL types (that is, Ingress IP ACL, Egress IP
ACL, Ingress MAC ACL, Egress MAC ACL, or Ingress VLAN ACL), but a mask
can be bound to up to four ACLs of the same type.
The following filtering modes are supported:
• Standard IP ACL mode (STD-ACL) filters packets based on the source IP address.
• Extended IP ACL mode (EXT-ACL) filters packets based on source or destination IP address, as well as protocol type and protocol port number. If the TCP protocol is specified, packets can also be filtered based on the TCP control code.
• MAC ACL mode (MAC-ACL) filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).
• VLAN ACL mode (VLAN ACL) controls filtering within a VLAN based on specified IP or MAC ACLs.
Command Usage
The following restrictions apply to ACLs:
General Restrictions
• The ECN330-switch supports ACLs for both ingress and egress filtering. However, only one IP ACL and one MAC ACL can be bound to any port for ingress filtering, and one IP ACL and one MAC ACL to any port for egress filtering. In other words, only four ACLs can be bound to an interface – Ingress IP ACL, Egress IP ACL, Ingress MAC ACL and Egress MAC ACL.
• When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.
• The maximum number of ACLs is:
  • Fast Ethernet ports - 193 rules, 2 masks shared by 8-port groups
  • Gigabit Ethernet ports - 65 rules, 2 masks
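The restrictions above (one ACL of each type per port, deny-only egress ACLs, at most seven user-defined masks per ACL, a mask bound to one ACL type and at most four ACLs, and the per-port-type rule limits) can be checked before a bind is attempted. The following is an added example, not code from the manual or the switch; its data model is invented, and it assumes the rule limit is a per-port budget.

```python
# Added example: pre-bind checker for the ECN330 ACL restrictions listed above.
# Assumptions (not from the manual): the data model and a per-port rule budget.
from dataclasses import dataclass

PORT_BINDABLE = {"ingress-ip", "egress-ip", "ingress-mac", "egress-mac"}  # one of each per port
RULE_LIMITS = {"fast": 193, "gigabit": 65}  # rules per port type, from the list above
MAX_USER_MASKS_PER_ACL = 7
MAX_ACLS_PER_MASK = 4

@dataclass
class Acl:
    name: str
    acl_type: str        # ingress-ip, egress-ip, ingress-mac, egress-mac or ingress-vlan
    rules: list          # each entry is "permit" or "deny"
    user_masks: int = 0  # number of user-defined masks configured on this ACL

@dataclass
class Mask:
    name: str
    acl_type: str        # the single ACL type this mask is bound to
    bound_to: list       # names of the ACLs using this mask

def check_port(port_type, bindings, acls):
    """Validate the ACLs bound to one port; returns a list of violations (empty = OK)."""
    problems, seen, total = [], {}, 0
    for name in bindings:
        acl = acls[name]
        if acl.acl_type not in PORT_BINDABLE:  # VLAN ACLs are not port-bindable
            problems.append(f"{name}: {acl.acl_type} ACL cannot be bound to a port")
            continue
        if acl.acl_type in seen:  # only one ACL of each type per port
            problems.append(f"{name}: {acl.acl_type} already bound ({seen[acl.acl_type]})")
        seen[acl.acl_type] = name
        if acl.acl_type.startswith("egress") and any(r != "deny" for r in acl.rules):
            problems.append(f"{name}: egress ACLs may contain deny rules only")
        if acl.user_masks > MAX_USER_MASKS_PER_ACL:
            problems.append(f"{name}: more than {MAX_USER_MASKS_PER_ACL} user-defined masks")
        total += len(acl.rules)
    if total > RULE_LIMITS[port_type]:
        problems.append(f"{total} rules exceed the {port_type} port limit of {RULE_LIMITS[port_type]}")
    return problems

def check_mask(mask, acls):
    """A mask binds to one ACL type only and to at most four ACLs of that type."""
    problems = [f"{mask.name}: {n} is {acls[n].acl_type}, mask is {mask.acl_type}"
                for n in mask.bound_to if acls[n].acl_type != mask.acl_type]
    if len(mask.bound_to) > MAX_ACLS_PER_MASK:
        problems.append(f"{mask.name}: bound to {len(mask.bound_to)} ACLs (max {MAX_ACLS_PER_MASK})")
    return problems
```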