Access control list (acl) overview – Allied Telesis AT-S62 User Manual

Page 238

Chapter 15: Access Control Lists

Section II: Advanced Operations

Access Control List (ACL) Overview

An ACL is a filter that controls the ingress packets on a port. You can use
this feature to control which ingress packets a port will accept and which
it will reject. Packets are filtered based on the criteria defined in the
classifiers assigned to an ACL.

There are several benefits of this feature. One is that it can add to your
network security. You can create ACLs to protect parts of a network from
unauthorized access by allowing only permitted traffic to enter the ports
of a switch.

You can also use ACLs to enhance network performance by creating
data links dedicated to carrying specific types of traffic. This provides the
permitted traffic a higher priority by virtue of having its own dedicated
network path.

This feature can also be used to achieve load-balancing by creating
dedicated links for different types or categories of traffic. This too can
result in enhanced network performance by distributing different types
of network traffic across multiple physical links.

Note

This feature is not related to the management ACL feature,
described in Chapter 36, Management Access Control List on page
707. They perform different functions and are configured in
different ways.

The heart of an ACL is a classifier. A classifier, as explained in Classifier
Overview on page 220, defines packets that share a common trait.
Packets that share a trait are referred to as a traffic flow. A traffic flow can
be very broad, such as all IP packets, or very specific, such as packets
from a specific end node destined for another specific node. You specify
the traffic using different criteria, such as source and destination MAC
addresses or protocol.

When you create an ACL, you are asked to specify the classifier that
defines the traffic flow you want to permit or deny on a port.

There are two kinds of ACLs based on the two actions that an ACL can
perform. One is called a permit ACL. Packets that meet the criteria in a
permit ACL are accepted by a port.

The second type of ACL is a deny ACL. This type of ACL will deny entry to
packets that meet the criteria of its classifiers, unless the packet also
meets the criteria of a permit ACL on the same port, in which case the
packet is accepted. This is because a permit ACL overrides a deny ACL.
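The following is an added example, not part of the manual and not the switch's own software: a small Python model of the semantics this section describes. A classifier defines a traffic flow by criteria such as source MAC or protocol, an ACL binds one or more classifiers to a permit or deny action on a port, and a packet matched by a deny ACL is still accepted when a permit ACL on the same port also matches it. All class names, field names, MAC addresses and protocol strings are constructed for the example. The page does not state what happens to a packet matched by no ACL, so the model reports that case as "no-match" rather than assuming a default.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of the permit/deny ACL behaviour described in this section.
# Names and sample values are this example's own, not the AT-S62's.


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    protocol: str  # e.g. "ip" or "arp" (constructed labels)


@dataclass(frozen=True)
class Classifier:
    """Defines a traffic flow; a criterion of None means 'any'."""
    name: str
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    protocol: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        # Every specified criterion must match; unspecified ones are wildcards.
        return all(
            want is None or want.lower() == have.lower()
            for want, have in (
                (self.src_mac, pkt.src_mac),
                (self.dst_mac, pkt.dst_mac),
                (self.protocol, pkt.protocol),
            )
        )


@dataclass(frozen=True)
class ACL:
    name: str
    action: str  # "permit" or "deny"
    classifiers: Tuple[Classifier, ...]  # an ACL may reference several classifiers

    def matches(self, pkt: Packet) -> bool:
        return any(c.matches(pkt) for c in self.classifiers)


def port_decision(acls: Tuple[ACL, ...], pkt: Packet) -> str:
    """Decide the fate of one ingress packet on a port carrying `acls`.

    Returns "permit", "deny" or "no-match". A matching permit ACL overrides
    any matching deny ACL regardless of the order the ACLs are listed in,
    so every ACL is examined before a deny is reported.
    """
    deny_hit = False
    for acl in acls:
        if acl.matches(pkt):
            if acl.action == "permit":
                return "permit"
            deny_hit = True
    return "deny" if deny_hit else "no-match"


# Constructed configuration for one port: deny all IP traffic, but permit IP
# traffic from a single known host. Deny is listed first on purpose.
ALL_IP = Classifier("all_ip", protocol="ip")
HOST_A_IP = Classifier("host_a_ip", src_mac="00:aa:bb:cc:dd:01", protocol="ip")
PORT1_ACLS = (
    ACL("deny_all_ip", "deny", (ALL_IP,)),
    ACL("permit_host_a", "permit", (HOST_A_IP,)),
)

# Constructed sample packets.
PKT_HOST_A = Packet("00:aa:bb:cc:dd:01", "00:11:22:33:44:55", "ip")
PKT_OTHER = Packet("00:aa:bb:cc:dd:02", "00:11:22:33:44:55", "ip")
PKT_ARP = Packet("00:aa:bb:cc:dd:02", "ff:ff:ff:ff:ff:ff", "arp")


def demo() -> dict:
    """Evaluate the three sample packets against the port's ACLs."""
    return {
        "host_a_ip": port_decision(PORT1_ACLS, PKT_HOST_A),
        "other_ip": port_decision(PORT1_ACLS, PKT_OTHER),
        "arp": port_decision(PORT1_ACLS, PKT_ARP),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The host_a packet matches both ACLs and is permitted because the permit ACL wins; the other IP packet matches only the deny ACL and is dropped; the ARP packet matches neither classifier. Reversing the order of `PORT1_ACLS` gives the same verdicts, which is the point of the override rule: the outcome depends on which ACLs match, not on listing order.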