SGS-6341-Series User Manual
Table Of Contents
- Chapter 1 INTRODUCTION
- Chapter 2 INSTALLATION
- Chapter 3 Switch Management
- Chapter 4 Basic Switch Configuration
- Chapter 5 File System Operations
- Chapter 6 Cluster Configuration
- Chapter 7 Port Configuration
- Chapter 8 Port Isolation Function Configuration
- Chapter 9 Port Loopback Detection Function Configuration
- Chapter 10 ULDP Function Configuration
- Chapter 11 LLDP Function Operation Configuration
- Chapter 12 Port Channel Configuration
- Chapter 13 MTU Configuration
- Chapter 14 EFM OAM Configuration
- Chapter 15 PORT SECURITY
- Chapter 16 DDM Configuration
- Chapter 17 LLDP-MED
- Chapter 18 bpdu-tunnel Configuration
- Chapter 19 EEE Energy-saving Configuration
- Chapter 20 VLAN Configuration
- Chapter 21 MAC Table Configuration
- Chapter 22 MSTP Configuration
- Chapter 23 QoS Configuration
- Chapter 24 Flow-based Redirection
- Chapter 25 Flexible Q-in-Q Configuration
- Chapter 26 Layer 3 Management Configuration
- Chapter 27 ARP Scanning Prevention Function Configuration
- Chapter 28 Prevent ARP Spoofing Configuration
- Chapter 29 ARP GUARD Configuration
- Chapter 30 Gratuitous ARP Configuration
- Chapter 31 DHCP Configuration
- Chapter 32 DHCPv6 Configuration
- Chapter 33 DHCP Option 82 Configuration
- Chapter 34 DHCP Option 60 and option 43
- Chapter 35 DHCPv6 Options 37, 38
- Chapter 36 DHCP Snooping Configuration
- Chapter 37 DHCP Snooping Option 82 Configuration
- Chapter 38 IPv4 Multicast Protocol
- Chapter 39 IPv6 Multicast Protocol
- Chapter 40 Multicast VLAN
- Chapter 41 ACL Configuration
- Chapter 42 802.1x Configuration
- 42.1 Introduction to 802.1x
- 42.2 802.1x Configuration Task List
- 42.3 802.1x Application Example
- 42.4 802.1x Troubleshooting
- Chapter 43 The Number Limitation Function of MAC and IP in Port, VLAN Configuration
- Chapter 44 Operational Configuration of AM Function
- Chapter 45 Security Feature Configuration
- 45.1 Introduction to Security Feature
- 45.2 Security Feature Configuration
- 45.2.1 Prevent IP Spoofing Function Configuration Task Sequence
- 45.2.2 Prevent TCP Unauthorized Label Attack Function Configuration Task Sequence
- 45.2.3 Anti Port Cheat Function Configuration Task Sequence
- 45.2.4 Prevent TCP Fragment Attack Function Configuration Task Sequence
- 45.2.5 Prevent ICMP Fragment Attack Function Configuration Task Sequence
- 45.3 Security Feature Example
- Chapter 46 TACACS+ Configuration
- Chapter 47 RADIUS Configuration
- Chapter 48 SSL Configuration
- Chapter 49 IPv6 Security RA Configuration
- Chapter 50 MAB Configuration
- Chapter 51 PPPoE Intermediate Agent Configuration
- Chapter 52 Web Portal Configuration
- Chapter 53 VLAN-ACL Configuration
- Chapter 54 SAVI Configuration
- Chapter 55 MRPP Configuration
- Chapter 56 ULPP Configuration
- Chapter 57 ULSM Configuration
- Chapter 58 Mirror Configuration
- Chapter 59 sFlow Configuration
- Chapter 60 RSPAN Configuration
- Chapter 61 ERSPAN
- Chapter 62 SNTP Configuration
- Chapter 63 NTP Function Configuration
- Chapter 64 Summer Time Configuration
- Chapter 65 DNSv4/v6 Configuration
- Chapter 66 Monitor and Debug
- Chapter 67 Reload Switch after Specified Time
- Chapter 68 Debugging and Diagnosis for Packets Received and Sent by CPU
- Chapter 69 Dying Gasp Configuration
- Chapter 70 PoE Configuration
41.4 ACL Troubleshooting
Checking for entries in the ACL is done in a top-down order and ends whenever an entry
is matched.
Default rule will be used only if no ACL is bound to the incoming direction of the port, or
no ACL entry is matched.Each ingress port can bind one MAC-IP ACL, one IP ACL, one
MAC ACL, one IPv6 ACL (via the physical interface mode or Vlan interface mode).
When binding four ACL and packet matching several ACL at the same time, the priority
relations are as follows in a top-down order. If the priority is same, then the priority of
configuration at first is higher.
Ingress IPv6 ACL
Ingress MAC-IP ACL
Ingress IP ACL
Ingress MAC ACL
The number of ACLs that can be successfully bound depends on the content of the ACL
bound and the hardware resource limit. Users will be prompted if an ACL cannot be
bound due to hardware resource limitation.
If an access-list contains same filtering information but conflicting action rules, binding to
the port will fail with an error message. For instance, configuring “permit tcp any
any-destination” and “deny tcp any any-destination” at the same time is not permitted.
Viruses such as “worm.blaster” can be blocked by configuring ACL to block specific ICMP
packets or specific TCP or UDP port packet.
If the physical mode of an interface is TRUNK, ACL can only be configured through
physical interface mode.
ACL configured in the physical mode can only be disabled in the physical mode. Those
configured in the VLAN interface configuration mode can only be disabled in the VLAN
interface mode.
When a physical interface is added into or removed from a VLAN (with the trunk
interfaces as exceptions), ACL configured in the corresponding VLAN will be bound or
unbound respectively. If ACL configured in the target VLAN, which is configured in VLAN
interface mode, conflicts with existing ACL configuration on the interface, which is
configured in physical interface mode, the configuration will fail to effect.
When no physical interfaces are configured in the VLAN, the ACL configuration of the
VLAN will be removed. And it can not recover if new interfaces are added to the VLAN.
When the interface mode is changed from access mode to trunk mode, the ACL
configured in VLAN interface mode which is bound to physical interface will be removed.
And when the interface mode is changed from trunk mode to access mode, ACL
configured in VLAN1 interface mode will be bound to the physical interface. If binding
fails, the changing will fail either.
When removing a VLAN configuration, if there are any ACLs bound to the VLAN, the ACL
41-69
User’s Manual of SGS-6341 series