Defining Access Control Lists; Configuring Access Control Lists - Alcatel OS-LS-6224 User Manual

Defining Access Control Lists

Access Control Lists (ACLs) provide packet filtering based on IP addresses and
MAC addresses. Each packet entering an ingress port that has an active ACL is
either admitted or denied. A deny rule can additionally be configured to disable
the ingress port on which the denied packet arrived. To filter incoming packets,
first create an access list, add the required rules, assign each rule a priority
to set the order in which the rules are checked, and then bind the list to a
specific port.
For example, an ACL rule can state that TCP packets destined to port 20 are
admitted while UDP packets are dropped. ACLs are composed of access control
entries (ACEs), the individual filters that classify traffic. The total number
of ACEs that can be defined in all ACLs together is 894.

Configuring Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses,
MAC addresses, or other more specific criteria. The switch tests ingress or egress
packets against the conditions in an ACL one by one, in priority order. A packet is
accepted as soon as it matches a permit rule, or dropped as soon as it matches a
deny rule. If no rule matches, the result depends on the contents of the list: a
list consisting only of permit rules drops the packet, and a list consisting only
of deny rules accepts it. The following filters can be defined as ACEs:
• Source IP Address and Wildcard Mask — Filters packets by source IP address; the
wildcard mask selects which address bits must match (a set bit in the mask means
"ignore this bit").
• Destination IP Address and Wildcard Mask — Filters packets by destination IP
address, with the wildcard mask applied in the same way.
• ACE Priority — Sets the position of the ACE within the list; ACEs are checked
in priority order, so the priority decides which of several matching rules wins.
• Protocol — Filters packets by IP protocol (for example TCP or UDP).
• DSCP — Filters packets by the DiffServ Code Point (DSCP) value.
• IP Precedence — Filters packets by the IP Precedence value.
• Action — The action applied to a packet that matches the ACE: the packet is
forwarded or dropped. In addition, the ingress port can be shut down, a trap can
be sent to the network administrator, or the packet can be subjected to rate
limiting before forwarding.
When configuring ACLs, ensure the following:
• Each ACL can have up to 256 Access Control Elements (ACE rules).
• The maximum number of ACLs is 894 per port.
• You must configure a mask for an ACL rule before you can bind it to a port or set
the queue or frame priorities associated with the rule.
• When an ACL is bound to an interface as an egress filter, all entries in the ACL
must be deny rules. Otherwise, the bind operation will fail.
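The matching semantics described above (priority-ordered first match, wildcard masks, the implicit result when nothing matches, the optional port shutdown on a deny, and the egress-bind restriction) are modelled below in a small Python example. This is an added illustration, not code from the Alcatel manual or the switch firmware: the `ACE`, `evaluate` and `bind` names, the packet dictionary layout and the sample packets are all constructed here. One point the page leaves open is a list that mixes permit and deny rules with no matching rule; the example treats that case like an all-permit list (drop), which is an assumption.

```python
"""Model of the ACL semantics on this page (added example, not vendor code).

Assumptions: rule/packet field names are invented for illustration; a mixed
permit/deny list with no match is treated like an all-permit list (drop).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ANY = "0.0.0.0"
ANY_WILD = "255.255.255.255"   # all bits "don't care"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: a 1 bit in the mask means 'ignore this bit'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


@dataclass(frozen=True)
class ACE:
    action: str                      # "permit" or "deny"
    protocol: Optional[str] = None   # "tcp", "udp", ...; None matches any
    src: str = ANY
    src_wild: str = ANY_WILD
    dst: str = ANY
    dst_wild: str = ANY_WILD
    dst_port: Optional[int] = None   # None matches any L4 destination port
    shutdown: bool = False           # deny action also disables the port

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        return (wildcard_match(pkt["src"], self.src, self.src_wild)
                and wildcard_match(pkt["dst"], self.dst, self.dst_wild))


def evaluate(acl: List[ACE], pkt: dict) -> Tuple[str, bool]:
    """Test a packet against the ACEs in order; the first match decides.

    Returns (action, port_shutdown). With no match, a list made only of deny
    rules accepts the packet; any other list drops it (assumption for the
    mixed case, see the module docstring).
    """
    for ace in acl:                  # acl is already in priority order
        if ace.matches(pkt):
            return ace.action, (ace.action == "deny" and ace.shutdown)
    all_deny = all(ace.action == "deny" for ace in acl)
    return ("permit" if all_deny else "deny"), False


def bind(acl: List[ACE], direction: str) -> None:
    """Bind-time check from the page: an egress ACL may hold only deny rules."""
    if direction == "egress" and any(ace.action != "deny" for ace in acl):
        raise ValueError("egress ACL must contain only deny rules; bind fails")


# The page's example: TCP to port 20 is admitted, UDP is dropped (and here
# the deny rule is also set to shut the port down).
EXAMPLE_ACL = [
    ACE("permit", protocol="tcp", dst_port=20),
    ACE("deny", protocol="udp", shutdown=True),
]

# Constructed sample packets, not captured traffic.
TCP_20 = {"proto": "tcp", "src": "10.1.2.3", "dst": "10.1.0.1", "dport": 20}
UDP_53 = {"proto": "udp", "src": "10.1.2.3", "dst": "10.1.0.1", "dport": 53}
TCP_22 = {"proto": "tcp", "src": "10.1.2.3", "dst": "10.1.0.1", "dport": 22}

if __name__ == "__main__":
    for name, pkt in (("tcp/20", TCP_20), ("udp/53", UDP_53), ("tcp/22", TCP_22)):
        print(name, evaluate(EXAMPLE_ACL, pkt))
    bind([ACE("deny", protocol="udp")], "egress")   # accepted
    try:
        bind(EXAMPLE_ACL, "egress")                  # rejected: has a permit
    except ValueError as exc:
        print(exc)
```

Running the block shows the third packet (TCP to port 22) being dropped even though no rule names it: the list contains a permit rule, so the unmatched default is deny. Swap the list for one containing only deny rules and the same packet is accepted, which is the behaviour to keep in mind when an ACL is built entirely from deny entries, as an egress ACL on this switch must be.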