beautypg.com

Maximum entries – Extreme Networks 200 Series User Manual

Page 121

background image

Using Access Control Lists

Summit 200 Series Switch Installation and User Guide

119

NOTE

For an example of using the permit-established keyword, refer to “Using the Permit-Established
Keyword” on page 124
.

The permit-established keyword denies the access control list. Having a permit-established access
control list blocks all traffic that matches the TCP source/destination, and has the SYN=1 and ACK=0
flags set.

Adding Access Mask, Access List, and Rate Limit Entries

Entries can be added to the access masks, access lists, and rate limits. To add an entry, you must supply
a unique name using the

create

command, and supply a number of optional parameters (see Table 32

for the full command syntax). For access lists and rate limits, you must specify an access mask to use.
To modify an existing entry, you must delete the entry and retype it, or create a new entry with a new
unique name.

To add an access mask entry, use the following command:

create access-mask ...

To add an access list entry, use the following command:

create access-list ...

To add a rate limit entry, use the following command:

create rate-limit ...

Maximum Entries

If you try to create an access mask when no more are available, the system will issue a warning
message. Three access masks are constantly used by the system, leaving a maximum of 13
user-definable access masks. However, enabling some features causes the system to use additional
access masks, reducing the number available.

For each of the following features that you enable, the system will use one access mask. When the
feature is disabled, the mask will again be available. The features are:

RIP

IGMP or OSPF (both would share a single mask)

DiffServ examination

QoS monitor

The maximum number of access list allowed by the hardware is 254 for each block of eight
10/100 Mbps Ethernet ports and 126 for each Gbps Ethernet port, for a total of 1014 rules (254*3+126*2).
Most user entered access list commands will require multiple rules on the hardware. For example, a
global rule (an access control list using an access mask without “ports” defined), will require 5 rules,
one for each of the 5 blocks of ports on the hardware.

The maximum number of rate-limiting rules allowed is 315 (63*5). This number is part of the total
access control list rules (1014).