ACL Rules, ACL Source and Destination Addresses, ACL Reverse Masking – Allied Telesis AlliedWare Plus Operating System Version 5.4.4C (x310-26FT, x310-26FP, x310-50FT, x310-50FP) User Manual, page 827

Access Control Lists Introduction

Software Reference for x310 Series Switches, C613-50046-01 REV A

AlliedWare Plus(TM) Operating System - Version 5.4.4C

33.3

ACL Rules

The source or destination address or the protocol of each packet being filtered is
tested against the filters in the ACL, one filter at a time (each filter being either a
permit or a deny filter).

If a packet does not match a filter then the packet is checked against the next filter in
the ACL.

If a packet and a filter match, the subsequent filters in the ACL are not checked and
the packet is permitted or denied as specified in the matched filter.

The first filter that the packet matches determines whether the packet is permitted or
denied. After the first match, no subsequent filters are considered.

If the ACL denies the address or protocol then the software discards the packet.

For software ACLs, if no filters match then the packet is dropped.

For hardware ACLs, if no filters match then the packet is forwarded.

Checking stops after the first match, so the order of the filters in the ACL is critical. The
same permit or deny filter specified in a different order could result in a packet being
passed in one situation and denied in another situation.

One ACL per interface, per protocol, per direction is allowed. However, each ACL
assigned per interface, per protocol, per direction may also have multiple filters.

For inbound ACLs, a permit filter continues to process the packet after receiving it on
an inbound interface, and a deny filter discards the packet.

ACL Source and Destination Addresses

Configure source addresses in ACL filters to filter packets coming from specified
networking devices or hosts. Configure destination addresses in ACL filters to filter
packets going to specified networking devices or hosts.

ACL Reverse Masking

ACLs use reverse masking, also referred to as wildcard masking, to indicate to the switch
whether to check or ignore the corresponding IP address bits when comparing the address
bits in an ACL filter with those of a packet being submitted to the ACL.

Reverse mask bits specify how the switch treats the corresponding IP address bits. A
reverse mask is also called an inverted mask because 1 and 0 mean the opposite of what
they mean in a subnet or a network mask.

A reverse mask bit 0 means check the corresponding bit value.

A reverse mask bit 1 means ignore the corresponding bit value.
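The following is an added worked example, written for this page and not code from Allied Telesis or the AlliedWare Plus software. It models the two behaviours described above, the first-match rule evaluation (including the different implicit action of software and hardware ACLs when no filter matches) and reverse-mask address comparison, so that the order-sensitivity warning can be seen on real inputs. The `Filter` and `Packet` classes, the `matches_wildcard` and `evaluate_acl` functions and the sample addresses are all assumptions made for the example; the switch's actual command syntax is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical data model for this example; the switch's real ACL syntax is not modelled.


@dataclass(frozen=True)
class Filter:
    action: str      # "permit" or "deny"
    protocol: str    # "ip" matches any protocol; otherwise "tcp", "udp", "icmp", ...
    src: str         # source base address, e.g. "10.1.1.0"
    src_wild: str    # source reverse (wildcard) mask, e.g. "0.0.0.255"
    dst: str         # destination base address
    dst_wild: str    # destination reverse mask; "255.255.255.255" means any address


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str


def matches_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Reverse-mask comparison: a 0 bit in the wildcard means "check this bit",
    a 1 bit means "ignore it". The address matches when every checked bit
    equals the corresponding bit of the base address."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    ignore = int(ipaddress.IPv4Address(wildcard))
    check = ~ignore & 0xFFFFFFFF          # invert the mask: these bits must agree
    return (a & check) == (b & check)


def subnet_to_wildcard(prefix: str) -> str:
    """Derive the reverse mask for a prefix, e.g. 10.1.0.0/16 -> 0.0.255.255."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)


def filter_matches(f: Filter, pkt: Packet) -> bool:
    """A filter matches when protocol, source and destination all match."""
    if f.protocol != "ip" and f.protocol != pkt.protocol:
        return False
    return (matches_wildcard(pkt.src, f.src, f.src_wild)
            and matches_wildcard(pkt.dst, f.dst, f.dst_wild))


def evaluate_acl(filters: List[Filter], pkt: Packet, hardware: bool) -> Tuple[str, Optional[int]]:
    """First-match evaluation as described in the text: filters are checked in
    order, the first match decides and later filters are never consulted.
    If nothing matches, a software ACL drops the packet and a hardware ACL
    forwards it. Returns (action, index of the matching filter or None)."""
    for index, f in enumerate(filters):
        if filter_matches(f, pkt):
            return f.action, index
    return ("permit" if hardware else "deny"), None


ANY = "0.0.0.0"
ANY_WILD = "255.255.255.255"


def demo_order_sensitivity() -> Tuple[str, str]:
    """Same two filters, different order, different verdict for the same packet."""
    deny_host = Filter("deny", "ip", "10.1.1.5", "0.0.0.0", ANY, ANY_WILD)
    permit_net = Filter("permit", "ip", "10.1.1.0", "0.0.0.255", ANY, ANY_WILD)
    pkt = Packet("tcp", "10.1.1.5", "192.0.2.10")   # constructed sample packet
    host_first, _ = evaluate_acl([deny_host, permit_net], pkt, hardware=True)
    net_first, _ = evaluate_acl([permit_net, deny_host], pkt, hardware=True)
    return host_first, net_first


def demo_implicit_action() -> Tuple[str, str]:
    """No filter matches: a software ACL denies, a hardware ACL permits."""
    only_rule = Filter("permit", "ip", "10.1.1.0", "0.0.0.255", ANY, ANY_WILD)
    pkt = Packet("udp", "172.16.0.9", "192.0.2.10")  # constructed, outside 10.1.1.0/24
    sw, _ = evaluate_acl([only_rule], pkt, hardware=False)
    hw, _ = evaluate_acl([only_rule], pkt, hardware=True)
    return sw, hw


if __name__ == "__main__":
    print("wildcard for 10.1.0.0/16:", subnet_to_wildcard("10.1.0.0/16"))
    print("order sensitivity (deny-host first, permit-net first):", demo_order_sensitivity())
    print("implicit action when nothing matches (software, hardware):", demo_implicit_action())
```

The `demo_implicit_action` result is the one worth remembering when auditing a configuration: a hardware ACL whose filters only list permits is not a whitelist, because unmatched traffic is forwarded, while the same filters in a software ACL drop everything not explicitly permitted.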