
Quanta Cloud Technology QuantaMesh QNOS5 User Manual

256 pages
• Providing control of logging messages. Individual ACL rules defined within an ACL can be set
  to log traffic only at certain times of the day so you can simply deny access without needing
  to analyze many logs generated during peak hours.
4.3.7. ACL Rule Remarks
ACL remarks can be added to ACL rules to assist users in understanding the rules. Users can add up to 10
remarks per rule, up to 100 characters each (including alphanumeric characters and special characters such
as space, hyphen, and underscore). One or more remarks are associated with the rule that is created
immediately after the remarks are created and are deleted when the associated rule is deleted. They can be
viewed using the show running-config command but are not displayed by the show access-lists
commands.
4.3.8. ACL Rule Priority
A sequence number can be added to ACL rule entries to facilitate resequencing them. When a new ACL rule
entry is added, a unique sequence number can be specified so that the new ACL rule entry is placed in the
desired position in the access list.
If no sequence number is specified, then the rule is assigned a sequence number that is 10 greater than the
highest existing sequence number for the rule (that is, it is made the lowest-priority rule); or, if the rule is the
first one created for the ACL, it is assigned sequence number 10.
4.3.9. ACL Limitations
The following limitations apply to ingress and egress ACLs.
• Maximum of 100 ACLs.
• Maximum number of configurable rules per list is 1023.
• Maximum ACL rules (system-wide) for ingress is 4096.
• Maximum ACL rules (system-wide) for egress is 1024.
• You can configure mirror or redirect attributes for a given ACL rule, but not both.
• The switch hardware supports a limited number of counter resources, so it may not be
  possible to log every ACL rule. You can define an ACL with any number of logging rules, but the
  number of rules that are actually logged cannot be determined until the ACL is applied to an
  interface. Furthermore, hardware counters that become available after an ACL is applied are
  not retroactively assigned to rules that were unable to be logged (the ACL must be un-applied
  then re-applied). Rules that are unable to be logged are still active in the ACL for
  purposes of permitting or denying a matching packet. If console logging is enabled and the
  severity is set to Info (6) or a lower severity, a log entry may appear on the screen.
• The order of the rules is important: when a packet matches multiple rules, the first rule takes
  precedence.
Also, once you define an ACL for a given port, all traffic not specifically permitted by the ACL is denied access.
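
The following added example (not taken from the manual, and not QNOS code) models the behaviour described in 4.3.8 and 4.3.9 in Python: default sequence numbering, first-match precedence, the implicit deny, and a check for rules that can never match because an earlier rule covers them. The Acl class and its method names are hypothetical, rules match on source address only, and rejecting a duplicate sequence number is an assumption of the model.

```python
import ipaddress

MAX_RULES_PER_LIST = 1023  # per-list limit stated in section 4.3.9

class Acl:
    """Toy model of one ACL: rules keyed by sequence number, lowest first."""

    def __init__(self):
        self.rules = {}  # sequence number -> (action, source network)

    def add(self, action, src, seq=None):
        if len(self.rules) >= MAX_RULES_PER_LIST:
            raise ValueError("rule limit per list reached")
        if seq is None:
            # Section 4.3.8: 10 for the first rule, else highest existing + 10.
            seq = max(self.rules) + 10 if self.rules else 10
        if seq in self.rules:  # assumption: the model rejects a reused number
            raise ValueError(f"sequence number {seq} already in use")
        self.rules[seq] = (action, ipaddress.ip_network(src))
        return seq

    def evaluate(self, src_ip):
        """Return (action, seq) of the first match; seq None means implicit deny."""
        addr = ipaddress.ip_address(src_ip)
        for seq in sorted(self.rules):
            action, net = self.rules[seq]
            if addr in net:
                return action, seq
        return "deny", None

    def shadowed(self):
        """Sequence numbers of rules fully covered by an earlier rule."""
        order = sorted(self.rules)
        return [s for i, s in enumerate(order)
                if any(self.rules[s][1].subnet_of(self.rules[e][1]) for e in order[:i])]

def demo():
    # Constructed sample rules and addresses.
    acl = Acl()
    acl.add("permit", "10.0.0.0/8")             # assigned sequence number 10
    late = acl.add("deny", "10.1.2.0/24")       # assigned 20, so it sits behind rule 10
    before = acl.evaluate("10.1.2.5")           # the broad permit wins
    hidden = acl.shadowed()                     # the deny is never reached
    del acl.rules[late]
    acl.add("deny", "10.1.2.0/24", seq=5)       # explicit number places it first
    return before, hidden, acl.evaluate("10.1.2.5"), acl.evaluate("192.0.2.1")

if __name__ == "__main__":
    print(demo())
```

Running a shadow check like this against an exported rule list before applying it to a port catches deny rules that were appended with a default sequence number behind a broader permit.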
