1) Use "sdm prefer access" to allocate TCAM resources for ACL entries.
2) On an L2 port an ACL can only be applied in the inbound direction.
3) Traffic is classified into two kinds: IP and MAC (non-IP).
4) Three kinds of filtering and where they apply:
L3 port ACL (router ACL): controls traffic between VLANs; applied to L3 interfaces.
L2 port ACL: controls traffic entering an L2 interface.
VLAN ACL (VLAN map): applies to all traffic within the same VLAN (all packets and frames, whether routed or bridged).
5) For inbound ACLs, the L3 ACL (VLAN ACL) and the MAC ACL conflict with each other.
6) IP datagrams encapsulated with dot1Q are *NOT* filtered by the L3 ACL, but by the MAC ACL.
7) Routed ports, SVIs and L3 PAgP ports support ACLs in both the in and out directions.
8) In an IP fragment set, only the first fragment carries L4 information (TCP/UDP ports, ICMP type/code, etc.).
9) When the log keyword is used in an ACL, ICMP unreachables are generated and the hardware-processing load increases hugely.
10) Logging is not supported in port ACLs (L2 port ACLs).
11) To avoid exhausting the TCAM table: change the SDM template, use outbound ACLs, and rely more on the implicit permit/deny.
12) The 3550 does not support the following features:
a) non-IP protocol ACLs
b) bridge-group ACLs
c) IP accounting
d) inbound/outbound rate limiting
e) IP header shorter than 5 bytes (ICMP parameter error)
f) reflexive ACLs
g) lock-and-key ACLs
h) L2 port ACLs do not support logging and cannot be applied outbound on an interface.
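The three filtering types from item 4, together with the SDM template from item 1 and the TCAM/log cautions from items 9 and 11, as an added Cisco IOS configuration example (not from the original notes; interface numbers, ACL names, VLAN ids and addresses are assumed):

```cisco
! Item 1: allocate TCAM space for ACL entries; takes effect after a reload
sdm prefer access
! (write memory, then reload)

! --- L3 port ACL (router ACL): traffic between VLANs, applied on an SVI ---
ip access-list extended VLAN10-IN
 permit tcp 10.10.10.0 0.0.0.255 any eq 80
 permit udp 10.10.10.0 0.0.0.255 host 10.10.20.5 eq domain
 ! no explicit "deny ip any any log": item 9 warns that "log" pushes
 ! packets to the CPU; item 11 says to rely on the implicit deny instead
interface vlan 10
 ip access-group VLAN10-IN in

! --- L2 port ACL: traffic entering an L2 interface, inbound only (item 2) ---
ip access-list extended PORT-IN
 permit ip host 10.10.10.50 any
mac access-list extended NONIP-IN
 permit host 0000.1111.2222 any
 ! implicit deny drops any other non-IP (and dot1Q-encapsulated, item 6) frames
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 ip access-group PORT-IN in
 mac access-group NONIP-IN in
 ! "ip access-group PORT-IN out" would be rejected here (item 12h)

! --- VLAN ACL (VLAN map): all traffic inside VLAN 20, routed or bridged ---
ip access-list extended TFTP-TRAFFIC
 permit udp any any eq tftp
vlan access-map VLAN20-MAP 10
 match ip address TFTP-TRAFFIC
 action drop
vlan access-map VLAN20-MAP 20
 action forward
vlan filter VLAN20-MAP vlan-list 20
```

Because of item 8, an L4 match such as "eq tftp" is only evaluated on the first fragment of a fragmented datagram; later fragments are matched on the L3 fields alone.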