Accton Technology ES4710BD User Manual

ES4710BD 10 Slots L2/L3/L4 Chassis Switch

Chapter 12 ACL Configuration

12.1 Introduction to ACL

An ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It controls network traffic by permitting or denying packets that pass through the switch, and so helps protect the network. The user defines a set of rules based on information carried in the packet (header fields such as addresses, protocol and port); each rule specifies the action, "permit" or "deny", for packets that match its conditions. The user can apply such rules to the incoming or outgoing direction of switch ports, so that traffic in the specified direction on the specified ports must comply with the ACL rules assigned there.

12.1.1 Access list

An access list is a sequential collection of conditions, each corresponding to a specific rule. Each rule consists of filter information and the action to take when the rule is matched. The filter information in a rule is a valid combination of conditions such as source IP, destination IP, IP protocol number and TCP port. Access lists can be categorized by the following criteria:

- Filter information based criterion: IP access list (layer 3 or higher information), MAC access list (layer 2 information), and MAC-IP access list (layer 2 or higher). The current implementation supports IP access lists only; the other two functions will be provided later.

- Configuration complexity based criterion: standard and extended; the extended mode allows more specific filtering of information.

- Nomenclature based criterion: numbered and named.

A description of an ACL should cover all three aspects.

12.1.2 Access-group

Once a set of access lists has been created, they can be applied to traffic in either direction on any port. An access-group is the binding of an access list to a specified direction (inbound or outbound) on a specific port. Once an access-group is created, every packet passing through that port in the specified direction is compared against the rules of the access list to decide whether it is permitted or denied.

12.1.3 Access list Action and Global Default Action

There are two possible values for an access list action and for the global default action: "permit" or "deny".
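The following Python model, added here as an illustration and not code from the ES4710BD or its manual, ties the three concepts above together: an access list as an ordered set of permit/deny rules with extended-style conditions (source, destination, protocol, TCP port), an access-group as the binding of that list to one direction of one port, and the global default action that decides packets no rule matches. Two points are assumptions rather than statements from the manual: rules are evaluated top-down and the first match decides, and a port/direction with no access-group bound passes traffic untouched. The port name Ethernet1/1, the addresses and the packets are constructed for the example.

```python
"""Added illustration of how a switch evaluates an ACL bound by an
access-group; it is not the ES4710BD's code. Assumed (not stated on the
page): rules are tried top-down and the first match decides, and the
global default action applies only when no rule matches."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    """One ACL entry. A standard list would use only src; the other
    fields are the kind of extended-list conditions the text mentions."""
    action: str                # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        return self.dport is None or self.dport == pkt.dport


@dataclass
class AccessList:
    name: str
    rules: list = field(default_factory=list)

    def evaluate(self, pkt: Packet, default_action: str):
        """Return (action, index of the deciding rule, or None for default)."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, idx          # first match wins (assumed)
        return default_action, None              # nothing matched: global default


class Switch:
    def __init__(self, default_action: str = "permit"):
        if default_action not in ("permit", "deny"):
            raise ValueError("default action must be permit or deny")
        self.default_action = default_action
        self.groups = {}          # (port, direction) -> AccessList

    def bind(self, port: str, direction: str, acl: AccessList) -> None:
        """Create an access-group: tie acl to one direction of one port."""
        if direction not in ("in", "out"):
            raise ValueError("direction must be in or out")
        self.groups[(port, direction)] = acl

    def filter(self, port: str, direction: str, pkt: Packet) -> str:
        acl = self.groups.get((port, direction))
        if acl is None:
            return "permit"       # no access-group here: nothing is compared (assumed)
        action, _ = acl.evaluate(pkt, self.default_action)
        return action


def demo() -> dict:
    """Constructed rules and packets; returns the decision for each case."""
    mgmt = AccessList("mgmt-ssh", [
        Rule("permit", src="10.0.0.0/24", dst="10.0.1.1/32", proto="tcp", dport=22),
        Rule("deny", dst="10.0.1.1/32", proto="tcp", dport=22),
        Rule("permit", proto="icmp"),
    ])
    sw = Switch(default_action="deny")
    sw.bind("Ethernet1/1", "in", mgmt)       # hypothetical port name

    admin_ssh = Packet("10.0.0.5", "10.0.1.1", "tcp", 22)
    rogue_ssh = Packet("192.168.1.9", "10.0.1.1", "tcp", 22)
    ping = Packet("192.168.1.9", "10.0.1.1", "icmp")
    dns = Packet("192.168.1.9", "10.0.1.1", "udp", 53)

    # Same rules with permit and deny swapped: the broad deny now shadows the
    # narrow permit, so the admin's SSH is dropped. Rule order is part of policy.
    shadowed = AccessList("mgmt-ssh-misordered",
                          [mgmt.rules[1], mgmt.rules[0], mgmt.rules[2]])

    return {
        "admin_ssh": sw.filter("Ethernet1/1", "in", admin_ssh),
        "rogue_ssh": sw.filter("Ethernet1/1", "in", rogue_ssh),
        "ping": sw.filter("Ethernet1/1", "in", ping),
        "dns_hits_default": sw.filter("Ethernet1/1", "in", dns),
        "unbound_direction": sw.filter("Ethernet1/1", "out", rogue_ssh),
        "misordered_admin_ssh": shadowed.evaluate(admin_ssh, "deny")[0],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22s} {decision}")
```

Running the block shows the practical consequences of the three sections: the DNS packet is dropped only because the switch's default action is "deny", the outbound direction of the same port is untouched because no access-group is bound there, and the misordered list demonstrates why the sequential nature of an access list matters, since a broad deny placed above a narrow permit silently shadows it.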