Owner's Manual
320 | Chapter 13. ACLs
NETGEAR 8800 User Manual
counter, could count the packet more than once. Do not use precedence to control counter usage;
define a different counter for each case you want to count. For details of this behavior on
different platforms, see ACL Slices and Rules on page 325.
Precedence of Dynamic ACLs
Dynamic ACLs take precedence over any ACL applied using a policy file. Among dynamic ACLs,
precedence is determined by the order in which they are configured. Among ACLs applied using a
policy file, precedence is determined by each rule's relative position in the policy file.
Precedence of L2/L3/L4 ACL Entries
Rule precedence is determined solely by the rule's relative order. L2, L3, and L4 rules are
evaluated in the order in which they appear in the policy file or were added by dynamic ACL
configuration; a more specific rule placed later does not take precedence over a broader rule
placed before it.
Precedence Among Interface Types
As an example of precedence among interface types, suppose physical port 1:2 is a member of
VLAN yellow. ACLs can be applied to the port (individually or as part of a port list), to VLAN
yellow, and to all ports in the switch (the wildcard ACL). For a packet crossing this port, the
port-based ACL has the highest precedence, followed by the VLAN-based ACL and then the wildcard
ACL.
Precedence with Egress ACLs
Egress ACL lookup happens at egress, while diffserv, dot1p, and other non-ACL feature
examination happens at ingress. The egress ACL is therefore applied last and takes precedence
over those features.
Redundant Rules
For NETGEAR 8800 series switches, eliminate redundant rules (rules with exactly the same match
criteria) from the policy file. If two rules have identical match conditions but different
actions, the hardware rejects the second rule.
For example, the following two ACL entries are not allowed:
entry DenyNMR {
    if {
        protocol 17;
        destination-port 161;
    } then {
        deny;
        count denyNMR;
    }
}
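The precedence rules in this section (rule order within a policy, port ACL before VLAN ACL before wildcard ACL, and the rejection of redundant rules) are easy to get wrong when editing a large policy file. The following Python model is an added example written for this page; it is not NETGEAR code and not the switch's actual lookup engine. It parses the entry syntax shown in this chapter, flags rules with identical match criteria before they are loaded, and walks a packet through the documented precedence. The policy texts, the entry names other than DenyNMR, and the counter names are constructed for the example; the model matches exact values only (no masks or ranges), and its assumption that the first interface type with a matching rule decides is the model's own, not a statement from the manual.

```python
"""Toy model of the ACL precedence rules described in this chapter.

Added example, not NETGEAR code. Parses the 'entry NAME { if {..} then
{..} }' syntax shown in the manual, flags redundant rules (identical match
criteria), and applies the documented precedence: rules in file order, and
port ACL before VLAN ACL before wildcard ACL. Exact-value matching only.
"""
import re

# entry NAME { if { <match statements> } then { <action statements> } }
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)


def _statements(block):
    """Split 'key value; key value;' into (key, value) pairs."""
    pairs = []
    for stmt in block.split(";"):
        stmt = stmt.strip()
        if stmt:
            key, _, val = stmt.partition(" ")
            pairs.append((key, val.strip()))
    return pairs


def parse_policy(text):
    """Return rules in file order as (name, match_dict, action_list)."""
    text = re.sub(r"#.*", "", text)  # strip '#' comments before parsing
    rules = []
    for name, cond, act in ENTRY_RE.findall(text):
        match = dict(_statements(cond))
        actions = [" ".join(p for p in kv if p) for kv in _statements(act)]
        rules.append((name, match, actions))
    return rules


def find_redundant(rules):
    """(later, earlier) pairs with identical match criteria. The manual says
    the hardware rejects the second one, so lint for this before loading."""
    first_with, dups = {}, []
    for name, match, _ in rules:
        key = tuple(sorted(match.items()))
        if key in first_with:
            dups.append((name, first_with[key]))
        else:
            first_with[key] = name
    return dups


def first_match(rules, pkt):
    """File order decides: the first rule whose criteria all equal the
    packet's fields wins, however specific a later rule may be."""
    for name, match, actions in rules:
        if all(pkt.get(k) == v for k, v in match.items()):
            return name, actions
    return None


def lookup(policies, pkt):
    """policies: [(scope, rules), ...] already in precedence order, e.g.
    port, vlan, wildcard for a packet on a port that belongs to that VLAN.
    Model assumption: the first scope with a matching rule decides."""
    for scope, rules in policies:
        hit = first_match(rules, pkt)
        if hit:
            return scope, hit[0], hit[1]
    return None, None, []


# Constructed sample policies. DenyNMR is the manual's own entry; everything
# else (entry, counter and policy names) is made up for this example.
PORT_1_2_POLICY = """
entry DenyNMR {
    if { protocol 17; destination-port 161; } then { deny; count denyNMR; }
}
"""
VLAN_YELLOW_POLICY = """
entry AllowSNMP { if { protocol 17; destination-port 161; } then { permit; } }
entry AllowSSH  { if { protocol 6; destination-port 22; } then { permit; } }
"""
WILDCARD_POLICY = """
entry DenyAll { if { } then { deny; count dropped; } }   # catch-all
"""
# Same match criteria as DenyNMR, different action: the pair the text forbids.
BAD_POLICY = PORT_1_2_POLICY + """
entry PermitNMR { if { protocol 17; destination-port 161; } then { permit; } }
"""


def demo():
    policies = [("port", parse_policy(PORT_1_2_POLICY)),
                ("vlan", parse_policy(VLAN_YELLOW_POLICY)),
                ("wildcard", parse_policy(WILDCARD_POLICY))]
    snmp = {"protocol": "17", "destination-port": "161"}
    return {
        "snmp": lookup(policies, snmp),  # port deny beats the VLAN permit
        "ssh": lookup(policies, {"protocol": "6", "destination-port": "22"}),
        "telnet": lookup(policies, {"protocol": "6", "destination-port": "23"}),
        "redundant": find_redundant(parse_policy(BAD_POLICY)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the script shows SNMP traffic on port 1:2 denied by the port ACL even though the VLAN policy would permit it, SSH falling through to the VLAN ACL, Telnet caught only by the wildcard ACL, and PermitNMR reported as redundant with DenyNMR. The redundancy check is worth running over a policy file before applying it, since the switch otherwise silently drops the second rule of such a pair.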