Chapter 12
| Security Measures
Access Control Lists
Access Control Lists
Figure 185: Showing the SSH User's Public Key
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on
address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames
(based on address, DSCP traffic class, next header type, or any frames (based on
MAC address or Ethernet type). To filter incoming packets, first create an access list,
add the required rules, and then bind the list to a specific port.
Configuring Access Control Lists –
An ACL is a sequential list of permit or deny conditions that apply to IP addresses,
MAC addresses, or other more specific criteria. This switch tests ingress packets
against the conditions in an ACL one by one. A packet will be accepted as soon as it
matches a permit rule, or dropped as soon as it matches a deny rule. If no rules
match, the packet is accepted.
Command Usage
The following restrictions apply to ACLs:
◆
The maximum number of ACL rules per system is 384 rules.
◆
An ACL can have up to 64 rules for IPv4 ACLs, IPv6 ACLs, and ARP ACLs, and up
to 45 for MAC ACLs. However, due to resource restrictions, the average number
of rules bound to the ports should not exceed 20.
◆
The maximum number of rules (Access Control Entries, or ACEs) stated above is
the worst case scenario. In practice, the switch compresses the ACEs in TCAM (a
hardware table used to store ACEs), but the actual maximum number of ACEs
possible depends on too many factors to be precisely determined. It depends
on the amount of hardware resources reserved at runtime for this purpose.
– 290 –