Attaching An Acl On A Wlan Interface/Port - Motorola WiNG 4.4 Reference Manual


6 - 18 WiNG 4.4 Switch System Reference Guide
6.4.1.4 ACL Actions
Every ACE within an ACL is made up of an action and matching criteria. The action defines what to do with a packet that
matches the specified criteria. The following actions are supported:
• deny—Instructs the ACL not to allow a packet to proceed to its destination.
• permit—Instructs the ACL to allow a packet to proceed to its destination.
• mark—Modifies certain fields inside the packet and then permits it. Therefore, mark is an action with an implicit
permit. The fields that can be marked are:
  • VLAN 802.1p priority.
  • TOS/DSCP bits in the IP header.
NOTE: A Permit All ACL is not supported when using NTP. If a Permit All ACL is used with
NTP, the client will not be able to synchronize with the NTP server.
NOTE: Only a Port ACL supports a mark action. With Router ACLs, a mark is treated as a
permit and the packet is allowed without modifications.
6.4.1.5 Precedence Order
The rules within an ACL are applied to packets in order of their precedence values. Every rule has a unique precedence
value between 1 and 5000; you cannot add two rules with the same precedence value.
Consider the following when adding rules:
• Every ACE in an ACL is associated with a precedence value that is unique within that ACL. This value can be between
1 and 5000, and no two ACEs in the same ACL can have the same precedence value.
• Specifying a precedence value with each ACL entry is not mandatory. If you do not specify one, the system
automatically generates a precedence value starting with 10. Subsequent entries are added with precedence values
of 20, 30 and so on; 10 is the default offset between any two rules in an ACL. If the user specifies a precedence
value with an entry, that value overrides the automatically generated one. The user can also add an entry in between
two existing entries (for example, in between 10 and 20).
• If an entry with the maximum precedence value of 5000 exists, you cannot add a new entry with a higher precedence
value. In such a case, the system displays the error "Rule with max precedence value exists". Either delete that entry
or add new entries with precedence values less than 5000. A user can add a maximum of 500 ACEs in an ACL.
• Rules within an ACL are displayed in ascending order of precedence.
NOTE: ACEs with lower precedence values are always applied to packets first. Therefore, it is
advised to give the more specific entries in the ACL lower precedence values than the general
ones: a general entry with a lower value matches first and hides every more specific entry
after it. When the ACL is displayed, the entries are listed in ascending order of precedence.
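The action and precedence rules described in 6.4.1.4 and 6.4.1.5, as an added example that is not part of the WiNG guide or the switch software: a small Python model of an ACL that auto-assigns precedence values (10, 20, 30 ...), rejects duplicate values and values above 5000, caps an ACL at 500 ACEs, evaluates ACEs in ascending precedence with the first match deciding, and treats mark as an implicit permit that rewrites fields only on a port ACL. The `Ace`/`Acl` names, the reduced matching criteria (protocol and destination port only) and the packet dictionary layout are assumptions of this example, not a WiNG API. The example also shows the failure mode the NOTE warns about: a general deny given a lower precedence value than a specific permit shadows it.

```python
"""ACL precedence simulator (added example, not Motorola WiNG code).

Models the ordering rules from 6.4.1.4 and 6.4.1.5. Matching criteria are
reduced to protocol and destination port; the class names and packet layout
are assumptions of this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

MAX_PRECEDENCE = 5000   # highest legal precedence value
MAX_ACES = 500          # maximum ACEs per ACL
DEFAULT_OFFSET = 10     # auto-assigned values are 10, 20, 30 ...


@dataclass
class Ace:
    action: str                       # "deny", "permit" or "mark"
    proto: Optional[str] = None       # None matches any protocol
    dport: Optional[int] = None       # None matches any destination port
    mark: Optional[dict] = None       # fields rewritten when action == "mark"

    def matches(self, pkt: dict) -> bool:
        return ((self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt["dport"]))


class Acl:
    def __init__(self, name: str, port_acl: bool = True):
        self.name = name
        self.port_acl = port_acl        # only port ACLs honour "mark"
        self.aces: dict[int, Ace] = {}  # precedence value -> ACE

    def add(self, ace: Ace, precedence: Optional[int] = None) -> int:
        """Insert an ACE and return the precedence value it was given."""
        if len(self.aces) >= MAX_ACES:
            raise ValueError(f"ACL {self.name} already holds {MAX_ACES} ACEs")
        if precedence is None:
            top = max(self.aces, default=0)
            if top >= MAX_PRECEDENCE:
                raise ValueError("Rule with max precedence value exists")
            # next multiple of DEFAULT_OFFSET above the current highest value
            precedence = min(MAX_PRECEDENCE,
                             (top // DEFAULT_OFFSET + 1) * DEFAULT_OFFSET)
        if not 1 <= precedence <= MAX_PRECEDENCE:
            raise ValueError(f"precedence must be 1..{MAX_PRECEDENCE}")
        if precedence in self.aces:
            raise ValueError(f"precedence {precedence} already in use")
        if ace.action not in ("deny", "permit", "mark"):
            raise ValueError(f"unknown action {ace.action!r}")
        self.aces[precedence] = ace
        return precedence

    def evaluate(self, pkt: dict) -> Optional[tuple[str, dict]]:
        """Apply ACEs in ascending precedence; the first match decides.

        Returns (effective_action, packet), or None when nothing matches
        (the guide excerpt does not state the default for unmatched packets).
        """
        for prec in sorted(self.aces):
            ace = self.aces[prec]
            if not ace.matches(pkt):
                continue
            if ace.action == "mark":
                # Port ACL: rewrite the marked fields, then permit.
                # Router ACL: mark is a plain permit with no modification.
                fields = ace.mark if self.port_acl and ace.mark else {}
                return "permit", {**pkt, **fields}
            return ace.action, dict(pkt)
        return None

    def show(self) -> list[str]:
        """Rules in ascending precedence, the order the switch displays them."""
        return [f"{p} {a.action} {a.proto or 'any'} "
                f"{'any' if a.dport is None else a.dport}"
                for p, a in sorted(self.aces.items())]


def build_example() -> Acl:
    """Constructed ACL: specific entries first, a catch-all deny last."""
    acl = Acl("web-guest")
    acl.add(Ace("permit", "tcp", 80))                                  # gets 10
    acl.add(Ace("deny"))                                               # gets 20
    acl.add(Ace("mark", "udp", 53, mark={"dscp": 46}), precedence=15)  # between them
    return acl


if __name__ == "__main__":
    acl = build_example()
    print("\n".join(acl.show()))
    print(acl.evaluate({"proto": "tcp", "dport": 80}))   # permit
    print(acl.evaluate({"proto": "udp", "dport": 53}))   # permit, DSCP rewritten
    print(acl.evaluate({"proto": "udp", "dport": 123}))  # deny
```

To see the shadowing problem, add the catch-all deny with an explicit low value such as 5: the specific permit at 10 is never reached, which is exactly why the guide says to give specific entries the lower values.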

6.4.2 Attaching an ACL on a WLAN Interface/Port

Use the Attach-WLAN tab to view and assign an ACL to a WLAN on the switch. If a MAC ACL is being attached, create
an ACL entry that allows ARP with the least precedence.
NOTE: WLAN based ACLs allow users to enforce rules/ACLs in both the inbound and
outbound directions, as opposed to Layer 2 ACLs, which support only the inbound direction.
NOTE: The number of ACL rules per AAP is <0-24>.