D-Link DES-7200 Refrigerator User Manual


DES-7200 Configuration Guide Chapter 1 Access Control List Configuration
Caution
1. When associating an ACL with an SVI in the outbound direction,
you should note that:
Standard IP ACLs, extended IP ACLs, extended MAC ACLs and
expert ACLs are supported.
There are some limits on matching the destination IP address and
the destination MAC address in an ACL. If you configure an
extended MAC ACL or expert ACL to match the destination MAC
address and then apply it to the outbound direction of an SVI,
the entry is set but does not take effect. If a standard IP ACL,
extended IP ACL or expert ACL needs to match a destination IP
address that is not in the subnet IP range of the associated SVI,
the ACL does not take effect. For example, VLAN 1's IP address is
192.168.64.1 255.255.255.0. If you create an ACL with the ACE
deny udp any 192.168.65.1 0.0.0.255 eq 255 and apply it at the
egress of VLAN 1, the ACL does not function, because the
destination IP address is not in the subnet IP range of VLAN 1.
If the ACE is deny udp any 192.168.64.1 0.0.0.255 eq 255, the
ACL takes effect.
2. For the DES-7200 series, when an input ACL is used together with
DOT1X, global IP+MAC binding, port security and IP Source Guard, the
Permit ACEs and the default Deny ACE are ineffective, while the other
Deny ACEs take effect.
3. For the DES-7200 series, when an input ACL is used together with
QoS, the Permit ACEs are ineffective while the other Deny ACEs take
effect. The default Deny ACE behind the QoS entry takes effect.
4. For the 7200-24, 7200-24G, 7200-48, 7200-48P, 7200-2XG,
7200-4XG and 7200-24P line cards of the DES-7200, after you apply an
ACL to the incoming direction of multiple SVIs and then increase the
number of ACEs in the ACL, the ACLs may fail to be configured on the
SVIs after the configuration is saved and the device is reloaded,
because of insufficient hardware capacity.
5. When you configure an expert ACL and apply it to the outbound
direction of an interface, if some ACEs in the ACL contain layer-3
matching information (such as IP or L4 port), the ACL's permit and
deny rules fail to control the non-IP packets transmitted on the
interface.
6. When you apply an ACL, if the ACEs in the ACL (including IP access
lists and expert extended access lists) match on non-L2 fields (such
as SIP or DIP), matching of tagged MPLS packets is invalid.
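
The destination-subnet limit in item 1, as an added example that is not part of the D-Link guide: a Python check that classifies extended IP ACEs bound outbound to an SVI, so rules that would be set but silently not take effect are caught before deployment. The function names, the "review" verdict for destinations that only partly overlap the SVI subnet (a case the guide does not describe), and the sample ACE list are assumptions of this example.

```python
import ipaddress

def _spec_to_net(tokens):
    """Consume one 'any' | 'host A' | 'A WILDCARD' spec; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild = int(ipaddress.IPv4Address(tokens[1]))
    host_bits = wild.bit_length()
    if wild != (1 << host_bits) - 1:  # only contiguous wildcards are handled here
        raise ValueError("non-contiguous wildcard not handled: " + tokens[1])
    return ipaddress.ip_network((tokens[0], 32 - host_bits), strict=False), tokens[2:]

def egress_effect(ace, svi_ip, svi_mask):
    """Classify an extended IP ACE applied outbound on an SVI (Caution item 1)."""
    svi = ipaddress.ip_network((svi_ip, svi_mask), strict=False)
    tokens = ace.split()[2:]              # skip action and protocol
    _src, rest = _spec_to_net(tokens)
    if rest and rest[0] == "eq":          # optional source-port match
        rest = rest[2:]
    dst, _ = _spec_to_net(rest)
    if dst.subnet_of(svi):
        return "effective"                # destination inside the SVI subnet
    if not dst.overlaps(svi):
        return "ineffective"              # guide: this ACL will not take effect
    return "review"                       # assumption: partial overlap is not covered by the guide

def audit(aces, svi_ip, svi_mask):
    """Return (ace, verdict) for every ACE that is not clearly effective."""
    verdicts = [(a, egress_effect(a, svi_ip, svi_mask)) for a in aces]
    return [(a, v) for a, v in verdicts if v != "effective"]

# Constructed sample; the first two ACEs are the ones quoted in the guide.
SAMPLE_ACES = [
    "deny udp any 192.168.65.1 0.0.0.255 eq 255",
    "deny udp any 192.168.64.1 0.0.0.255 eq 255",
    "permit tcp host 10.0.0.5 host 192.168.64.20 eq 80",
    "deny ip any any",
]

if __name__ == "__main__":
    # VLAN 1 address and mask taken from the guide's example.
    for ace, verdict in audit(SAMPLE_ACES, "192.168.64.1", "255.255.255.0"):
        print(f"{verdict:12} {ace}")
```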