
Linksys Smart Switch LGS3XX User Manual

Linksys Smart Switch LGS3XX
110 pages
86
Table of Contents
Linksys
Chapter 13 Access Control List
The Access Control List (ACL) feature is part of the security mechanism.
ACLs enable network managers to define patterns (filter and actions) for
ingress traffic. Packets, entering the device on a port or LAG with an active
ACL, are either admitted or denied entry. ACL definitions can also be used to
define traffic flows in Quality of Service (QoS).
For more information, see Advanced Quality of Service.
This section covers the following topics:
Access Control Lists
MAC-Based ACL
MAC-Based ACE
IPv4-Based ACLs
IPv4-Based ACE
IPv6-Based ACE
IPv6-Based ACL
ACL Binding
An Access Control List (ACL) is an ordered list of classification filters and
actions. Each single classification rule, together with its action, is called an
Access Control Element (ACE).
Each ACE is made up of filters that distinguish traffic groups and associated
actions. A single ACL may contain one or more ACEs, which are matched
against the contents of incoming frames. Either a DENY or PERMIT action is
applied to frames whose contents match the filter.
The device supports a maximum of 256 ACLs, and a maximum of 256 ACEs.
When a packet matches an ACE filter, the ACE action is taken and that ACL
processing is stopped. If the packet does not match the ACE filter, the next
ACE is processed. If all ACEs of an ACL have been processed without finding a
match, and if another ACL exists, it is processed in a similar manner.
NOTE:
If a packet matches no ACE in any of the relevant ACLs, the packet is dropped
(as a default action). Because of this default drop action, you must explicitly
add ACEs to the ACL to permit the desired traffic, including management
traffic such as Telnet, HTTP or SNMP that is directed to the device itself. For
example, if you do not want to discard all the packets that do not match the
conditions in an ACL, you must explicitly add a lowest-priority ACE to the
ACL that permits all the traffic.
If IGMP snooping is enabled on a port bound with an ACL, add ACE filters
in the ACL to forward IGMP/MLD packets to the device; otherwise, IGMP
snooping fails at the port.
The order of the ACEs within the ACL is significant, since they are applied
in a first-fit manner. The ACEs are processed sequentially, starting with the
first ACE.
ACLs can be used for security, for example by permitting or denying
certain traffic flows, and also for traffic classification and prioritization in
the QoS Advanced mode.
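The first-fit evaluation and default drop action described above can be checked before an ACL is bound to a port. The following is an added example, not code from the Linksys manual: the ACE field names, the addresses and the probe list are assumptions made for illustration, and it models a single ACL on one port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "igmp"
    dport: Optional[int] = None

@dataclass(frozen=True)
class ACE:                        # hypothetical field names, not the switch's schema
    action: str                   # "PERMIT" or "DENY"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))

def evaluate(acl, pkt):
    """First-fit: the first matching ACE decides; no match at all means drop."""
    for index, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, index
    return "DENY", None           # default drop action

def lockout_report(acl, switch_ip, admin_ip):
    """Names of management/IGMP probes the ACL would drop (empty list = safe)."""
    probes = {                    # constructed probes, one per traffic type
        "telnet": Packet(admin_ip, switch_ip, "tcp", 23),
        "http": Packet(admin_ip, switch_ip, "tcp", 80),
        "snmp": Packet(admin_ip, switch_ip, "udp", 161),
        "igmp": Packet(admin_ip, "224.0.0.1", "igmp"),
    }
    return sorted(n for n, p in probes.items() if evaluate(acl, p)[0] == "DENY")

# Constructed sample data (documentation address range).
SWITCH, ADMIN = "192.0.2.1", "192.0.2.50"
ACL_INCOMPLETE = [ACE("DENY", src="192.0.2.66/32")]                 # no PERMIT ACE
ACL_ORDERED = [ACE("DENY", src="192.0.2.66/32"), ACE("PERMIT")]    # permit-all last
ACL_SHADOWED = [ACE("PERMIT"), ACE("DENY", src="192.0.2.66/32")]   # DENY never reached
```

ACL_INCOMPLETE drops every management probe because nothing permits them, while ACL_SHADOWED shows the ordering problem: the permit-all ACE in first position matches before the DENY ACE is ever examined.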
NOTE:
A port can be either secured with ACLs or configured with advanced QoS
policy, but not both.
There can only be one ACL per port.
To associate more than one ACL with a port, a policy with one or more class
maps must be used.
The following types of ACLs can be defined (depending on which part of the
frame header is examined):
MAC ACL—Examines Layer 2 fields only, as described in Defining MAC-based ACLs
IP ACL—Examines Layer 3 of IP frames, as described in IPv4/IPv6-Based ACLs
If a frame matches the filter in an ACL, it is defined as a flow with the name of
that ACL.
Creating ACLs Workflow
To create ACLs and associate them with an interface, perform the following:


Linksys Smart Switch LGS3XX Specifications

General
Brand: Linksys
Model: Smart Switch LGS3XX
Category: Switch
Language: English
