Parts of an ACL, Guidelines – Allied Telesis AT-S62 User Manual
Page 253
AT-S62 Management Software Menus Interface User’s Guide
Section II: Advanced Operations
Here is an overview of how a port applies its ACLs to ingress packets.
1. When an ingress packet arrives on a port, the switch checks it against
the criteria in the classifiers of all the ACLs, both permit and deny,
assigned to that port.
2. If the packet matches the criteria of a permit ACL, the port immediately
accepts it. The packet is accepted even if it matches a deny ACL on
the same port because a permit ACL overrides a deny ACL.
3. If a packet meets the criteria of a deny ACL but not any permit ACLs
on the port, then the packet is discarded.
4. Finally, if a packet does not meet the criteria of any ACL on the port, it is
accepted by the port. There is no implicit deny: any traffic you want blocked
must match a deny ACL explicitly.
Parts of an ACL
To create an ACL, you must provide the following information:
Name - An ACL needs a name. The name should reflect the type of
traffic flow the ACL will be filtering and, perhaps, also the action. An
example might be “HTTPS flow - permit.” The more specific the name,
the easier it will be for you to identify the different ACLs.
Action - An ACL can have one of two actions: permit or deny. An action
of permit means that the ingress packets matching the criteria in the
classifiers are to be accepted by the switch port. An action of deny
means any ingress packets matching the criteria are to be discarded,
unless the packets match a permit ACL on the port, in which case the
packets are accepted.
Classifiers - An ACL needs one or more classifiers to define the traffic
flow whose packets you want the port to accept or reject. Each
classifier defines a different traffic flow. An ACL can have more than
one classifier to filter multiple traffic flows.
Port Lists - You need to specify the ports to which an ACL is to be
assigned.
Guidelines
Here are rules for ACLs:
A port can have multiple permit and deny ACLs.
An ACL must have at least one classifier.
An ACL can be assigned to more than one switch port.
An ACL filters ingress traffic, but not egress traffic. To control both
directions of a conversation, assign ACLs to the port where each direction
enters the switch.
The action of an ACL can be either permit or deny. A permit ACL
overrides a deny ACL on the same port, so a broadly matching permit ACL
(for example, one that permits all TCP traffic) also admits traffic that a
narrower deny ACL on the same port was meant to block.
The order in which ACLs are assigned to a port is unimportant. An
ingress packet is compared against all of a port’s ACLs.
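As an added example (not from the manual or Allied Telesis), the following Python models the four parts of an ACL and the four evaluation steps described above, then exercises the two consequences a practitioner should check for: a packet that matches no ACL is accepted, and a broad permit ACL overrides a narrower deny ACL on the same port. The ACL names, port numbers, sample packets and the dict-based classifier (matching on proto, src_ip, dst_ip and dst_port) are constructed for this example; on the switch, classifiers are separate objects with their own match fields.

```python
# Added example: a model of how an AT-S62 port evaluates ingress packets against
# its ACLs. Not Allied Telesis code. ASSUMPTION: a classifier is reduced to a
# dict of packet-field criteria (proto, src_ip, dst_ip, dst_port); on the switch
# classifiers are separate objects and can match on more fields.
from dataclasses import dataclass
from typing import Dict, List

Packet = Dict[str, object]
Classifier = Dict[str, object]


@dataclass
class ACL:
    """The four parts of an ACL: name, action, classifiers, port list."""
    name: str
    action: str                    # "permit" or "deny"
    classifiers: List[Classifier]  # at least one
    ports: List[int]               # switch ports the ACL is assigned to

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"{self.name}: action must be permit or deny")
        if not self.classifiers:
            raise ValueError(f"{self.name}: an ACL needs at least one classifier")


def classifier_matches(classifier: Classifier, packet: Packet) -> bool:
    """Every criterion the classifier specifies must equal the packet field."""
    return all(packet.get(key) == value for key, value in classifier.items())


def acl_matches(acl: ACL, packet: Packet) -> bool:
    """An ACL matches when any one of its classifiers (flows) matches."""
    return any(classifier_matches(c, packet) for c in acl.classifiers)


def evaluate(port: int, packet: Packet, acls: List[ACL]) -> str:
    """Return "accept" or "discard" for an ingress packet on `port`.

    Follows the manual's four steps: look at every ACL assigned to the port,
    regardless of order; a matching permit wins outright; otherwise a matching
    deny discards; otherwise the packet is accepted (no implicit deny).
    """
    on_port = [a for a in acls if port in a.ports]
    if any(a.action == "permit" and acl_matches(a, packet) for a in on_port):
        return "accept"
    if any(a.action == "deny" and acl_matches(a, packet) for a in on_port):
        return "discard"
    return "accept"


# Constructed sample ACLs (hypothetical names and port numbers).
HTTPS_PERMIT = ACL("HTTPS flow - permit", "permit",
                   [{"proto": "tcp", "dst_port": 443}], ports=[3])
TELNET_DENY = ACL("Telnet - deny", "deny",
                  [{"proto": "tcp", "dst_port": 23}], ports=[3, 4])
ALL_TCP_PERMIT = ACL("All TCP - permit", "permit",
                     [{"proto": "tcp"}], ports=[3])

# Constructed sample packets.
TELNET = {"proto": "tcp", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "dst_port": 23}
HTTPS = {"proto": "tcp", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.1", "dst_port": 443}
DNS = {"proto": "udp", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.53", "dst_port": 53}
SAMPLES = {"telnet": TELNET, "https": HTTPS, "dns": DNS}


def decisions(port: int, policy: List[ACL]) -> Dict[str, str]:
    """Decision for each sample packet arriving on `port` under `policy`."""
    return {name: evaluate(port, pkt, policy) for name, pkt in SAMPLES.items()}


def baseline() -> Dict[str, str]:
    """Permit HTTPS, deny Telnet on port 3. DNS matches nothing and is still
    accepted: the deny ACL blocks only what it matches."""
    return decisions(3, [HTTPS_PERMIT, TELNET_DENY])


def broad_permit_pitfall() -> Dict[str, str]:
    """Add a permit-all-TCP ACL to port 3: it overrides the Telnet deny."""
    return decisions(3, [HTTPS_PERMIT, TELNET_DENY, ALL_TCP_PERMIT])


def order_independent() -> bool:
    """Assigning the same ACLs in any order gives the same decisions."""
    policy = [HTTPS_PERMIT, TELNET_DENY, ALL_TCP_PERMIT]
    return all(decisions(3, policy) == decisions(3, p)
               for p in (policy[::-1], [policy[1], policy[2], policy[0]]))


def rejects_empty_acl() -> bool:
    """An ACL with no classifier is invalid."""
    try:
        ACL("no classifiers", "deny", [], ports=[1])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("port 3, permit HTTPS + deny Telnet:", baseline())
    print("port 3, plus permit all TCP:      ", broad_permit_pitfall())
    print("port 4 (deny Telnet only), telnet:", evaluate(4, TELNET, [HTTPS_PERMIT, TELNET_DENY]))
    print("port 5 (no ACLs), telnet:         ", evaluate(5, TELNET, [HTTPS_PERMIT, TELNET_DENY]))
```

Running the script shows Telnet discarded on ports 3 and 4 under the baseline policy, DNS accepted on port 3 because nothing matches it, and Telnet accepted again on port 3 once the all-TCP permit ACL is assigned. When reviewing a port's ACLs, list every permit ACL on it and confirm none of their classifiers is wide enough to cover the flows the deny ACLs are supposed to stop.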