Maximum entries – Extreme Networks 200 Series User Manual
Page 121
Using Access Control Lists
Summit 200 Series Switch Installation and User Guide
119
NOTE
For an example of using the permit-established keyword, refer to “Using the Permit-Established
Keyword” on page 124.
The permit-established keyword denies the access control list. Having a permit-established access
control list blocks all traffic that matches the TCP source/destination, and has the SYN=1 and ACK=0
flags set.
Adding Access Mask, Access List, and Rate Limit Entries
Entries can be added to the access masks, access lists, and rate limits. To add an entry, you must supply
a unique name using the
create
command, and supply a number of optional parameters (see Table 32
for the full command syntax). For access lists and rate limits, you must specify an access mask to use.
To modify an existing entry, you must delete the entry and retype it, or create a new entry with a new
unique name.
To add an access mask entry, use the following command:
create access-mask
To add an access list entry, use the following command:
create access-list
To add a rate limit entry, use the following command:
create rate-limit
Maximum Entries
If you try to create an access mask when no more are available, the system will issue a warning
message. Three access masks are constantly used by the system, leaving a maximum of 13
user-definable access masks. However, enabling some features causes the system to use additional
access masks, reducing the number available.
For each of the following features that you enable, the system will use one access mask. When the
feature is disabled, the mask will again be available. The features are:
•
RIP
•
IGMP or OSPF (both would share a single mask)
•
DiffServ examination
•
QoS monitor
The maximum number of access list allowed by the hardware is 254 for each block of eight
10/100 Mbps Ethernet ports and 126 for each Gbps Ethernet port, for a total of 1014 rules (254*3+126*2).
Most user entered access list commands will require multiple rules on the hardware. For example, a
global rule (an access control list using an access mask without “ports” defined), will require 5 rules,
one for each of the 5 blocks of ports on the hardware.
The maximum number of rate-limiting rules allowed is 315 (63*5). This number is part of the total
access control list rules (1014).