Hardware ACL and Access Map Command Set - ADTRAN AOS Version R10.1.0 Command Reference Manual

HARDWARE ACL AND ACCESS MAP COMMAND SET
Hardware access control lists (ACLs) are access lists that function by comparing incoming frames to
specific criteria at the hardware level. These hardware ACLs function in the same way typical IP ACLs do
at the software level. The difference is that hardware ACLs filter incoming traffic through the switch chip
at wire speeds, rather than through software packet filtering processes.

It is beneficial to understand the basic functioning of ACLs in AOS before working with hardware ACLs.
All ACLs, whether hardware or software, by themselves do not perform any action. Rather, they are lists of
criteria to which all incoming frames are compared. These lists provide the methods for many of the
configurable filtering and security features of AOS to logically inspect each frame, compare it to the
criteria in the ACL, and behave accordingly.

ACLs list criteria for incoming frames that begin with either the keyword permit or deny. Permit
indicates that frames matching the specific criteria are selected and handled according to the configuration
of the AOS feature using the ACL. Deny indicates that frames matching the specific criteria are not
selected and are handled accordingly. Each ACL's criteria are compared to the frame in the order in which
they were entered. This means that the order of criteria for permitting or denying frames corresponds one to one
with the order in which the criteria were entered into the ACL's configuration. As frames come into the unit, they
are compared to the ACL criteria from top to bottom. If a frame does not match the criteria specified by
the first entry, then it is compared to the criteria in the next entry. When the frame is found to match an
entry's specified criteria, the frame is categorized as either permit or deny and the comparison of the
ACL entries stops immediately. At this point, the feature using the ACL takes the appropriate action.

There are many uses for ACLs, and many ways to configure ACLs. If you would like more information
about ACL basic configuration and uses in AOS, refer to the configuration guide Hardware ACLs in AOS
available online at https://supportforums.adtran.com (article number 3088). Specific commands for
configuring ACLs are also included in this guide in the section IPv4 Access Control List Command Set on
page 3126.

Hardware ACLs and Hardware Access Maps
Hardware ACLs can filter frames based either on IP information or on medium access control (MAC)
address information. IP hardware ACLs support filtering traffic on source and destination IP addresses,
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), and TCP or UDP port numbers.
MAC hardware ACLs filter traffic based on source and destination MAC addresses. All hardware ACLs
filter only the incoming traffic, comparing the traffic to the list of criteria cited in the ACL.

As with all ACLs, the hardware ACL by itself performs no action. In order for the hardware ACL to
function, a hardware access map must be created and applied to a virtual local area network (VLAN)
interface. Access maps are the feature that uses the ACL and performs the action on the incoming traffic.
Each access map can either forward or discard incoming frames acting on a single IP hardware ACL, a
single MAC hardware ACL, or both. When both an IP and a MAC hardware ACL are used by the access
map, the two ACLs are linked by AND logic. AND logic indicates to the access map that both ACLs must
conclude that the frame be forwarded for the access map to forward it. As with all other ACLs, the
information entered into the hardware ACLs is order dependent. The order in which criteria are listed in the
ACL configuration is the order in which the frames will be compared to the criteria.
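
The first-match evaluation and the AND logic between an IP and a MAC hardware ACL described above can be modeled in a few lines of Python. This is an added illustration, not ADTRAN code or AOS command syntax; the field names, the sample frame, and the treatment of a frame that matches no entry (not selected) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    verdict: str   # "permit" or "deny"
    match: dict    # field -> required value; a field left out matches anything

def field_matches(field, want, frame):
    have = frame.get(field)
    if field in ("src_ip", "dst_ip"):     # criterion is a prefix such as "192.0.2.0/24"
        return ipaddress.ip_address(have) in ipaddress.ip_network(want)
    return have == want                   # protocol, port numbers, MAC addresses

def evaluate_acl(entries, frame) -> str:
    """Top-to-bottom comparison; the first matching entry decides and ends the walk."""
    for entry in entries:
        if all(field_matches(f, v, frame) for f, v in entry.match.items()):
            return entry.verdict
    return "deny"   # assumption: a frame that matches no entry is not selected

def access_map(action, frame, ip_acl=None, mac_acl=None) -> Optional[str]:
    """Apply action ("forward" or "discard") only if every attached ACL permits."""
    acls = [a for a in (ip_acl, mac_acl) if a is not None]
    if acls and all(evaluate_acl(a, frame) == "permit" for a in acls):
        return action
    return None     # frame not selected: this map takes no action on it

# Constructed sample data (documentation prefixes, locally administered MACs).
FRAME = {"src_ip": "192.0.2.10", "dst_ip": "198.51.100.5", "protocol": "tcp",
         "dst_port": 23, "src_mac": "02:00:00:00:00:0a", "dst_mac": "02:00:00:00:00:01"}

SPECIFIC_FIRST = [Entry("deny", {"protocol": "tcp", "dst_port": 23}),
                  Entry("permit", {"src_ip": "192.0.2.0/24"})]
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))   # same criteria, opposite order
MAC_OK = [Entry("permit", {"src_mac": "02:00:00:00:00:0a"})]
MAC_OTHER = [Entry("permit", {"src_mac": "02:00:00:00:00:0b"})]

if __name__ == "__main__":
    # Same criteria, different order: the broad permit shadows the port 23 deny.
    print(evaluate_acl(SPECIFIC_FIRST, FRAME), evaluate_acl(BROAD_FIRST, FRAME))
    # AND logic: the map forwards only when both the IP and the MAC ACL permit.
    print(access_map("forward", FRAME, BROAD_FIRST, MAC_OK),
          access_map("forward", FRAME, BROAD_FIRST, MAC_OTHER))
```

When reviewing a hardware ACL, check for broad permit entries placed above narrower deny entries, since the narrower entry is never reached for frames the broad one already matched.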
60000CRG0-35E
Copyright © 2012 ADTRAN, Inc.
