Overview – Allied Telesis AT-S101 User Manual
Page 196

Chapter 19: Access Control Policies
Overview
An access control policy is a filter that controls the ingress traffic on a port.
It defines a category of traffic and the action of the port when it receives
packets of the category. The action is either to accept the defined packets
or discard them. You can use this feature to increase network security by
restricting access to certain areas or subnets or to enhance switch
performance by forming network links dedicated to carrying specified
types of traffic.
The heart of an ACP is a classifier which, as explained in “Overview” on
page 186, defines packets that share a common trait. You can define a
classifier broadly, such as all IP packets, or specifically, such as packets
from a specified end node destined for another specified node. You
specify the traffic using criteria, such as source and destination MAC
addresses or protocol.
When you create an ACP, you must specify the classifier that defines the
traffic flow to permit or deny on a port.
There are two kinds of ACPs based on the two actions that an ACP can
perform. One is called a permit ACP. Packets that meet the criteria in a
permit ACP are accepted by a port. These packets can be modified by the
policy in the DSCP (IP header) or CoS (Ethernet priority tag).
The second type of ACP is a deny ACP. This type of ACP denies entry to
packets that meet the criteria of its classifiers.
Here is an overview of how the process works.
1. When an ingress packet arrives on a port, it is checked against the
criteria in the classifiers of all the ACPs, both permit and deny,
assigned to the port.
2. The numeric sequence of the ACP determines its priority. If a deny
ACP has a higher priority than a permit ACP, then the packet is
discarded.
3. If the numeric sequence of the permit ACP is less than that of the deny
ACP, then the packet is forwarded.
4. Finally, if a packet does not meet the criteria of any ACPs on a port, it
is accepted by the port.
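The four steps above describe a matching algorithm, and the ordering rules in steps 2 and 3 are where misconfigurations usually hide. The following Python simulation is an added example, not code from the manual or from Allied Telesis: it models a port's list of ACPs, picks the matching ACP with the lowest sequence number (the example assumes, from step 3, that a lower number means higher priority), applies the permit or deny action, and falls back to the step-4 default of accepting a packet that matches nothing. The classifier field names, the `dscp` rewrite field, the hypothetical `port_policy` and `reversed_policy` helpers, and the sample packets (RFC 5737 and RFC 7042 documentation addresses) are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]


@dataclass(frozen=True)
class Classifier:
    """Traffic criteria; a criterion left as None means 'any'.
    The field names are assumptions for this example, not the switch's own."""
    name: str
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    protocol: Optional[str] = None   # e.g. "ip" or "arp"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """True when every criterion that is set equals the packet's field."""
        for crit in ("src_mac", "dst_mac", "protocol", "src_ip", "dst_ip"):
            want = getattr(self, crit)
            if want is not None and pkt.get(crit) != want:
                return False
        return True


@dataclass(frozen=True)
class ACP:
    sequence: int                 # assumed: lower number = higher priority (step 3)
    action: str                   # "permit" or "deny"
    classifier: Classifier
    dscp: Optional[int] = None    # optional DSCP rewrite, meaningful only on permit ACPs

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"unknown ACP action: {self.action!r}")


def evaluate(port_acps: List[ACP], pkt: Packet) -> Tuple[str, Packet]:
    """Steps 1-4: test the packet against every ACP on the port, let the
    highest-priority match decide, and accept if nothing matches."""
    matched = [acp for acp in port_acps if acp.classifier.matches(pkt)]   # step 1
    if not matched:
        return "forward", dict(pkt)                                        # step 4: default accept
    winner = min(matched, key=lambda acp: acp.sequence)                    # steps 2-3: priority
    if winner.action == "deny":
        return "discard", dict(pkt)
    out = dict(pkt)
    if winner.dscp is not None:        # a permit ACP may rewrite the DSCP field
        out["dscp"] = winner.dscp
    return "forward", out


# Constructed classifiers
ANY_IP = Classifier("any-ip", protocol="ip")
MGMT_HOST = Classifier("mgmt-host", protocol="ip", src_ip="192.0.2.10")
EVERYTHING = Classifier("everything")   # no criteria set, so it matches every packet


def port_policy(catch_all_deny: bool = False) -> List[ACP]:
    """Permit one management host, deny all other IP traffic. With
    catch_all_deny=True a lowest-priority deny overrides the step-4 default."""
    acps = [
        ACP(sequence=5, action="permit", classifier=MGMT_HOST, dscp=46),
        ACP(sequence=10, action="deny", classifier=ANY_IP),
    ]
    if catch_all_deny:
        acps.append(ACP(sequence=1000, action="deny", classifier=EVERYTHING))
    return acps


def reversed_policy() -> List[ACP]:
    """Same two classifiers, but the deny now holds the higher-priority sequence."""
    return [
        ACP(sequence=5, action="deny", classifier=ANY_IP),
        ACP(sequence=10, action="permit", classifier=MGMT_HOST),
    ]


# Constructed sample packets (documentation address ranges)
PKT_MGMT = {"protocol": "ip", "src_mac": "00:00:5e:00:53:0a",
            "src_ip": "192.0.2.10", "dst_ip": "192.0.2.1"}
PKT_OTHER = {"protocol": "ip", "src_mac": "00:00:5e:00:53:63",
             "src_ip": "192.0.2.99", "dst_ip": "192.0.2.1"}
PKT_ARP = {"protocol": "arp", "src_mac": "00:00:5e:00:53:63"}

if __name__ == "__main__":
    for label, policy in (("policy", port_policy()),
                          ("policy+catch-all", port_policy(catch_all_deny=True)),
                          ("reversed", reversed_policy())):
        for pname, pkt in (("mgmt", PKT_MGMT), ("other", PKT_OTHER), ("arp", PKT_ARP)):
            verdict, out = evaluate(policy, pkt)
            print(f"{label:18} {pname:6} -> {verdict:8} dscp={out.get('dscp')}")
```

Two things the simulation makes visible: swapping the sequence numbers of the permit and deny ACPs (`reversed_policy`) silently discards the management host's traffic, because the broad deny now wins every comparison; and since step 4 accepts anything no classifier matches, non-IP traffic such as ARP passes the first policy untouched, so a port that must be default-deny needs an explicit catch-all deny ACP at the lowest priority.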