PLANET XGS3-24042 User Manual

51-1
Chapter 51 ACL Configuration
51.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It controls network traffic
by permitting or denying packets passing through the switch, thereby protecting the security of the network. The
user lays down a set of rules based on information carried in the packets; each rule describes the action taken
for a packet whose information matches it: "permit" or "deny". The user can apply such rules to the incoming
direction of switch ports, so that data streams arriving on the specified ports must comply with the ACL rules
assigned to them.
51.1.1 Access-list
An access-list is a sequential collection of conditions, each corresponding to a specific rule. Each rule consists
of filter information and the action to take when the rule is matched. The information in a rule is an effective
combination of conditions such as source IP, destination IP, IP protocol number, TCP port and UDP port. Access-lists
can be categorized by the following criteria:
Criterion based on filter information: IP access-list (layer 3 or higher information), MAC access-list
(layer 2 information), and MAC-IP access-list (layer 2 together with layer 3 or higher information).
Criterion based on configuration complexity: standard and extended; the extended mode allows more
specific filtering of information.
Criterion based on nomenclature: numbered and named.
Description of an ACL should cover the above three aspects.
51.1.2 Access-group
Once a set of access-lists has been created, they can be applied to incoming traffic on any port.
An access-group describes the binding of an access-list to the incoming direction of a specific port.
When an access-group is created, every packet arriving on that port is compared against the rules of the
bound access-list to decide whether it is permitted or denied.
The current firmware only supports ingress ACL configuration.
51.1.3 Access-list Action and Global Default Action
There are two possible access-list actions and two possible default actions: "permit" or "deny". The following rules apply:
An access-list can consist of several rules. When a packet is filtered, its conditions are compared to the rules
in order, from the first rule until the first matching rule; the remaining rules are not processed. The global
default action applies only to IP packets in the incoming direction on the ports.
The global default action applies only when packet filtering is enabled on a port and either no ACL is bound to
that port or no rule of the bound ACL matches.
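The following Python model is an added example, not part of the manual and not the switch's own CLI or firmware logic. It simulates the semantics described in 51.1.1 through 51.1.3: an access-list as an ordered list of rules with match conditions and an action, an access-group as the ingress binding of one access-list to a port, first-match evaluation with the remaining rules skipped, and the global default action applied only when packet filtering is enabled and either no ACL is bound or no rule matched. All class names, field names and the sample addresses are constructed for illustration; the behaviour of a port with packet filtering disabled (forwarded unfiltered) is an assumption, since the manual does not state it.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Rule:
    """One entry of an access-list (extended IP style). None means 'any'."""
    action: str                      # "permit" or "deny"
    src: Optional[str] = None        # source prefix, e.g. "10.0.0.0/8"
    dst: Optional[str] = None        # destination prefix
    protocol: Optional[str] = None   # "tcp", "udp", "icmp"
    dport: Optional[int] = None      # destination TCP/UDP port

    def matches(self, pkt: dict) -> bool:
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol and pkt.get("protocol") != self.protocol:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class AccessList:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: dict) -> Optional[str]:
        """First-match: return the action of the first matching rule, None if no rule matches."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action   # remaining rules are not processed
        return None


@dataclass
class Port:
    name: str
    packet_filter_enabled: bool = False
    access_group: Optional[AccessList] = None   # ingress binding only (51.1.2)


class Switch:
    def __init__(self, global_default: str = "permit"):
        self.global_default = global_default       # global default action (51.1.3)
        self.ports: Dict[str, Port] = {}

    def add_port(self, name: str, packet_filter_enabled: bool = False) -> None:
        self.ports[name] = Port(name, packet_filter_enabled)

    def bind(self, port: str, acl: AccessList) -> None:
        """Create an access-group: bind the access-list to the port's ingress."""
        self.ports[port].access_group = acl

    def ingress(self, port_name: str, pkt: dict) -> str:
        port = self.ports[port_name]
        if not port.packet_filter_enabled:
            return "permit"   # assumption: no filtering on this port, forwarded as-is
        if port.access_group is not None:
            verdict = port.access_group.evaluate(pkt)
            if verdict is not None:
                return verdict
        # No ACL bound, or no rule of the bound ACL matched: global default decides.
        return self.global_default


def build_demo() -> Switch:
    """Constructed topology: eth1 filtered with an ACL, eth2 filtered without one, eth3 unfiltered."""
    sw = Switch(global_default="deny")
    acl = AccessList("mgmt-in", [
        Rule("permit", src="10.0.0.0/8", dst="192.0.2.1/32", protocol="tcp", dport=22),
        Rule("deny", src="10.0.0.0/8"),
    ])
    sw.add_port("eth1", packet_filter_enabled=True)
    sw.bind("eth1", acl)
    sw.add_port("eth2", packet_filter_enabled=True)    # no access-group bound
    sw.add_port("eth3", packet_filter_enabled=False)   # filtering disabled
    return sw


if __name__ == "__main__":
    sw = build_demo()
    ssh = {"src": "10.1.2.3", "dst": "192.0.2.1", "protocol": "tcp", "dport": 22}
    web = {"src": "10.1.2.3", "dst": "192.0.2.1", "protocol": "tcp", "dport": 80}
    for port in ("eth1", "eth2", "eth3"):
        print(port, "ssh:", sw.ingress(port, ssh), "web:", sw.ingress(port, web))
```

Because evaluation stops at the first match, the order of rules is part of the policy: with the two rules in `mgmt-in` swapped, the broad deny would shadow the narrower permit and the SSH packet from 10.0.0.0/8 would be dropped. Packets that match no rule on eth1, and every IP packet on eth2, fall through to the global default action.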
