Access control lists (acls), Overview, Limitations – D-Link UNIFIED WIRED & WIRELESS ACCESS SYSTEM DWS-3000 User Manual

Overview

95

16

Access Control Lists (ACLs)

This section describes the Access Control Lists (ACLs) feature.

Overview

Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that
provide security by blocking unauthorized users and allowing authorized users to access
specific resources. Normally ACLs reside in a firewall router or in a router connecting two
internal networks.

ACL Logging provides a means for counting the number of “hits” against an ACL rule. When
you configure ACL Logging, you augment the ACL deny rule specification with a ‘log’
parameter that enables hardware hit count collection and reporting. The D-Link DWS-3000
switch uses a fixed five minute logging interval, at which time trap log entries are written for
each ACL logging rule that accumulated a non-zero hit count during that interval. You cannot
configure the logging interval.

You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on
Layer 2. IP ACLs operate on Layers 3 and 4.

Limitations

The following limitations apply to ACLs.

•

Maximum of 100 ACLs.

•

Maximum rules per ACL is 10.

•

The system supports ACLs set up for inbound traffic only.

•

The system does not support MAC ACLs and IP ACLs on the same interface.

•

It may not be possible to log every ACL rule due to limited hardware counter resources.
You can define an ACL with any number of logging rules, but the number of rules that are
actually logged cannot be determined until the ACL is applied to an interface. Further-
more, hardware counters that become available after an ACL is applied are not retroac-
tively assigned to rules that were unable to be logged (the ACL must be un-applied then
re-applied). Rules that are unable to be logged are still active in the ACL for purposes of
permitting or denying a matching packet.