General ACL operations

- ACLs do not provide DNS host name support. ACLs cannot be configured to screen host name IP traffic between the switch and a DNS server.
- ACLs do not affect serial port access. ACLs do not apply to the switch's serial port.
- ACL screening of IPv6 traffic generated by the switch. Outbound IPv6 RACL applications on a switch do not screen IPv6 traffic (such as broadcasts, Telnet, Ping, and ICMP replies) generated by the switch itself. All ACLs applied on the switch do screen this type of traffic when other devices generate it. Similarly, all ACL applications can screen responses from other devices to unscreened IPv6 traffic the switch generates.
- ACL logging.
  - The ACL logging feature generates a message only when packets are explicitly denied as the result of a match, and not when they are explicitly permitted or implicitly denied. To help test ACL logging, configure the last entry in an ACL as an explicit deny statement with the log option included, and apply the ACL to an appropriate port or VLAN.
  - A detailed event is logged for the first packet that matches a "deny" or "permit" ACL logged entry with the appropriate action specified.
  - Subsequent packets matching ACL logged entries generate a new event that summarizes the number of packets that matched each specific entry within the time period.
  - Logging enables you to selectively test specific devices or groups. However, excessive logging can affect switch performance. For this reason, HPE recommends that you remove the logging option from ACEs for which you do not have a present need.
  - Also, avoid configuring logging where it does not serve an immediate purpose. (ACL logging is not designed to function as an accounting method.)
  - When configuring logging, you can reduce excessive resource use by configuring the appropriate ACEs to match specific hosts instead of entire subnets. For more information on resource usage, see Deleting an ACL in the Running Configuration.
- Minimum number of ACEs in an IPv6 ACL. An IPv6 ACL must include at least one ACE to enable traffic screening. An IPv6 ACL can be created "empty", that is, without any ACEs. However, if an empty ACL is applied to an interface, the Implicit Deny function does not operate, and the ACL has no effect on traffic.
- Monitoring shared resources. Applied ACLs share internal switch resources with several other features. If the internal resources become fully subscribed, additional ACLs cannot be applied until the necessary resources are released from other applications. For information on determining current resource availability and usage, see the latest ArubaOS-Switch Management and Configuration Guide for your switch.
- Protocol support. ACL criteria do not include use of MAC address information or QoS.
- Replacing or adding to an active IPv6 ACL policy. If you assign an IPv6 ACL to an interface and subsequently add or replace ACEs in that ACL, each new ACE becomes active when you enter it. If the ACL is configured on multiple interfaces when the change occurs, the switch resources must accommodate all applications of the ACL. If there are insufficient resources to accommodate one of several ACL applications affected by the change, the change is not applied to any of the interfaces and the previous version of the ACL remains in effect.
- "Strict" IPv6 TCP and UDP. When the IPv6 ACL configuration includes TCP or UDP options, the switch operates in "strict" TCP and UDP mode for increased control. In this case, the switch compares all IPv6 TCP and UDP packets against the IPv6 ACLs.
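The logging rules above (an event only on an explicit, logged deny; a detailed event for the first match and a per-period summary for later ones) and the empty-ACL rule (no ACEs means no implicit deny, so the ACL has no effect) are easy to misread when troubleshooting. The following Python model is an added example, not switch code or part of the original page; it is not an emulation of the switch's data path, and the ACE, Packet and ACL classes, the event wording, and the 2001:db8:: addresses are all constructed for illustration. It walks the recommended logging test: a short ACL whose last entry is an explicit deny with log, compared with an empty ACL and with a permit-only ACL that ends in the silent implicit deny.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Optional


@dataclass
class ACE:
    """One access control entry; proto "ipv6" matches any IPv6 protocol."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6", "tcp", "udp" or "icmpv6"
    src: IPv6Network
    dst: IPv6Network
    dst_port: Optional[int] = None   # only meaningful for tcp/udp entries
    log: bool = False                # the "log" option on the entry


@dataclass
class Packet:
    proto: str
    src: IPv6Address
    dst: IPv6Address
    dst_port: Optional[int] = None


ANY = IPv6Network("::/0")


@dataclass
class ACL:
    name: str
    aces: list = field(default_factory=list)
    events: list = field(default_factory=list)    # log messages, in order
    pending: dict = field(default_factory=dict)   # ACE index -> hits since last event

    def _matches(self, ace: ACE, pkt: Packet) -> bool:
        if ace.proto != "ipv6" and ace.proto != pkt.proto:
            return False
        if pkt.src not in ace.src or pkt.dst not in ace.dst:
            return False
        if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
            return False
        return True

    def evaluate(self, pkt: Packet) -> str:
        """Return "permit" or "deny" for pkt using first-match semantics."""
        # An ACL with no ACEs has no effect on traffic: the implicit deny
        # does not operate, so the packet passes (hypothetical model of the rule).
        if not self.aces:
            return "permit"
        for idx, ace in enumerate(self.aces):
            if self._matches(ace, pkt):
                # Only an explicit deny carrying the log option produces an event;
                # explicit permits are never logged here.
                if ace.action == "deny" and ace.log:
                    self._record_hit(idx, pkt)
                return ace.action
        # Implicit deny at the end of a non-empty ACL: silent, never logged.
        return "deny"

    def _record_hit(self, idx: int, pkt: Packet) -> None:
        if idx not in self.pending:
            # First match on this logged entry: one detailed event.
            port = f" port {pkt.dst_port}" if pkt.dst_port is not None else ""
            self.events.append(
                f"ACL {self.name} entry {idx + 1} denied {pkt.proto} "
                f"{pkt.src} -> {pkt.dst}{port}"
            )
            self.pending[idx] = 0
        else:
            # Later matches are only counted until the period summary.
            self.pending[idx] += 1

    def end_period(self) -> list:
        """Emit one summary per logged entry for matches since its last event."""
        summaries = []
        for idx, count in sorted(self.pending.items()):
            if count:
                summaries.append(
                    f"ACL {self.name} entry {idx + 1}: {count} more packets denied this period"
                )
            self.pending[idx] = 0   # keep the entry known; no second detailed event
        self.events.extend(summaries)
        return summaries


def demo() -> dict:
    """Constructed scenario: the recommended logging test ACL, an empty ACL,
    and a permit-only ACL that relies on the implicit deny."""
    acl = ACL("test-log", [
        ACE("permit", "tcp", ANY, ANY, dst_port=22),
        ACE("deny", "ipv6", ANY, ANY, log=True),      # explicit deny with log, last
    ])
    host, switch = IPv6Address("2001:db8::10"), IPv6Address("2001:db8::1")
    results = [
        acl.evaluate(Packet("tcp", host, switch, 22)),   # permit, no event
        acl.evaluate(Packet("udp", host, switch, 53)),   # deny, detailed event
        acl.evaluate(Packet("udp", host, switch, 53)),   # deny, counted
        acl.evaluate(Packet("icmpv6", host, switch)),    # deny, counted
    ]
    summary = acl.end_period()
    empty = ACL("empty")
    permit_only = ACL("permit-only", [ACE("permit", "tcp", ANY, ANY, dst_port=22)])
    return {
        "results": results,
        "events": list(acl.events),
        "summary": summary,
        "empty_acl_verdict": empty.evaluate(Packet("udp", host, switch, 53)),
        "implicit_deny_verdict": permit_only.evaluate(Packet("udp", host, switch, 53)),
        "implicit_deny_events": len(permit_only.events),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two contrasting ACLs are the point: the empty ACL returns "permit" for everything because there is no ACE to trigger the implicit deny, and the permit-only ACL drops the UDP packet but records nothing, which is exactly why the page suggests ending a test ACL with an explicit deny that carries the log option.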