Motorola RFS Series Reference Manual page 335

Wireless LAN Switches WiNG System

6.5.1.2 Port ACLs
The switch supports Port ACLs on physical interfaces and inbound traffic only. The following Port ACLs are
supported:
• Standard IP ACL — Uses only the source IP address as matching criteria.
• Extended IP ACL — Uses the source IP address, destination IP address and IP protocol type as basic
matching criteria. It can also include parameters specific to the protocol type, such as the source and
destination ports for TCP/UDP.
• MAC Extended ACL — Uses the source and destination MAC addresses and the VLAN ID. It can optionally
also use Ethertype information.
Unlike Router ACLs, Port ACLs are not stateful: every packet is matched individually against the configured
ACL rules and the action of the matching rule is taken. When a Port ACL is applied to a trunk port, the ACL
filters traffic on all VLANs present on the trunk port. With Port ACLs, you can filter:
• IP traffic by using IP ACL
• Non-IP traffic by using MAC addresses.
Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC
ACL to the interface.
You cannot apply more than one IP ACL and one MAC ACL to a Layer 2 interface. If an IP ACL or MAC ACL is
already configured on a Layer 2 interface and a new IP ACL or MAC ACL is applied to the interface, the new
ACL replaces the previously configured one.
6.5.1.3 Wireless LAN ACLs
Wireless LAN ACLs filter/mark packets based on the wireless LAN from which they arrive rather than
filtering packets on Layer 2 ports.
In general, a Wireless-LAN ACL can be used to filter wireless to wireless, wireless to wired and wired to
wireless traffic. Typical wired to wired traffic can be filtered using a Layer 2 port based ACL rather than a
WLAN ACL.
Each WLAN is assumed to be a virtual Layer 2 port. Configure one IP and one MAC ACL on the virtual WLAN
port. In contrast to Layer 2 ACLs, a WLAN ACL can be enforced on both the Inbound and Outbound direction.
6.5.1.4 ACL Actions
Every ACE within an ACL is made up of an action and matching criteria. The action defines what to do with
the packet if it matches the specified criteria. The following actions are supported:
• deny — Instructs the ACL not to allow a packet to proceed to its destination.
• permit — Instructs the ACL to allow a packet to proceed to its destination.
• mark — Modifies certain fields inside the packet and then permits it. mark is therefore an action with
an implicit permit. The fields that can be marked are:
  • VLAN 802.1p priority.
  • TOS/DSCP bits in the IP header.
NOTE: A Permit All ACL is not supported when using NTP. If a Permit All ACL is used with
NTP, the client will not be able to synchronize with the NTP server.
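The Port ACL behaviour described in 6.5.1.2 and the ACL actions in 6.5.1.4, as an added illustrative model (this is example code written for this page, not the switch's implementation or its CLI): ACEs are matched statelessly in order, mark rewrites the packet and permits it, and an interface holds at most one IP ACL and one MAC ACL, a new one replacing the old. The ACE, L2Interface and evaluate names, the packet field names, and the implicit deny at the end of a list are assumptions for the model.

```python
# Added illustration, not Motorola's own code: a minimal model of the Port ACL
# semantics described above. Packets are plain dicts of header fields.
# Assumptions: an ACE list that matches nothing ends in an implicit deny, and
# traffic whose class (IP / non-IP) has no ACL configured is permitted.
from dataclasses import dataclass, field

@dataclass
class ACE:
    action: str                               # "permit", "deny" or "mark"
    match: dict                               # every listed field must be equal
    mark: dict = field(default_factory=dict)  # fields rewritten by "mark"

def evaluate(aces, pkt):
    """Match the packet against the ACEs in order; no state is kept."""
    for ace in aces:
        if all(pkt.get(k) == v for k, v in ace.match.items()):
            if ace.action == "mark":
                pkt.update(ace.mark)          # e.g. 802.1p or DSCP, then permit
                return "permit"
            return ace.action
    return "deny"                             # assumed implicit deny

class L2Interface:
    """One physical port; a trunk's ACL applies to every VLAN it carries."""
    def __init__(self):
        self.acls = {"ip": None, "mac": None}

    def apply(self, kind, aces):
        """At most one IP and one MAC ACL; a new one replaces the old one."""
        if kind not in self.acls:
            raise ValueError("ACL type must be 'ip' or 'mac'")
        self.acls[kind] = list(aces)

    def inbound(self, pkt):
        """Port ACLs are enforced on inbound traffic only."""
        kind = "ip" if "src_ip" in pkt else "mac"   # IP vs non-IP traffic
        aces = self.acls[kind]
        return "permit" if aces is None else evaluate(aces, pkt)

# Constructed sample: an extended IP ACL that drops telnet from one host,
# marks SSH with DSCP 46 and permits the rest; a MAC ACL keyed on Ethertype.
TRUNK = L2Interface()
TRUNK.apply("ip", [
    ACE("deny", {"src_ip": "10.0.0.5", "proto": "tcp", "dport": 23}),
    ACE("mark", {"proto": "tcp", "dport": 22}, mark={"dscp": 46}),
    ACE("permit", {}),
])
TRUNK.apply("mac", [ACE("deny", {"ethertype": 0x0806}), ACE("permit", {})])
```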
6-21
Switch Security

This manual is also suitable for: WS5100 3.3, RFS6000 3.3, RFS7000 1.3