Introduction To Acl Resource Bank - UTStarcom iSpirit 3026 Manual


11.1 Introduction to ACL resource bank

An ACL (Access Control List) resource bank is a collection of access rules. The resource bank itself has no forwarding function; it is only an ordered set of rules in which conflicts between rules are resolved by their order. Once an ACL resource bank is applied, it controls the forwarding of packets through the switch: packets are handled according to the configured "deny" and "permit" rules. ACLs can be applied to port access filtering, service access filtering and QoS.
The ACL resource bank contains standard IP rule groups (No. 1-199), extended IP rule groups (No. 200-399) and extended MAC rule groups (No. 400-599), 599 groups in total, and each group holds up to 128 rules. Within every group the rules are automatically ordered by priority so that conflicting rules are resolved.
When a packet passes through a port, the switch compares every field of every rule against the packet. If several rules match completely, the last matching rule is the one that takes effect, and it decides whether the packet is forwarded or dropped. A complete match means that every field value in the rule is exactly equal to the corresponding value in the packet; a rule's "deny" or "permit" action is applied only when the rule matches completely.
On the iSpirit 3026, the rules within a group are arranged automatically, which is fairly involved. Rules with a large range are placed at the front and rules with a small range at the end. The size of the range is determined by the restrictions in the rule: the fewer the restrictions, the larger the range, and the more restrictions, the smaller the range. Restrictions are expressed mainly by the "wildcard" of the address fields and by the number of non-address fields. A wildcard is a bit string of the same length as the address, 4 bytes for an IP address and 6 bytes for a MAC address. A "1" bit means that bit need not match; a "0" bit means that bit must match. The non-address fields are the VLAN ID, the protocol type, the IP protocol type and the protocol port; each carries an implicit wildcard whose length is the byte length of that field, so for the same field the length is always the same and only the fields themselves need to be counted. The more "0" bits a wildcard has, the more restrictions the rule imposes.
Port access filtering is used below as an example to show why rule ordering is necessary and what automatic ordering gains. Suppose the user wants to refuse forwarding of packets whose source address is in 192.168.0.0/16 but allow forwarding of packets whose source address is in 192.168.1.0/24. The following two rules can be configured:
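The automatic ordering and last-match semantics described above, worked through in Python as an added example (not from the manual or the switch's own software; the dotted-quad wildcard notation, the `Rule` class and the behaviour when no rule matches are assumptions):

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str    # "permit" or "deny"
    source: str    # dotted-quad source address
    wildcard: str  # dotted-quad wildcard: "1" bits are ignored, "0" bits must match

    def restrictions(self) -> int:
        # number of "0" bits in the wildcard: more zeros = more restrictive = smaller range
        ones = bin(int(ipaddress.IPv4Address(self.wildcard))).count("1")
        return 32 - ones

    def matches(self, addr: str) -> bool:
        # complete match: every bit the wildcard does not mask out must be equal
        a = int(ipaddress.IPv4Address(addr))
        s = int(ipaddress.IPv4Address(self.source))
        w = int(ipaddress.IPv4Address(self.wildcard))
        return (a | w) == (s | w)


def arrange(rules):
    # automatic ordering as the manual describes: largest range (fewest restrictions)
    # first, smallest range last; stable sort keeps equal-range rules in input order
    return sorted(rules, key=lambda r: r.restrictions())


def decide(rules, addr):
    # evaluate the arranged group; the last completely matched rule decides.
    # Returns None when nothing matches: the manual does not state a group default,
    # so that case is left to the caller (assumption).
    result = None
    for rule in arrange(rules):
        if rule.matches(addr):
            result = rule.action
    return result


# Constructed group for the worked example: deny 192.168.0.0/16, permit 192.168.1.0/24.
# Input order is deliberately "wrong" to show that arrange() fixes it.
GROUP = [
    Rule("permit", "192.168.1.0", "0.0.0.255"),    # /24, 24 restricted bits
    Rule("deny",   "192.168.0.0", "0.0.255.255"),  # /16, 16 restricted bits
]

if __name__ == "__main__":
    for ip in ("192.168.1.7", "192.168.2.7", "10.0.0.1"):
        print(ip, "->", decide(GROUP, ip))
```

Because the /16 deny rule is moved ahead of the /24 permit rule, the more specific permit is the last match for 192.168.1.x and wins, while the rest of 192.168.0.0/16 is denied.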
