
AT-S62 Menus Interface User’s Guide

Section II: Advanced Operations

239

Here is an overview of how the process works.

1. When an ingress packet arrives on a port, the switch checks it against the criteria in the classifiers of all the ACLs, both permit and deny, assigned to that port.

2. If the packet matches the criteria of a permit ACL, the port immediately accepts it. Because a permit ACL overrides a deny ACL, the packet is accepted even if it matches a deny ACL assigned to the same port.

3. If a packet meets the criteria of a deny ACL but not any permit ACLs on the port, then the packet is discarded.

4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is accepted by the port.

Parts of an ACL

To create an ACL, you must provide the following information:

❑ Name - An ACL needs a name. The name should reflect the type of traffic flow the ACL will be filtering and, perhaps, also the action. An example might be “HTTPS flow - permit.” The more specific the name, the easier it will be for you to identify the different ACLs.

❑ Action - An ACL can have one of two actions: permit or deny. An action of permit means that the ingress packets matching the criteria in the classifiers are to be accepted by the switch port. An action of deny means any ingress packets matching the criteria are to be discarded, unless the packets match a permit ACL on the port, in which case the packets are accepted.

❑ Classifiers - An ACL needs one or more classifiers to define the traffic flow whose packets you want the port to accept or reject. Each classifier defines a different traffic flow. An ACL can have more than one classifier to filter multiple traffic flows.

❑ Port Lists - Finally, you need to specify the ports to which an ACL is to be assigned.

Guidelines

Here are rules to observe when it comes to using ACLs:

❑ A port can have multiple permit and deny ACLs.

❑ An ACL must have at least one classifier.

❑ An ACL can be assigned to more than one switch port.

❑ An ACL filters ingress traffic, but not egress traffic.

❑ The action of an ACL can be either permit or deny. A permit ACL overrides a deny ACL on the same port.
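The four-step evaluation order at the top of this page and the ACL parts listed under "Parts of an ACL", worked through as an added Python model. This is not the switch's own code; the classifier fields (source network, protocol, destination port), the packet dictionary layout and the sample policy are assumptions made for the example.

```python
# Model of AT-S62 ingress ACL evaluation (added example; classifier fields assumed).
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Classifier:
    """One traffic flow; a None field means 'any'."""
    src_net: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.src_net and ip_address(pkt["src"]) not in ip_network(self.src_net):
            return False
        if self.protocol and pkt["proto"] != self.protocol:
            return False
        return self.dst_port is None or pkt.get("dport") == self.dst_port

@dataclass
class ACL:
    name: str
    action: str                     # "permit" or "deny"
    classifiers: List[Classifier]   # guide: at least one classifier
    ports: List[int] = field(default_factory=list)  # assigned switch ports

    def __post_init__(self):
        if self.action not in ("permit", "deny") or not self.classifiers:
            raise ValueError(f"ACL {self.name!r}: bad action or no classifier")

    def matches(self, pkt: dict) -> bool:
        return any(c.matches(pkt) for c in self.classifiers)

def evaluate(acls: List[ACL], port: int, pkt: dict) -> str:
    """Return 'accept' or 'discard' for an ingress packet arriving on `port`."""
    on_port = [a for a in acls if port in a.ports]        # step 1
    if any(a.action == "permit" and a.matches(pkt) for a in on_port):
        return "accept"     # step 2: permit overrides any deny on the port
    if any(a.action == "deny" and a.matches(pkt) for a in on_port):
        return "discard"    # step 3: deny matched, no permit matched
    return "accept"         # step 4: nothing matched, accepted by default

# Constructed sample policy: discard Telnet (TCP/23) from 10.0.0.0/8 on port 5,
# except from one management host, which a permit ACL overrides.
ACLS = [
    ACL("Telnet from 10.x - deny", "deny",
        [Classifier("10.0.0.0/8", "tcp", 23)], ports=[5]),
    ACL("Mgmt host Telnet - permit", "permit",
        [Classifier("10.1.1.5/32", "tcp", 23)], ports=[5]),
]
```

Note that step 4 means a port with only deny ACLs still accepts everything those ACLs do not describe, so a deny-by-default policy has to be written out explicitly.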