How Access Control Lists Work; Access Mask Precedence Numbers; Specifying A Default Rule - Extreme Networks Summit Summit24 Installation And User Manual


Access Policies

How Access Control Lists Work

When a packet arrives on an ingress port, the fields of the packet corresponding to an access mask are
compared with the values specified by the associated access lists to determine a match.
It is possible that a packet will match more than one access control list. If the resulting actions of all the
matches do not conflict, they will all be carried out. If there is a conflict, the actions of the access list
using the higher precedence access mask are applied. When a match is found, the packet is processed. If
the access list is of type deny, the packet is dropped. If the list is of type permit, the packet is
forwarded. A permit access list can also apply a QoS profile to the packet and modify the packet's
802.1p value and the DiffServ code point.

Access Mask Precedence Numbers

The access mask precedence number is optional, and determines the order in which each rule is
examined by the switch. Access control list entries are evaluated from highest precedence to lowest
precedence. Precedence numbers range from 1 to 25,600, with the number 1 having the highest precedence.
However, an access mask without a precedence specified has a higher precedence than any access mask
with a precedence specified. The first access mask defined without a specified precedence has the
highest precedence. Subsequent masks without a specified precedence have a lower precedence, and so
on.

Specifying a Default Rule

You can specify a default access control list to define the default access to the switch. You should use an
access mask with a low precedence for the default rule access control list. If no other access control list
entry is satisfied, the default rule is used to determine whether the packet is forwarded or dropped. If
no default rule is specified, the default behavior is to forward the packet.
NOTE
If your default rule denies traffic, you should not apply this rule to the Summit24e3 port used as a
management port.
The following example shows an access control list that is used to specify a default rule to explicitly
deny all traffic:
create access-mask ingress_mask ports precedence 25000
create access-list DenyAll ingress_mask ports 2-26 deny
Once the default behavior of the access control list is established, you can create additional entries using
precedence numbers.
The following example shows an access control list that forwards traffic from the 10.1.2.x subnet
even while the above default rule is in place:
create access-mask ip_src_mask source-ip/24 precedence 1000
create access-list TenOneTwo ip_src_mask source-ip 10.1.2.0/24 permit
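To make the precedence rules above concrete, here is a small Python model (added here as an illustration; it is not ExtremeWare or Extreme Networks code) of how the switch resolves matches: it assumes simplified masks that cover only the ingress-port and source-IP fields, and it reproduces the DenyAll and TenOneTwo rules from the two examples.

```python
import ipaddress

class AccessMask:
    """Mask with an optional precedence (1 is highest, 25600 lowest)."""
    def __init__(self, name, precedence=None, order=0):
        self.name, self.precedence, self.order = name, precedence, order
    def rank(self):
        # Sort key: lower sorts first = higher precedence. A mask with no precedence
        # outranks every numbered mask; among unnumbered masks the first defined wins.
        return (0, self.order) if self.precedence is None else (1, self.precedence)

class AccessList:
    """Entry tied to a mask; matches on an ingress port range and/or a source prefix."""
    def __init__(self, name, mask, action, ports=None, source=None):
        self.name, self.mask, self.action = name, mask, action
        self.ports = ports                          # e.g. range(2, 27) for ports 2-26
        self.source = ipaddress.ip_network(source) if source else None
    def matches(self, port, src_ip):
        if self.ports is not None and port not in self.ports:
            return False
        if self.source is not None and ipaddress.ip_address(src_ip) not in self.source:
            return False
        return True

class Switch:
    def __init__(self):
        self.masks, self.acls = [], []
    def create_access_mask(self, name, precedence=None):
        mask = AccessMask(name, precedence, order=len(self.masks))
        self.masks.append(mask)
        return mask
    def create_access_list(self, name, mask, action, **criteria):
        self.acls.append(AccessList(name, mask, action, **criteria))
    def decide(self, port, src_ip):
        """Return 'permit' or 'deny' for a packet arriving on an ingress port."""
        hits = [a for a in self.acls if a.matches(port, src_ip)]
        if not hits:
            return "permit"        # no entry (and no default rule) matched: forward
        # Conflicting actions: the list whose mask has the higher precedence wins.
        return min(hits, key=lambda a: a.mask.rank()).action

def build_example():
    """Constructed rule set mirroring the manual's DenyAll and TenOneTwo examples."""
    sw = Switch()
    m = sw.create_access_mask("ingress_mask", precedence=25000)
    sw.create_access_list("DenyAll", m, "deny", ports=range(2, 27))
    m = sw.create_access_mask("ip_src_mask", precedence=1000)
    sw.create_access_list("TenOneTwo", m, "permit", source="10.1.2.0/24")
    return sw
```

A packet from 10.1.2.7 on port 5 matches both lists; the conflict is resolved in favour of TenOneTwo because precedence 1000 outranks 25000, while a packet on port 1 matches neither list and is forwarded by the switch's built-in default.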
Summit24e3 Switch Installation and User Guide
