C
OMMAND
L
INE
I
NTERFACE
4-122
Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based
on address, protocol, or Layer 4 protocol port number) or any frames
(based on MAC address or Ethernet type). To filter packets, first create an
access list, add the required rules and then bind the list to a specific port.
Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP
addresses, MAC addresses, or other more specific criteria. This switch tests
ingress or egress packets against the conditions in an ACL one by one. A
packet will be accepted as soon as it matches a permit rule, or dropped as
soon as it matches a deny rule. If no rules match for a list of all permit
rules, the packet is dropped; and if no rules match for a list of all deny
rules, the packet is accepted.
There are three filtering modes:
• Standard IP ACL mode (STD-ACL) filters packets based on the source
IP address.
• Extended IP ACL mode (EXT-ACL) filters packets based on source
or destination IP address, as well as protocol type and protocol port
number.
The following restrictions apply to ACLs:
• Each ACL can have up to 100 rules.
• However, due to resource restrictions, the average number of rules
bound the ports should not exceed 20.
• This switch supports ACLs for ingress filtering only. You can only
bind one IP ACL to any port for ingress filtering. In other words, only
one ACL can be bound to an interface - Ingress IP ACL.
The order in which active ACLs are checked is as follows:
To Next Page
Loading...
Need help?
General
