Standard ACL; Expanded ACL Technology - ZTE ZXR10 5900 Product Description

3.18.1 Standard ACL

A standard ACL filters only on L3 source IP addresses. In practice, most ACLs filter
only on source IP addresses, so grouping such ACLs into one category makes the network
easier for administrators to manage. For example, the network administrator allows
only users in Vlan5 and a couple of managers on other network segments to access the
Internet. Other users are not allowed to access resources outside the enterprise
network. One standard ACL can be created on the Router, with the following three
rules added:
Rule 1 permit 10.1.5.0 0.0.0.255
Rule 2 permit 10.1.6.66 0.0.0.0
Rule 3 deny any
With this ACL bound to the Vlan3 interface of the Router, only the employees of the
marketing department and the managers of the R&D department (IP address: 10.1.6.66)
will be able to access the Internet.

If a department does not have many employees, the network administrator can flexibly
enable Internet access for individual employees. Sometimes the network administrator
wants to prohibit R&D personnel from accessing the Internet during working hours but
allow them to access it during non-working hours. In this case, a time-based ACL can
be created. First, create a time range such as the following on the Router:
Time-range rd-internet 18:00-8:30, 12:00-14:00
Then, modify the above rules:
Rule 1 permit 10.1.5.0 0.0.0.255
Rule 2 permit 10.1.6.66 0.0.0.0
Rule 3 permit 10.1.6.0 0.0.0.255 time-range rd-internet
Rule 4 deny any
With this ACL bound to the Vlan3 interface of the Router, all the employees of the
marketing department and the managers of the R&D department (IP address: 10.1.6.66)
will be able to access the Internet at any time, but other employees of the R&D
department can only access the Internet during non-working hours.
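
The time-based rule set above can be checked offline with a small model of how a standard ACL is evaluated. This is an added example, not ZTE code or ZXR10 CLI syntax; the function names are hypothetical, and it assumes first-match evaluation, that a rule outside its time range is skipped, that a window's end time is exclusive, and that 18:00-8:30 wraps past midnight.

```python
import ipaddress
from datetime import time

# Time range from the page: rd-internet 18:00-8:30, 12:00-14:00
TIME_RANGES = {
    "rd-internet": [(time(18, 0), time(8, 30)), (time(12, 0), time(14, 0))],
}

# (action, address, wildcard mask, time-range name or None), in rule order.
# "any" is modelled as 0.0.0.0 with wildcard 255.255.255.255.
RULES = [
    ("permit", "10.1.5.0", "0.0.0.255", None),
    ("permit", "10.1.6.66", "0.0.0.0", None),
    ("permit", "10.1.6.0", "0.0.0.255", "rd-internet"),
    ("deny", "0.0.0.0", "255.255.255.255", None),
]

def wildcard_match(src, addr, wildcard):
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (
        int(ipaddress.IPv4Address(addr)) & care)

def in_range(now, name):
    """A window whose end is earlier than its start wraps past midnight."""
    for start, end in TIME_RANGES[name]:
        if start <= end:
            if start <= now < end:
                return True
        elif now >= start or now < end:
            return True
    return False

def evaluate(src, now, rules=RULES):
    """Return the action of the first active rule that matches src."""
    for action, addr, wildcard, time_range in rules:
        if time_range is not None and not in_range(now, time_range):
            continue  # assumption: a rule outside its time range is skipped
        if wildcard_match(src, addr, wildcard):
            return action
    return "deny"  # assumption: nothing matched, so the packet is dropped

if __name__ == "__main__":
    # Constructed sample hosts and times of day.
    for src, hhmm in [("10.1.5.20", (10, 0)), ("10.1.6.66", (10, 0)),
                      ("10.1.6.20", (10, 0)), ("10.1.6.20", (23, 0))]:
        print(src, "%02d:%02d" % hhmm, evaluate(src, time(*hhmm)))
```

Moving the time-ranged rule above the 10.1.6.66 host rule would not change the result for that host, but moving `deny any` above any permit would shadow it, which is why the catch-all stays last.
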
The limitation of the standard ACL is that it can only filter on source IP addresses.
If the network administrator wants to prohibit employees from accessing particular
websites or particular TCP ports on the Internet, the standard ACL cannot achieve this
and another type of ACL must be used.

3.18.2 Expanded ACL Technology

The expanded ACL filters on the header fields of IP, TCP, UDP, and ICMP. The IP
header fields include source IP address, destination IP address, protocol number,
ToS, Precedence, DSCP, and Fragmentation. The fields of TCP header
ZTE Confidential Proprietary
© 2010 ZTE Corporation. All rights reserved.
ZXR10 5900 5200 Product Description