Extreme Networks Summit WM3000 Series - Page 320

Extreme Networks Summit WM3000 Series
513 pages
Controller Security
Summit WM3000 Series Controller System Reference Guide, page 320
Wireless LAN ACLs - A Wireless LAN ACL is designed to filter or mark packets based on the wireless
LAN from which they arrived, rather than filtering packets that arrived on Layer 2 ports.
For more information, see:
- Router ACLs
- Port ACLs
- Wireless LAN ACLs
- ACL Actions
- Precedence Order
Router ACLs
Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular
direction on an interface, applying a new one replaces the existing ACL. Router ACLs are applicable
only if the controller acts as a gateway, and they filter inbound traffic only.
The controller supports two types of Router ACLs:
- Standard IP ACL - Uses the source IP address as the matching criterion.
- Extended IP ACL - Uses the source IP address, destination IP address and IP protocol type as basic
matching criteria. It can also include other parameters specific to a protocol type (such as source and
destination port for TCP/UDP).
Router ACLs are stateful and are not applied on every packet routed through the controller. Whenever a
packet is received from a Layer 3 interface, it is examined against existing sessions to determine if it
belongs to an established session. ACLs are applied to the packet in the following manner:
1. If the packet matches an existing session, it is not matched against ACL rules and the session decides
where to send the packet.
2. If no existing session matches the packet, it is matched against ACL rules to determine whether to
accept or reject it. If the ACL rules accept the packet, a new session is created and all further packets
belonging to that session are allowed. If the ACL rules reject the packet, no session is established.
A session is computed based on:
- Source IP address
- Destination IP address
- Source port
- Destination port
- ICMP identifier
- Incoming interface index
- IP protocol
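The following is an added worked example, not code from the guide or from Extreme Networks, that models the stateful router ACL behaviour described above: a packet is first looked up in a session table keyed on the seven fields just listed; only a packet with no matching session is evaluated against the ACL rules, and only a permitted packet creates a session. It also shows the difference between a standard rule (source address only) and an extended rule (source, destination, protocol, destination port). The packet and rule types, the session-table shape and the implicit deny at the end of the rule list are assumptions made for the example, not behaviour the guide states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed packet model; field names are assumptions for this example.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_id: int = 0    # ICMP identifier (0 for non-ICMP traffic)
    ifindex: int = 0    # incoming interface index

@dataclass
class Rule:
    """A standard rule sets only src; an extended rule also sets dst/proto/dport."""
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

def session_key(pkt: Packet) -> tuple:
    """The seven fields the guide says a session is computed from."""
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.icmp_id, pkt.ifindex, pkt.proto)

class StatefulRouterAcl:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()   # assumed session table: a set of session keys

    def process(self, pkt: Packet) -> tuple:
        """Return (decision, reason): reason is 'session', 'acl' or 'implicit'."""
        key = session_key(pkt)
        # Step 1: an established session bypasses the ACL rules entirely.
        if key in self.sessions:
            return ("permit", "session")
        # Step 2: no session, so evaluate rules in order; a permit creates a session,
        # a deny creates none.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.sessions.add(key)
                return (rule.action, "acl")
        # Assumed implicit deny when no rule matches (not stated by the guide).
        return ("deny", "implicit")

def demo() -> list:
    """Run a constructed inbound flow through an extended-permit / standard-deny ACL."""
    acl = StatefulRouterAcl([
        Rule("permit", src="10.0.0.0/8", dst="192.168.1.10/32", proto="tcp", dport=443),  # extended
        Rule("deny", src="10.0.0.0/8"),                                                    # standard
    ])
    https_syn = Packet("10.1.1.5", "192.168.1.10", "tcp", sport=40000, dport=443, ifindex=3)
    ssh = Packet("10.1.1.5", "192.168.1.10", "tcp", sport=40001, dport=22, ifindex=3)
    other_src = Packet("172.16.0.1", "192.168.1.10", "tcp", sport=1, dport=443, ifindex=3)
    return [
        acl.process(https_syn),   # first packet: permitted by the ACL, session created
        acl.process(https_syn),   # same 7-tuple: permitted by the session, rules not consulted
        acl.process(ssh),         # denied by the standard rule, no session created
        acl.process(other_src),   # matches no rule: implicit deny
        session_key(ssh) in acl.sessions,
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Note that because the session key includes the source port, a new connection from the same host to the same service is a new session and is evaluated against the rules again; only packets of an already accepted flow skip the rule lookup.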
NOTE: Port and router ACLs can be applied only in the inbound direction. WLAN ACLs support applying ACLs in
both the inbound and outbound directions.