Access control list (acl) overview – Allied Telesis AT-S62 User Manual
Page 252

Chapter 14: Access Control Lists
Section II: Advanced Operations
Access Control List (ACL) Overview
An ACL is a filter that controls the ingress packets on a port. You can use
this feature to control which ingress packets a port will accept and which it
will reject. Packets are filtered based on the criteria defined in the
classifiers assigned to an ACL.
There are several benefits of this feature. One is that it can add to your
network security. You can create ACLs to protect parts of a network from
unauthorized access by allowing only permitted traffic to enter the ports of
a switch.
You can also use ACLs to enhance network performance by creating data
links dedicated to carrying specific types of traffic. This provides the
permitted traffic a higher priority by virtue of having its own dedicated
network path.
This feature can also be used to achieve load-balancing by creating
dedicated links for different types or categories of traffic. This too can
result in enhanced network performance by distributing different types of
network traffic across multiple physical links.
Note
This feature is not related to the management ACL feature,
described in Chapter 35, “Management Access Control List” on
page 759. They perform different functions and are configured in
different ways.
The heart of an ACL is a classifier. A classifier, as explained in “Classifier
Overview” on page 234, defines packets that share a common trait.
Packets that share a trait are referred to as a traffic flow. A traffic flow can
be very broad, such as all IP packets, or very specific, such as packets
from a specific end node destined for another specific node. You specify
the traffic using different criteria, such as source and destination MAC
addresses or protocol.
When you create an ACL, you are asked to specify the classifier that
defines the traffic flow you want to permit or deny on a port.
There are two kinds of ACLs based on the two actions that an ACL can
perform. One is called a permit ACL. Packets that meet the criteria in a
permit ACL are accepted by a port.
The second type of ACL is a deny ACL. This type of ACL will deny entry to
packets that meet the criteria of its classifiers, unless the packet also
meets the criteria of a permit ACL on the same port, in which case the
packet is accepted. This is because a permit ACL overrides a deny ACL.
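As an added illustration, not code from the manual or from Allied Telesis, the following Python models the permit-overrides-deny rule on a single port using the source MAC, destination MAC and protocol criteria named above. The packet and classifier field names are assumptions, and the port policy at the end is a constructed sample that denies all IP ingress except from one host.

```python
from dataclasses import dataclass, field
from typing import Optional
# Added illustration of the permit/deny precedence described in the AT-S62
# manual's ACL overview; not the switch's own code. The classifier fields
# (source MAC, destination MAC, protocol) are the criteria the page names.

@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    protocol: str  # e.g. "ip" or "arp" (constructed sample values)

@dataclass(frozen=True)
class Classifier:
    """Defines a traffic flow; a field left as None matches any value."""
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    protocol: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        pairs = ((self.src_mac, pkt.src_mac), (self.dst_mac, pkt.dst_mac),
                 (self.protocol, pkt.protocol))
        return all(w is None or w.lower() == h.lower() for w, h in pairs)

@dataclass
class ACL:
    name: str
    action: str  # "permit" or "deny"
    classifiers: list[Classifier] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        # An ACL may carry several classifiers; matching any one is enough.
        return any(c.matches(pkt) for c in self.classifiers)

def evaluate_port(acls: list[ACL], pkt: Packet) -> str:
    """Return 'permit', 'deny' or 'unmatched' for one ingress packet."""
    # Permit ACLs are checked first: a permit ACL overrides a deny ACL on
    # the same port. What happens to traffic matching no ACL at all is not
    # stated on this page, so it is reported separately rather than assumed.
    if any(a.action == "permit" and a.matches(pkt) for a in acls):
        return "permit"
    if any(a.action == "deny" and a.matches(pkt) for a in acls):
        return "deny"
    return "unmatched"

# Constructed port policy: deny all IP ingress except from one server MAC.
PORT_ACLS = [
    ACL("deny-ip", "deny", [Classifier(protocol="ip")]),
    ACL("allow-server", "permit", [Classifier(src_mac="00:11:22:33:44:55", protocol="ip")]),
]
```

Traffic that matches neither kind of ACL is returned as "unmatched" so that the switch's default handling, which this page does not specify, is not silently assumed.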