L2 Acl - Zte ZXR10 5900 Product Description
ZXR10 5900 5200 Product Description
include source port, destination port and Established. The fields of the UDP header
include source port and destination port. The fields of the ICMP header include Type and
Code. The expanded ACL can meet more complicated requirements from the network
administrator and allows granular traffic classification by filtering on multiple fields of the
L3 and L4 packet headers.
For example, suppose the network administrator does not allow the employees of the marketing
department (10.1.5.0/24) to access the network resources of the financial department
(10.1.4.0/24). One expanded ACL can be created on the switch with the following rules:
Rule 1 deny ip 10.1.5.0 0.0.0.255 10.1.4.0 0.0.0.255
Rule 2 permit ip 10.1.5.0 0.0.0.255 any
With this ACL bound to the Vlan5 interface of the switch, the employees of the marketing
department are prevented from accessing the network resources of the financial department.
Rules are evaluated in order, so the more specific deny in Rule 1 must precede the general
permit in Rule 2; reversing them would permit all of the marketing department's traffic.
Another example: the employees of the R&D department (10.1.6.0/24) are not allowed to
access the internal servers (10.1.2.0/24) via Telnet. One expanded ACL can be created on the
switch with the following rules:
Rule 1 deny tcp 10.1.6.0 0.0.0.255 10.1.2.0 0.0.0.255 telnet
Rule 2 permit ip 10.1.6.0 0.0.0.255 any
With this ACL bound to the Vlan6 interface of the switch, the employees of the R&D
department are prevented from accessing the internal servers via Telnet. Note that the telnet
keyword matches TCP destination port 23 only; other protocols and ports towards the same
servers are still permitted by Rule 2. To prevent the employees of the R&D department from
accessing the internal servers via Telnet only during non-working hours, first create a time
range on the switch:
Time-range rd-telnet 18:00-8:30, 12:00-14:00
Then modify Rule 1 so that it is active only within that time range:
Rule 1 deny tcp 10.1.6.0 0.0.0.255 10.1.2.0 0.0.0.255 telnet time-range rd-telnet
Rule 2 permit ip 10.1.6.0 0.0.0.255 any
With the ACL above bound to the Vlan6 interface of the switch, the employees of the
R&D department are prevented from accessing the internal servers via Telnet during
non-working hours (18:00 to 8:30 overnight and 12:00 to 14:00); at other times the Telnet
traffic falls through to Rule 2 and is permitted.
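The two examples above are decided by three things: the wildcard mask (1-bits are "don't care"), first-match rule ordering with an implicit deny at the end, and whether the current time falls inside the named time range. The following evaluator is an added illustration and not ZTE's code; it parses the rules exactly as written above and applies those classic ACL semantics, which is an assumption about how the switch behaves. The packets, the clock values and the keyword-to-port table are constructed for the example.

```python
"""Added example (not ZTE's code): evaluate the expanded ACL rules quoted above
against constructed packets, using classic ACL semantics (assumed):
wildcard 1-bits are ignored, the first matching rule wins, unmatched traffic is denied."""

import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional

# Assumed keyword table: the page uses "telnet" as a port keyword.
WELL_KNOWN_PORTS = {"telnet": 23, "ssh": 22, "http": 80}


def parse_clock(hhmm: str) -> time:
    h, m = map(int, hhmm.split(":"))
    return time(h, m)


def parse_time_range(spec: str):
    """'18:00-8:30, 12:00-14:00' -> [(18:00, 08:30), (12:00, 14:00)]"""
    windows = []
    for part in spec.split(","):
        start, end = part.strip().split("-")
        windows.append((parse_clock(start), parse_clock(end)))
    return windows


def in_time_range(now: time, windows) -> bool:
    """A window whose end is earlier than its start (18:00-8:30) spans midnight."""
    for start, end in windows:
        if start <= end:
            if start <= now < end:
                return True
        elif now >= start or now < end:
            return True
    return False


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    dport: Optional[int] = None
    time_range: Optional[str] = None


def parse_rule(text: str) -> Rule:
    """Parse 'deny tcp 10.1.6.0 0.0.0.255 10.1.2.0 0.0.0.255 telnet time-range rd-telnet'."""
    tok = text.split()
    action, proto, i = tok[0], tok[1], 2

    def addr():
        nonlocal i
        if tok[i] == "any":            # 'any' == 0.0.0.0 with an all-ones wildcard
            i += 1
            return "0.0.0.0", "255.255.255.255"
        base, wild = tok[i], tok[i + 1]
        i += 2
        return base, wild

    src, src_wild = addr()
    dst, dst_wild = addr()
    dport, tr = None, None
    while i < len(tok):
        if tok[i] == "time-range":
            tr, i = tok[i + 1], i + 2
        else:
            dport, i = WELL_KNOWN_PORTS.get(tok[i]) or int(tok[i]), i + 1
    return Rule(action, proto, src, src_wild, dst, dst_wild, dport, tr)


def wildcard_match(addr: str, base: str, wild: str) -> bool:
    """Compare only the bits that are 0 in the wildcard mask."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(base))) & care == 0


def evaluate(acl, pkt: dict, time_ranges: dict, now: time) -> str:
    """First matching rule decides; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.proto != "ip" and rule.proto != pkt["proto"]:
            continue
        if not wildcard_match(pkt["src"], rule.src, rule.src_wild):
            continue
        if not wildcard_match(pkt["dst"], rule.dst, rule.dst_wild):
            continue
        if rule.dport is not None and pkt.get("dport") != rule.dport:
            continue
        if rule.time_range and not in_time_range(now, time_ranges[rule.time_range]):
            continue
        return rule.action
    return "deny"   # implicit deny (assumed default)


TIME_RANGES = {"rd-telnet": parse_time_range("18:00-8:30, 12:00-14:00")}
VLAN5_ACL = [parse_rule(r) for r in (
    "deny ip 10.1.5.0 0.0.0.255 10.1.4.0 0.0.0.255",
    "permit ip 10.1.5.0 0.0.0.255 any",
)]
VLAN6_ACL = [parse_rule(r) for r in (
    "deny tcp 10.1.6.0 0.0.0.255 10.1.2.0 0.0.0.255 telnet time-range rd-telnet",
    "permit ip 10.1.6.0 0.0.0.255 any",
)]


def check(acl, src, dst, proto="tcp", dport=None, now="10:00") -> str:
    """Constructed packet -> 'permit' or 'deny'."""
    pkt = {"src": src, "dst": dst, "proto": proto, "dport": dport}
    return evaluate(acl, pkt, TIME_RANGES, parse_clock(now))


if __name__ == "__main__":
    print(check(VLAN5_ACL, "10.1.5.20", "10.1.4.10"))                 # deny
    print(check(VLAN5_ACL, "10.1.5.20", "8.8.8.8"))                   # permit
    print(check(VLAN6_ACL, "10.1.6.7", "10.1.2.5", "tcp", 23, "20:00"))  # deny
    print(check(VLAN6_ACL, "10.1.6.7", "10.1.2.5", "tcp", 23, "10:00"))  # permit
    print(check(VLAN6_ACL, "10.1.6.7", "10.1.2.5", "tcp", 2323, "20:00"))  # permit
```

Two results worth noticing: Telnet to the servers on a non-standard port (2323) or over a protocol other than TCP is still permitted, because the deny matches only TCP port 23; and swapping the two rules of the Vlan5 ACL makes the deny unreachable, because Rule 2 already matches every marketing packet.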
The expanded ACL can also filter on fields of the IP header such as ToS, Precedence and
DSCP. Therefore this type of ACL is also used for QoS traffic classification, so that
different types of traffic receive different QoS assurances. QoS is described in detail in a
later chapter.
3.18.3 L2 ACL

An L2 ACL mainly filters on the fields of the L2 header, including source MAC,
destination MAC, Ethernet protocol type, VLAN tag and VLAN priority. L2 ACLs are
mainly used for access control within the same network segment. For cases where it is
26
© 2010 ZTE Corporation. All rights reserved.
ZTE Confidential Proprietary