Chapter7
ACLConfiguration
TableofContents
ACLOverview...................................................................59
ConguringACL................................................................60
ACLCongurationExample.................................................66
ACLMaintenanceandDiagnosis...........................................68
ACLOverview
Packetlteringcanhelplimitnetworktrafcandrestrictnetwork
usebycertainusersordevices.ACL’scanltertrafcasitpasses
througharouterandpermitordenypacketsatspeciedinter-
faces.
AnACLisasequentialcollectionofpermitanddenyconditions
thatapplytopackets.Whenapacketisreceivedonaninterface,
theswitchcomparestheeldsinthepacketagainstanyapplied
ACL’stoverifythatthepackethastherequiredpermissionstobe
forwarded,basedonthecriteriaspeciedintheaccesslists.It
testspacketsagainsttheconditionsinanaccesslistonebyone.
Therstmatchdetermineswhethertheswitchacceptsorrejects
thepacketsbecausetheswitchstopstestingconditionsafterthe
rstmatch.Theorderofconditionsinthelistiscritical.Ifno
conditionsmatch,theswitchrejectsthepackets.Ifthereareno
restrictions,theswitchforwardsthepacket;otherwise,theswitch
dropsthepacket.
PacketmatchingrulesdenedbytheACLarealsousedinother
conditionswheredistinguishingtrafcisneeded.Forinstance,the
matchingrulescandenethetrafcclassicationruleintheQoS.
ZXR105900/5200providesthefollowingsixtypesofACLs:
�StandardACL:OnlymatchthesourceIPaddress.
�ExtendedACL:Matchthefollowingitems:SourceIPaddress,
destinationIPaddress,IPprotocoltype,TCPsourceportnum-
ber ,TCPdestinationportnumber ,UDPsourceportnumber ,
UDPdestinationportnumber ,ICMPtype,ICMPCode,DiffServ
CodePoint(DSCP),ToSandPrecedence.
�L2ACL:MatchsourceMACaddress,destinationMACaddress,
sourceVLANID,L2Ethernetprotocoltypeand802.1ppriority
value.
�HybridACL:MatchsourceMACaddress,destinationMACad-
dress,sourceVLANID,sourceIPaddress,destinationIPad-
CondentialandProprietaryInformationofZTECORPORATION59
To Next Page
Loading...
