C
HAPTER
14
| Security Measures
Access Control Lists
– 308 –
ACCESS CONTROL LISTS
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based
on address, protocol, Layer 4 protocol port number or TCP control code),
IPv6 frames (based on address, DSCP, or next header type), or any frames
(based on MAC address or Ethernet type). To filter incoming packets, first
create an access list, add the required rules, and then bind the list to a
specific port.
Configuring Access Control Lists –
An ACL is a sequential list of permit or deny conditions that apply to IP
addresses, MAC addresses, or other more specific criteria. This switch tests
ingress packets against the conditions in an ACL one by one. A packet will
be accepted as soon as it matches a permit rule, or dropped as soon as it
matches a deny rule. If no rules match, the packet is accepted.
COMMAND USAGE
The following restrictions apply to ACLs:
â—† The maximum number of ACLs is 64.
â—† The maximum number of rules per system is 512 rules.
â—† An ACL can have up to 64 rules. However, due to resource restrictions,
the average number of rules bound to the ports should not exceed 20.
The order in which active ACLs are checked is as follows:
1. User-defined rules in IP and MAC ACLs for ingress ports are checked in
parallel.
2. Rules within an ACL are checked in the configured order, from top to
bottom.
3. If the result of checking an IP ACL is to permit a packet, but the result
of a MAC ACL on the same packet is to deny it, the packet will be
denied (because the decision to deny a packet has a higher priority for
security reasons). A packet will also be denied if the IP ACL denies it
and the MAC ACL accepts it.
To Next Page
Loading...
Need help?
General