Port Acls; Wireless Lan Acls; Acl Actions - Motorola RFS7000 Series System Reference Manual

6.5.1.2 Port ACLs

Port ACLs are supported on physical interfaces and filter inbound traffic only. The following Port ACLs are
supported:
• Standard IP ACL — Uses the source IP address as the matching criterion.
• Extended IP ACL — Uses the source IP address, destination IP address and IP protocol type as basic
matching criteria. It can also include parameters specific to the protocol type, such as the source and
destination ports for TCP/UDP.
• MAC Extended ACL — Uses the source and destination MAC addresses and the VLAN ID. It can optionally
also match on the Ethertype.
Unlike Router ACLs, Port ACLs are not stateful. Every packet is matched on its own against the configured
ACL rules, with no memory of earlier packets, and the action of the matching rule is applied. When a Port ACL
is applied to a trunk port, the ACL filters traffic on all VLANs carried by that trunk port. With Port ACLs,
you can filter:
• IP traffic by using an IP ACL
• Non-IP traffic by using a MAC ACL (matching on MAC addresses)
Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying one IP ACL and one MAC
ACL to the interface.
You cannot apply more than one IP ACL and one MAC ACL to a Layer 2 interface. If an IP ACL or MAC ACL is
already configured on a Layer 2 interface and a new IP ACL or MAC ACL is applied to the interface, the new
ACL replaces the previously configured one; the old ACL is not merged with it.

6.5.1.3 Wireless LAN ACLs

Wireless LAN ACLs filter or mark packets based on the wireless LAN on which they arrive, rather than on the
L2 port on which they arrive.
In general, a Wireless LAN ACL can be used to filter wireless-to-wireless, wireless-to-wired and
wired-to-wireless traffic. Wired-to-wired traffic is normally filtered with an L2 port-based ACL rather than a
WLAN ACL.
Each WLAN is treated as a virtual L2 port, and, as on a physical port, one IP ACL and one MAC ACL can be
configured on that virtual WLAN port.
In contrast to L2 Port ACLs, a WLAN ACL can be enforced in both the Inbound and the Outbound direction.

6.5.1.4 ACL Actions

Every ACE within an ACL is made up of an action and matching criteria. The action defines what to do with the
packet if it matches the specified criteria. The following actions are supported:
• deny — Instructs the ACL not to allow a matching packet to proceed to its destination.
• permit — Instructs the ACL to allow a matching packet to proceed to its destination.
• mark — Modifies certain fields inside a matching packet and then permits it. mark is therefore an action
with an implicit permit. The fields that can be marked are:
  • the VLAN 802.1p priority
  • the TOS/DSCP bits in the IP header
NOTE: A Permit All ACL is not supported when using NTP. If a Permit All ACL is used with NTP, the client
will not be able to synchronize with the NTP server.
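The ACL semantics described in 6.5.1.2 and 6.5.1.4 (ordered ACEs evaluated statelessly per packet; permit, deny and mark with its implicit permit; one IP plus one MAC ACL per port, with a new ACL replacing the old one) modelled as a small Python evaluator. This is an added example, not code from the RFS7000 or its manual. The packet field names, the Interface class, the implicit deny when no ACE matches, the permit when no ACL is applied to a port, and the sample traffic are all assumptions constructed for the illustration.

```python
# Added example (not from the RFS7000 manual): a model of port/WLAN ACL
# semantics -- ordered ACEs, stateless per-packet matching, permit/deny/mark,
# and the one-IP-plus-one-MAC-ACL-per-interface replacement rule.
# Packet field names, the Interface class, the implicit deny at the end of a
# list and the permit-when-no-ACL-is-applied behaviour are assumptions here.
from copy import deepcopy
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class IpAce:
    """One access control entry of a standard or extended IP ACL."""
    action: str                      # "permit", "deny" or "mark"
    src: str = "0.0.0.0/0"           # standard ACL: source address only
    dst: Optional[str] = None        # extended ACL adds dst, proto and ports
    proto: Optional[str] = None      # "tcp", "udp", "icmp", or None = any
    sport: Optional[int] = None
    dport: Optional[int] = None
    dscp: Optional[int] = None       # value written by "mark"
    dot1p: Optional[int] = None      # 802.1p priority written by "mark"

    def matches(self, pkt: dict) -> bool:
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class MacAce:
    """One entry of a MAC extended ACL: MACs, VLAN ID and optional Ethertype."""
    action: str
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    vlan: Optional[int] = None
    ethertype: Optional[int] = None
    dot1p: Optional[int] = None

    def matches(self, frame: dict) -> bool:
        wanted = [(self.src_mac, "src_mac"), (self.dst_mac, "dst_mac"),
                  (self.vlan, "vlan"), (self.ethertype, "ethertype")]
        return all(v is None or frame.get(k) == v for v, k in wanted)


def evaluate(acl: list, pkt: dict):
    """Stateless evaluation: the first matching ACE decides. No ACE matching
    means deny (an assumption of this model). Returns (verdict, packet)."""
    for ace in acl:
        if not ace.matches(pkt):
            continue
        if ace.action == "deny":
            return "deny", pkt
        out = deepcopy(pkt)
        if ace.action == "mark":   # rewrite the header fields, then permit
            if getattr(ace, "dscp", None) is not None:
                out["dscp"] = ace.dscp
            if ace.dot1p is not None:
                out["dot1p"] = ace.dot1p
        return "permit", out
    return "deny", pkt


class Interface:
    """A physical port or virtual WLAN port: at most one IP and one MAC ACL."""
    def __init__(self, name: str):
        self.name = name
        self.ip_acl: Optional[list] = None
        self.mac_acl: Optional[list] = None

    def apply_ip_acl(self, acl: list):
        self.ip_acl = acl          # a newly applied ACL replaces the old one

    def apply_mac_acl(self, acl: list):
        self.mac_acl = acl

    def filter(self, pkt: dict):
        # IP traffic is checked by the IP ACL, non-IP traffic by the MAC ACL
        acl = self.ip_acl if "src" in pkt else self.mac_acl
        if acl is None:            # no ACL applied: nothing is filtered
            return "permit", pkt
        return evaluate(acl, pkt)


def demo() -> dict:
    """Constructed sample ACLs and traffic for the illustration."""
    web_in = [
        IpAce("mark", src="10.1.0.0/16", dst="10.2.0.10/32", proto="tcp", dport=443, dscp=46),
        IpAce("permit", src="10.1.0.0/16", dst="10.2.0.10/32", proto="tcp", dport=80),
    ]
    port = Interface("ge1")
    port.apply_ip_acl([IpAce("permit")])   # permit-all
    port.apply_ip_acl(web_in)              # replaces the permit-all ACL
    port.apply_mac_acl([MacAce("deny", vlan=99), MacAce("permit")])
    https = {"src": "10.1.5.7", "dst": "10.2.0.10", "proto": "tcp", "sport": 51000, "dport": 443, "dscp": 0}
    reply = {"src": "10.2.0.10", "dst": "10.1.5.7", "proto": "tcp", "sport": 443, "dport": 51000, "dscp": 0}
    arp = {"src_mac": "00:11:22:33:44:55", "dst_mac": "ff:ff:ff:ff:ff:ff", "vlan": 10, "ethertype": 0x0806}
    return {"https": port.filter(https), "reply": port.filter(reply),
            "arp": port.filter(arp), "acl_count": len(port.ip_acl)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The reply packet is dropped even though the matching HTTPS request was marked and permitted: nothing in a Port ACL remembers the flow, so return traffic needs its own ACE on the interface where it arrives. The `acl_count` of 2 shows that applying `web_in` replaced the earlier permit-all ACL rather than merging with it.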
6-21
Switch Security