Hybrid Acl Technology - Zte ZXR10 5900 Product Description

ZXR10 5900 5200 Product Description
not necessary to know the IP address, or a protocol other than IP is used, some network
resources can be protected by filtering on L2 MAC addresses and VLAN labels.
For example, on the network segment of the R&D department, some computers are
used for experiments and have no fixed IP addresses. The network administrator
only allows them to be used on the R&D department's network segment; they must not
use any other enterprise network resources. One L2 ACL can be created on the Switch,
with the following Rules added:
Rule 1 deny ip ingress 00d0.d0c1.12e3 0000.0000.0000 any
Rule 2 deny ip ingress 00d0.d0c1.12e4 0000.0000.0000 any
Rule 3 permit ip ingress any egress any
With the above ACL bound to the R&D access port of the Switch, the two experiment
hosts with the MAC addresses 00d0.d0c1.12e3 and 00d0.d0c1.12e4 can only be used on
the network segment of the R&D department; they cannot access any other enterprise
network resources.
An effective time range can also be defined for an L2 ACL, just as for a standard or expanded ACL.
The system allows up to 100 L2 ACLs to be created, and each ACL can hold as many
as 128 Rules.

3.18.4 Hybrid ACL technology

The hybrid ACL is capable of filtering on the packet headers of L2, L3 and L4. Fields for
filtering on L2 include the VLAN label, source MAC address and destination MAC address.
Fields for filtering on L3 include the source IP address, destination IP address and IP
protocol ID. Fields for filtering on L4 include the source port and destination port. The
hybrid ACL combines the characteristics of the expanded ACL and the L2 ACL. Filtering
on an IP address and a MAC address bound together can be used to implement further
controlled access to network resources.
For example, in the enterprise network the IP addresses of the internal servers cannot
be modified. There are three servers: 10.1.2.10 is open on Monday, Wednesday and
Friday each week, 10.1.2.12 is open on Tuesday, Thursday and Saturday each week,
and 10.1.2.14 is open every day. First, create two time ranges on the Switch:
Time-range server1 Monday, Wednesday, Friday
Time-range server2 Tuesday, Thursday, Saturday
One hybrid ACL can be created on the Switch, with the following Rules added:
Rule 1 permit ingress 00d0.d0c1.12fe 0000.0000.0000 egress any ip 10.1.2.10 0.0.0.0 any time-range server1
Rule 2 permit ingress 00d0.d0c1.12de 0000.0000.0000 egress any ip 10.1.2.12 0.0.0.0 any time-range server2
Rule 3 permit ingress 00d0.d0c1.12f5 0000.0000.0000 egress any ip 10.1.2.14 0.0.0.0 any
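To make the rule semantics concrete, the following added Python snippet (not from the ZTE documentation) parses the three hybrid rules above and evaluates a packet against them, showing how the MAC/IP binding and the time range interact. It assumes first-match order, an implicit deny when no rule matches, wildcard masks in which 1 bits are "don't care", and that the address following `ip` is the source IP; none of these conventions is stated on this page.

```python
# Time ranges as the page defines them (weekday sets).
TIME_RANGES = {
    "server1": {"Monday", "Wednesday", "Friday"},
    "server2": {"Tuesday", "Thursday", "Saturday"},
}
def _to_int(value):
    # IPv4 "10.1.2.10" or dotted-hex MAC "00d0.d0c1.12fe" -> integer.
    parts = value.split(".")
    return int.from_bytes(bytes(map(int, parts)), "big") if len(parts) == 4 else int("".join(parts), 16)

def _matches(actual, spec):
    # spec is None for "any", else (address, wildcard); wildcard 1 bits are "don't care" (assumed).
    return spec is None or (_to_int(actual) ^ _to_int(spec[0])) & ~_to_int(spec[1]) == 0
def _take_pair(tok, i):
    # Consume "any" or "<address> <wildcard>" starting at tok[i].
    return (None, i + 1) if tok[i] == "any" else ((tok[i], tok[i + 1]), i + 2)

def parse_rule(line):
    # Page syntax; assumed order: ingress = src MAC, egress = dst MAC, ip = src IP/wild then dst IP/wild.
    tok = line.split()
    rule, i = {"action": tok[2], "time_range": None}, 3
    while i < len(tok):
        if tok[i] == "ingress":
            rule["src_mac"], i = _take_pair(tok, i + 1)
        elif tok[i] == "egress":
            rule["dst_mac"], i = _take_pair(tok, i + 1)
        elif tok[i] == "ip":
            rule["src_ip"], i = _take_pair(tok, i + 1)
            rule["dst_ip"], i = _take_pair(tok, i)
        elif tok[i] == "time-range":
            rule["time_range"], i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {tok[i]!r}")
    return rule

def evaluate(rules, pkt, weekday):
    # First match wins; a rule outside its time range is skipped; no match -> implicit deny (assumption).
    for r in rules:
        if r["time_range"] and weekday not in TIME_RANGES[r["time_range"]]:
            continue
        if all(_matches(pkt[f], r.get(f)) for f in ("src_mac", "dst_mac", "src_ip", "dst_ip")):
            return r["action"]
    return "deny"

# The three hybrid rules from the page, verbatim.
RULES = [parse_rule(l) for l in (
    "Rule 1 permit ingress 00d0.d0c1.12fe 0000.0000.0000 egress any ip 10.1.2.10 0.0.0.0 any time-range server1",
    "Rule 2 permit ingress 00d0.d0c1.12de 0000.0000.0000 egress any ip 10.1.2.12 0.0.0.0 any time-range server2",
    "Rule 3 permit ingress 00d0.d0c1.12f5 0000.0000.0000 egress any ip 10.1.2.14 0.0.0.0 any",
)]
```

A frame from 00d0.d0c1.12fe with source IP 10.1.2.10 is permitted on Monday but denied on Tuesday, and the same MAC claiming 10.1.2.14 is denied on any day because the MAC/IP binding in Rule 3 does not match.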
ZTE Confidential Proprietary
© 2010 ZTE Corporation. All rights reserved.
27
