10-11
IPv4 Access Control Lists (ACLs)
Terminology
Outbound Traffic: For defining the points where the switch applies an RACL 
to filter traffic, outbound traffic is routed traffic leaving the switch 
through a VLAN interface (or a subnet in a multinetted VLAN). “Outbound 
traffic” can also apply to switched traffic leaving the switch on a VLAN 
interface; however, VACLs do not filter outbound switched traffic. (Refer 
also to “ACL Applications” on page 10-13.)
Permit: An ACE configured with this action allows the switch to forward a 
packet for which there is a match within an applicable ACL.
Permit Any Forwarding: An ACE configured with this action causes the 
switch to forward IP packets that have not been permitted or denied by 
earlier ACEs in the list. In a standard ACL, this is permit any. In an extended 
ACL, it is permit ip any any. (This has no effect on packets that are not 
filtered by the applicable ACL, such as switched packets entering or 
leaving the switch on a VLAN to which an RACL is assigned.)
RACL: See “Routed ACL”.
RADIUS-Assigned ACL: An ACL assigned by a RADIUS server to a port to 
filter inbound IP traffic from a client authenticated by the server for that 
port. A RADIUS-assigned ACL can be configured (on a RADIUS server) to 
filter inbound IPv4 and IPv6 traffic. When the client session ends, the 
RADIUS-assigned ACL for that client is removed from the port. See also 
“Implicit Deny”.
remark-str: The term used in ACL syntax statements to represent the variable 
“remark string”: a set of alphanumeric characters you can include in a 
remark in an ACL. A remark string can include up to 100 characters and 
must be delimited by single or double quotes if any spaces are included 
in the string.
Rate-Limit Port ACLs (RL-PACLs): A feature that allows you to create an ACL 
and apply it on a per-port basis to rate-limit network traffic.
Routed ACL (RACL): An ACL applied to routed IPv4 traffic that is entering 
or leaving the switch on a given VLAN. See also “Access Control List”.
SA: The acronym for Source Address. In an IPv4 packet, this is the source 
IPv4 address carried in the IP header, and identifies the packet’s sender. 
In a standard ACE, this is the IPv4 address used by the ACE to determine 
whether there is a match between a packet and the ACE. In an extended 
ACE, this is the first of two IPv4 addresses used by the ACE to determine 
whether there is a match between a packet and the ACE. See also “DA”.