4 acl troubleshooting, 1 command for monitor and debug, Troubleshooting – Accton Technology ES4626 User Manual
Page 773
Switch(Config-Ethernet1/10)#ip access-group 110 in
Switch(Config-Ethernet1/10)#exit
Switch(Config)#exit
Configuration result:
Switch#show firewall
Firewall Status: Enable.
Firewall Default Rule: Permit.
Switch#show access-lists
access-list 110(used 1 time(s))
access-list 110 deny tcp 10.0.0.0 0.0.0.255 any-destination d-port 21
Switch#show access-group interface ethernet 1/10
interface name:Ethernet1/10
the ingress acl use in firewall is 110.
18.4 ACL Troubleshooting
- Checking for entries in the ACL is done in top-down order and ends as soon as an entry is matched.
- The default rule is used only if no ACL is bound to the specific direction of the port, or no ACL entry is matched.
- ACLs apply to IP packets incoming on all ports and have no effect on other types of packets.
- One port can be bound to only one incoming ACL.
- The number of ACLs that can be successfully bound depends on the content of the bound ACLs and the hardware resource limit. Users are prompted if an ACL cannot be bound due to the hardware resource limitation.
- If an access-list contains entries with the same filtering information but conflicting action rules, binding it to the port fails with an error message. For instance, configuring “permit tcp any any-destination” and “deny tcp any any-destination” at the same time is not permitted.
- Viruses such as “worm.blaster” can be blocked by configuring an ACL to block specific ICMP packets or packets to specific TCP or UDP ports.
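The rules above, modelled as an added Python example that is not part of the ES4626 manual: top-down first match, the default rule when no ACL is bound or nothing matches, IP-only scope, and a bind-time check that rejects entries with the same filtering information but conflicting actions. The packet dictionaries, the Entry class and the helper names are assumptions made for the illustration; the sample ACL mirrors access-list 110 from the configuration above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass(frozen=True)
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "ip" for any IP protocol
    src: IPv4Network       # source prefix ("any" is 0.0.0.0/0)
    dport: Optional[int]   # destination port, None means any port

    def key(self):
        # The filtering information without the action; two entries with the
        # same key but different actions are the conflict the manual describes.
        return (self.proto, self.src, self.dport)

    def matches(self, pkt):
        return (self.proto in ("ip", pkt["proto"])
                and IPv4Address(pkt["src"]) in self.src
                and (self.dport is None or self.dport == pkt.get("dport")))

def wildcard_to_network(addr, wildcard):
    """Turn CLI 'addr wildcard' (10.0.0.0 0.0.0.255) into a prefix (assumes a
    contiguous wildcard, as in the manual's example)."""
    mask = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return IPv4Network((int(IPv4Address(addr)) & mask, bin(mask).count("1")))

def bind(acl):
    """Bind an ACL; refuse it if entries share filtering info but conflict."""
    seen = {}
    for e in acl:
        if seen.get(e.key(), e.action) != e.action:
            raise ValueError(f"conflicting actions for {e.key()}")
        seen[e.key()] = e.action
    return acl

def evaluate(pkt, acl, default="permit"):
    """Top-down first match; the default rule applies when no ACL is bound
    or nothing matches; non-IP frames are outside the ACL's scope."""
    if not pkt.get("ip", True):            # e.g. an ARP frame
        return "permit"
    for e in acl or []:
        if e.matches(pkt):
            return e.action
    return default

# Constructed sample: the manual's access-list 110 with firewall default rule Permit.
ACL110 = bind([Entry("deny", "tcp", wildcard_to_network("10.0.0.0", "0.0.0.255"), 21)])
print(evaluate({"proto": "tcp", "src": "10.0.0.7", "dport": 21}, ACL110))  # deny
```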
18.4.1 Command for Monitor And Debug