Reference Guide
144 | IP Access Control Lists (ACL), Prefix Lists, and Route-maps
www.dell.com | support.dell.com
Configuring Layer 2 and Layer 3 ACLs on an Interface
Both Layer 2 and Layer 3 ACLs may be configured on an interface in Layer 2 mode. If both L2 and L3
ACLs are applied to an interface, the following rules apply:
• The packets routed by FTOS are governed by the L3 ACL only, since they are not filtered against an
L2 ACL.
• The packets switched by FTOS are first filtered by the L3 ACL, then by the L2 ACL.
• When packets are switched by FTOS, the egress L3 ACL does not filter the packet.
For the following features, if counters are enabled on rules that have already been configured and a new
rule is either inserted or prepended, all the existing counters will be reset:
• L2 Ingress Access list
• L3 Egress Access list
• L2 Egress Access list
If a rule is simply appended, existing counters are not affected.
For information on MAC ACLs, refer to the Access Control Lists (ACLs) chapter in the FTOS Command
Line Reference Guide.
Table 10-2. L2 and L3 ACL Filtering on Switched Packets
L2 ACL Behavior    L3 ACL Behavior    Decision on Targeted Traffic
Deny               Deny               Denied by L3 ACL
Deny               Permit             Permitted by L3 ACL
Permit             Deny               Denied by L2 ACL
Permit             Permit             Permitted by L2 ACL
Note: If an interface is configured as a “vlan-stack access” port, the packets are filtered by an L2 ACL
only. The L3 ACL applied to such a port does not affect traffic. That is, existing rules for other features
(such as trace-list, PBR, and QoS) are applied accordingly to the permitted traffic.
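The following added example (not part of the Dell guide and not FTOS code) models the rules above and Table 10-2 as printed, and reports which configured deny verdicts do not actually block the traffic, which is the case to look for when reviewing ACL placement. The names evaluate, Result, TABLE_10_2 and CASES are hypothetical; it assumes that Table 10-2 describes switched ingress traffic and that a layer with no ACL applied does no filtering.

```python
from typing import NamedTuple, Optional

# Table 10-2 as printed: (L2 verdict, L3 verdict) -> (decision, ACL named in the table)
TABLE_10_2 = {
    ("deny", "deny"): ("deny", "L3"),
    ("deny", "permit"): ("permit", "L3"),
    ("permit", "deny"): ("deny", "L2"),
    ("permit", "permit"): ("permit", "L2"),
}

class Result(NamedTuple):
    decision: str          # "permit" or "deny"
    decided_by: str        # "L2", "L3" or "none"
    bypassed_denies: list  # ACLs whose deny verdict did not block the traffic

def evaluate(path: str, direction: str, l2: Optional[str], l3: Optional[str],
             vlan_stack_access: bool = False) -> Result:
    """path: "switched" or "routed"; direction: "in" or "out";
    l2 / l3: "permit", "deny", or None when no ACL of that layer is applied."""
    # Work out which ACLs are consulted at all, per the rules on the page.
    if vlan_stack_access:
        use_l2, use_l3 = True, False   # Note: vlan-stack access port, L2 ACL only
    elif path == "routed":
        use_l2, use_l3 = False, True   # routed packets: L3 ACL only
    elif direction == "out":
        use_l2, use_l3 = True, False   # switched: egress L3 ACL does not filter
    else:
        use_l2, use_l3 = True, True    # switched ingress: Table 10-2 (assumption)
    eff_l2 = l2 if use_l2 else None
    eff_l3 = l3 if use_l3 else None
    if eff_l2 and eff_l3:
        decision, by = TABLE_10_2[(eff_l2, eff_l3)]
    elif eff_l2 or eff_l3:
        decision, by = (eff_l2, "L2") if eff_l2 else (eff_l3, "L3")
    else:
        decision, by = "permit", "none"  # assumption: no consulted ACL, no filtering
    bypassed = [name for name, verdict in (("L2", l2), ("L3", l3))
                if verdict == "deny" and decision == "permit"]
    return Result(decision, by, bypassed)

# Constructed review cases: (path, direction, L2 verdict, L3 verdict, vlan-stack access)
CASES = [
    ("switched", "in", "deny", "permit", False),
    ("switched", "out", "permit", "deny", False),
    ("switched", "in", "permit", "deny", True),
    ("routed", "in", "deny", "permit", False),
]

if __name__ == "__main__":
    for case in CASES:
        print(case, "->", evaluate(*case))
```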










