
Motorola RFS7000 Series System Reference Guide

466 pages
Switch Security
6-19
6.5 ACL Configuration
An Access Control List (ACL) is a sequential collection of permit and deny conditions that apply to switch data
packets. When a packet is received on an interface, the switch compares the fields in the packet against any
applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified
in the access lists.
Use the ACL screen to view, add and configure access control configurations. Typically, an ACL consists of
a series of entries, each called an Access Control Entry (ACE). Each ACE defines the access rights for a user in
relationship to the switch. When access is attempted, the operating system uses the ACL to determine
whether the user has switch access permissions. The ACL screen displays four tabs supporting the following
ACL configuration activities:
• Configuring an ACL
• Attaching an ACL L2/L3 Configuration
• Attaching an ACL on a WLAN Interface/Port
• Reviewing ACL Statistics
6.5.1 ACL Overview
An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of
conditions that a packet must satisfy in order to match the ACE. The order of conditions in the list is critical
because the switch stops testing conditions after the first match.
The switch supports the following ACLs to filter traffic:
• Router ACLs - Applied to VLAN (Layer 3) interfaces. These ACLs filter traffic based on Layer 3
parameters like source IP, destination IP, protocol types and port numbers. They are applied on packets
routed through the switch. Router ACLs can be applied to inbound traffic only, not both directions.
• Port ACLs - Applied to traffic entering a Layer 2 interface. Only switched packets are subjected to this
kind of ACL. Traffic filtering is based on Layer 2 parameters like source MAC, destination MAC,
Ethertype, VLAN-ID and 802.1p bits, or on Layer 3 parameters like source IP, destination IP, protocol and port
number.
• Wireless LAN ACLs - A Wireless LAN ACL is designed to filter/mark packets based on the wireless LAN
from which they arrived rather than filtering packets that arrived on L2 ports. This type of ACL supports
data in the outbound direction.
NOTE If a packet does not meet any of the criteria specified in the ACL, then the packet
is dropped.
NOTE For an overview of how the switch uses an ACL to filter permissions to the switch
managed network, go to ACL Overview on page 6-19.
NOTE ACLs can be applied only in an inbound direction. Only WLAN ACLs support
applying ACLs in the outbound direction for both Layer 2 and Layer 3 interfaces.
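
The first-match rule in the ACL Overview and the drop-on-no-match NOTE can be checked offline before an ACL is applied. The following is an added example, not taken from the manual and not switch CLI syntax: a Python model of Layer 3 ACEs whose class, field and function names are assumptions, run against constructed addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

_net, _addr = ipaddress.ip_network, ipaddress.ip_address

@dataclass(frozen=True)
class ACE:                        # hypothetical model of one Layer 3 ACE
    action: str                   # "permit" or "deny"
    src: str                      # source network, CIDR
    dst: str                      # destination network, CIDR
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt):
        return (_addr(pkt["src"]) in _net(self.src)
                and _addr(pkt["dst"]) in _net(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

    def covers(self, other):
        """True if every packet matching `other` also matches this ACE."""
        return (_net(other.src).subnet_of(_net(self.src))
                and _net(other.dst).subnet_of(_net(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))

def evaluate(acl, pkt):
    """Return (action, index) of the first matching ACE; testing stops there."""
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None           # no ACE matched: the packet is dropped

def shadowed(acl):
    """Indexes of ACEs that can never match because an earlier ACE covers them."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]

# Constructed sample: the SSH deny is listed after a broader permit, so it never fires.
MISORDERED = [
    ACE("permit", "10.1.0.0/16", "10.9.0.0/24", "tcp"),
    ACE("deny",   "10.1.5.0/24", "10.9.0.0/24", "tcp", 22),
    ACE("permit", "10.2.0.0/16", "0.0.0.0/0",   "udp", 53),
]
FIXED = [MISORDERED[1], MISORDERED[0], MISORDERED[2]]   # specific deny first
SSH_FROM_GUEST = {"src": "10.1.5.7", "dst": "10.9.0.10", "proto": "tcp", "dport": 22}
```

Running `shadowed()` over a planned ACL before applying it flags entries whose position makes them dead; `evaluate()` shows which ACE decides a given packet.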
