ExtremeWare XOS 11.3 Concepts Guide
261
13 Access Lists (ACLs)
This chapter describes the following topics:
â—Ź ACLs on page 261
â—Ź ACL Policy File Syntax on page 262
â—Ź Dynamic ACLs on page 268
â—Ź ACL Evaluation Precedence on page 269
● ACL Metering—BlackDiamond 8800 Family and Summit X450 Only on page 271
â—Ź Applying ACL Policy Files on page 272
â—Ź Displaying and Clearing ACL Counters on page 273
â—Ź Example ACL Rule Entries on page 273
ACLs
ACLs are used to perform packet filtering and forwarding decisions on traffic traversing the switch.
Each packet arriving on an ingress port and/or VLAN is compared to the access list applied to that
interface and is either permitted or denied. On the BlackDiamond 10K switch, packets egressing an
interface can also be filtered, however, only a subset of the filtering conditions available for ingress
filtering are available for egress filtering. In addition to forwarding or dropping packets that match an
ACL, the switch can also perform additional operations like incrementing counters, logging packet
headers, mirroring traffic to a monitor port, sending the packet to a QoS profile, and, for the
BlackDiamond 8800 family and Summit X450 switches only, meter the packets to control bandwidth.
Using ACLs has no impact on switch performance (with the minor exception of the mirror-cpu action
modifier).
ACLs are typically applied to traffic that crosses Layer 3 router boundaries, but it is possible to use
access lists within a Layer 2 virtual LAN (VLAN).
ACLs in ExtremeWare XOS apply to all traffic. This is somewhat different from the behavior in
ExtremeWare. For example, if you deny all the traffic to a port, no traffic, including control packets, such
as OSPF or RIP, will reach the switch and the adjacency will be dropped. You must explicitly allow
those type of packets (if desired). In ExtremeWare, an ACL that denied “all” traffic would allow control
packets (those bound for the CPU) to reach the switch.
ACLs are often referred to as access lists.
ACLs are created in two different ways. One method is to create an ACL policy file and apply that ACL
policy file to a list of ports, a VLAN, or to all interfaces. This first method creates ACLs that can be
persistent across switch reboots, can contain a large number of rule entries, and are all applied at the
same time. See “ACL Policy File Syntax” on page 262 for information about creating ACLs using policy
files. For information about creating policy files, see Chapter 12, “Policy Manager”.
The second method to create an ACL is to use the CLI to specify a single rule, called a dynamic ACL.
Dynamic ACLs do not persist across a reboot and consist of only a single rule. Multiple dynamic ACLs
To Next Page
Loading...
Need help?
General
