Chapter 13 - Access Control List - Linksys LGS308 User Manual

Smart switch lgs3xx
Chapter 13 - Access Control List

The Access Control List (ACL) feature is part of the device's security mechanism. ACLs enable network
managers to define patterns (filters and actions) for ingress traffic. Packets entering the device on
a port or LAG with an active ACL are either admitted or denied entry.
An Access Control List (ACL) is an ordered list of classification filters and actions. Each single
classification rule, together with its action, is called an Access Control Element (ACE).
Each ACE is made up of filters that distinguish traffic groups and associated actions. A single
ACL may contain one or more ACEs, which are matched against the contents of incoming frames.
Either a DENY or PERMIT action is applied to frames whose contents match the filter.
The device supports a maximum of 256 ACLs, and a maximum of 256 ACEs.
When a packet matches an ACE filter, the ACE action is taken and that ACL processing is
stopped. If the packet does not match the ACE filter, the next ACE is processed. If all ACEs of an
ACL have been processed without finding a match, and if another ACL exists, it is processed in a
similar manner.
Note—If a packet matches no ACE in any relevant ACL, the packet is dropped (the default
action). Because of this default drop action you must explicitly add ACEs to the ACL to permit
the desired traffic, including management traffic such as Telnet, HTTP or SNMP that is directed
to the device itself. For example, if you do not want all packets that match none of the
conditions in an ACL to be discarded, you must explicitly add a lowest-priority ACE to the ACL
that permits all traffic.
If IGMP snooping is enabled on a port bound with an ACL, add ACE filters in the ACL to forward
IGMP/MLD packets to the device; otherwise, IGMP snooping fails at the port.
The order of the ACEs within the ACL is significant, since they are applied in a first-fit manner.
The ACEs are processed sequentially, starting with the first ACE.
ACLs can be used for security, for example by permitting or denying certain traffic flows.
There can only be one ACL per port.
To associate more than one ACL with a port, a policy with one or more class maps must be used.
The following types of ACLs can be defined (depending on which part of the frame header is
examined):
MAC ACL—Examines Layer 2 fields only, as described in Defining MAC-based ACLs.
IP ACL—Examines the Layer 3 fields of IP frames, as described in IPv4/IPv6-Based ACLs.
If a frame matches the filter in an ACL, it is defined as a flow with the name of that ACL.
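The first-fit evaluation and default drop described above, as an added illustration (not code from the manual or from Linksys): a small simulator with constructed packets and a constructed switch management address. It shows why an ACL that only lists the wanted server traffic silently drops SNMP to the switch and IGMP reports, how the explicit management, IGMP and lowest-priority permit-all ACEs fix that, and why the order of ACEs decides the outcome.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:           # constructed packet: the header fields an IP ACE inspects
    proto: str          # "tcp", "udp", "igmp", ...
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Ace:              # one classification rule plus its action
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None means "any" for every filter field
    src: Optional[str] = None    # source CIDR
    dst: Optional[str] = None    # destination CIDR
    dport: Optional[int] = None  # destination port

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
                and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == pkt.dport))

def evaluate(acls: list, pkt: Packet) -> str:
    """First-fit: the first matching ACE decides and processing stops.
    If no ACE in any ACL matches, the packet is dropped (the default action)."""
    for acl in acls:
        for ace in acl:
            if ace.matches(pkt):
                return ace.action
    return "deny"

SWITCH_IP = "192.0.2.1"  # constructed management address of the switch itself
# ACL that lists only the HTTP flow to a server: everything else hits the default drop,
# including SNMP to the switch and the IGMP reports that IGMP snooping relies on.
HTTP_ONLY = [Ace("permit", "tcp", dst="198.51.100.10/32", dport=80)]
# Same ACL with explicit management and IGMP ACEs and a lowest-priority permit-all.
COMPLETE = HTTP_ONLY + [Ace("permit", "udp", dst=SWITCH_IP + "/32", dport=161),
                        Ace("permit", "igmp"), Ace("permit")]
SNMP_TO_SWITCH = Packet("udp", "192.0.2.50", SWITCH_IP, 161)
IGMP_REPORT = Packet("igmp", "192.0.2.50", "224.0.0.22")
WEB = Packet("tcp", "192.0.2.50", "198.51.100.10", 80)

def order_matters() -> tuple:
    """The same two ACEs in the two possible orders decide one packet differently."""
    pkt = Packet("tcp", "10.0.5.7", "198.51.100.10", 22)
    deny_first = [Ace("deny", src="10.0.0.0/8"), Ace("permit", src="10.0.5.0/24")]
    return evaluate([deny_first], pkt), evaluate([deny_first[::-1]], pkt)
```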
Creating ACLs Workflow
To create ACLs and associate them with an interface:
1. Create one or more of the following types of ACLs:

This manual is also suitable for: LGS318, LGS326, LGS318P, LGS308P, LGS326P.