D-Link DWS-3000 manual Access Control Lists ACLs, Limitations

16

Access Control Lists (ACLs)

This section describes the Access Control Lists (ACLs) feature.

Overview

Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. Normally ACLs reside in a firewall router or in a router connecting two internal networks.

ACL Logging provides a means for counting the number of “hits” against an ACL rule. When you configure ACL Logging, you augment the ACL deny rule specification with a ‘log’ parameter that enables hardware hit count collection and reporting. The D-Link DWS-3000 switch uses a fixed five minute logging interval, at which time trap log entries are written for each ACL logging rule that accumulated a non-zero hit count during that interval. You cannot configure the logging interval.

You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4.

Limitations

The following limitations apply to ACLs.

•Maximum of 100 ACLs.

•Maximum rules per ACL is 10.

•The system supports ACLs set up for inbound traffic only.

•The system does not support MAC ACLs and IP ACLs on the same interface.

•It may not be possible to log every ACL rule due to limited hardware counter resources. You can define an ACL with any number of logging rules, but the number of rules that are actually logged cannot be determined until the ACL is applied to an interface. Further- more, hardware counters that become available after an ACL is applied are not retroac- tively assigned to rules that were unable to be logged (the ACL must be un-applied then re-applied). Rules that are unable to be logged are still active in the ACL for purposes of permitting or denying a matching packet.

Overview 95