© Copyright IBM Corp. 2011 Chapter 7. Access Control Lists 83
Of the matching ACLs permitted, each configured ACL action is applied in
sequence, based on ACL number, with the lowest-numbered ACL’s action
applied first. If an ACL action contradicts a preceding ACL (one with a lower ACL
number), the action of the higher-numbered ACL is ignored.
If no assigned ACL matches the port traffic, no ACL action is applied.
ACL Groups
To assist in organizing multiple ACLs and assigning them to ports, you can place
ACLs into ACL Groups, thereby defining complex traffic profiles. ACLs and ACL
Groups can then be assigned on a per-port basis. Any specific ACL can be assigned
to multiple ACL Groups, and any ACL or ACL Group can be assigned to multiple
ports. If, as part of multiple ACL Groups, a specific ACL is assigned to a port multiple
times, only one instance is used. The redundant entries are ignored.
• Individual ACLs
The G8000 supports up to 512 ACLs. Each ACL defines one filter rule for
matching traffic criteria. Each filter rule can also include an action (permit or deny
the packet). For example:
• Access Control List Groups
An Access Control List Group (ACL Group) is a collection of ACLs. For example:
ACL Groups organize ACLs into traffic profiles that can be more easily assigned
to ports. The G8000 supports up to 512 ACL Groups.
Note: ACL Groups are used for convenience in assigning multiple ACLs to ports.
ACL Groups have no effect on the order in which ACLs are applied (see
“ACL Order of Precedence” on page 82). All ACLs assigned to the port
(whether individually assigned or part of an ACL Group) are considered as
individual ACLs for the purposes of determining their order of precedence.
ACL 1:
VLAN = 1
SIP = 10.10.10.1 (255.255.255.0)
Action = permit
ACL Group 1
ACL 1:
VLAN = 1
SIP = 10.10.10.1 (255.255.255.0)
Action = permit
ACL 2:
VLAN = 2
SIP = 10.10.10.2 (255.255.255.0)
Action = deny
ACL 3:
Priority = 7
DIP = 10.10.10.3 (255.255.255.0)
Action = permit
To Next Page
Loading...
Need help?
General
