© Copyright Lenovo 2017 Chapter 7: Access Control Lists 125
ACL Groups

To assist in organizing multiple ACLs and assigning them to ports, you can place ACLs into ACL Groups, thereby defining complex traffic profiles. ACLs and ACL Groups can then be assigned on a per-port basis. Any specific ACL can be assigned to multiple ACL Groups, and any ACL or ACL Group can be assigned to multiple ports. If, as part of multiple ACL Groups, a specific ACL is assigned to a port multiple times, only one instance is used. The redundant entries are ignored.

Individual ACLs

The CN4093 supports up to 256 ACLs. Each ACL defines one filter rule for matching traffic criteria. Each filter rule can also include an action (permit or deny the packet). For example:

ACL 1:
VLAN = 1
SIP = 10.10.10.1 (255.255.255.0)
Action = permit

Access Control List Groups

An Access Control List Group (ACL Group) is a collection of ACLs. For example:

ACL Group 1

ACL 1:
VLAN = 1
SIP = 10.10.10.1 (255.255.255.0)
Action = permit

ACL 2:
VLAN = 2
SIP = 10.10.10.2 (255.255.255.0)
Action = deny

ACL 3:
Priority = 7
DIP = 10.10.10.3 (255.255.255.0)
Action = permit

ACL Groups organize ACLs into traffic profiles that can be more easily assigned to ports. The CN4093 supports up to 256 ACL Groups.

Note: ACL Groups are used for convenience in assigning multiple ACLs to ports. ACL Groups have no effect on the order in which ACLs are applied (see "ACL Order of Precedence" on page 124). All ACLs assigned to the port (whether individually assigned or part of an ACL Group) are considered as individual ACLs for the purposes of determining their order of precedence.

Assigning ACL Groups to a Port

To assign an ACL Group to a port, use the following commands:

CN 4093(config)# interface port <portnumber>
CN 4093(config-if)# access-control group <ACLgroupnumber>
CN 4093(config-if)# exit
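
When auditing a port, it helps to flatten its ACL Groups into the set of ACLs actually in effect and to list the redundant assignments the switch ignores. The following is an added example, not Lenovo code: the function name, the data model and the hypothetical Group 2 are constructed, and it assumes that ACLs are numbered 1 to 256 and that an ACL assigned both individually and through a group also counts as one instance.

```python
from collections import defaultdict

MAX_ACLS = 256        # page: the CN4093 supports up to 256 ACLs
MAX_ACL_GROUPS = 256  # page: the CN4093 supports up to 256 ACL Groups


def effective_port_acls(groups, port_groups, port_acls=()):
    """Flatten one port's ACL assignments the way the page describes.

    groups      -- {group number: list of ACL numbers} (constructed model)
    port_groups -- ACL Group numbers assigned to the port
    port_acls   -- ACL numbers assigned to the port individually
    Returns (active, redundant): the ACLs in effect, one instance each,
    and {ACL: [sources]} for every ACL that reached the port more than once.
    """
    if len(groups) > MAX_ACL_GROUPS:
        raise ValueError(f"more than {MAX_ACL_GROUPS} ACL Groups defined")
    sources = defaultdict(list)
    # Assumption: a direct assignment and a group assignment of the same ACL
    # are deduplicated like two group assignments.
    for acl in dict.fromkeys(port_acls):
        sources[acl].append("direct")
    for group in dict.fromkeys(port_groups):
        if group not in groups:
            raise KeyError(f"port references undefined ACL Group {group}")
        for acl in dict.fromkeys(groups[group]):
            sources[acl].append(f"group {group}")
    for acl in sources:
        # Assumption: ACLs are numbered 1..256; the page states only the count.
        if not 1 <= acl <= MAX_ACLS:
            raise ValueError(f"ACL {acl} is outside 1..{MAX_ACLS}")
    # Sorted for stable output only; this does not model order of precedence.
    active = sorted(sources)
    redundant = {a: s for a, s in sources.items() if len(s) > 1}
    return active, redundant


# Constructed sample: ACL Group 1 from the page plus a hypothetical Group 2.
SAMPLE_GROUPS = {1: [1, 2, 3], 2: [3, 4]}

if __name__ == "__main__":
    active, redundant = effective_port_acls(SAMPLE_GROUPS, [1, 2], port_acls=[2])
    print("ACLs in effect:", active)
    for acl, via in sorted(redundant.items()):
        print(f"ACL {acl}: {len(via)} assignments ({', '.join(via)}), one instance used")
```

Every ACL in the returned list is still evaluated as an individual ACL, so a deny rule such as ACL 2 stays in effect regardless of which group delivered it.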