3Com WX2200 3CRWX220095A Switch User Manual

About Security Access Control Lists 379
The order in which ACEs are listed in an ACL is important. MSS applies
ACEs that are higher in the list before ACEs lower in the list. (See
“Modifying a Security ACL” on page 394.) An implicit “deny all” rule is
always processed as the last ACE of an ACL. If a packet matches no ACE
in the entire mapped ACL, the packet is rejected. If the ACL does not
contain at least one ACE that permits access, no traffic is allowed.
Plan your security ACL maps to ports, VLANs, virtual ports, and
Distributed MAPs so that only one security ACL filters a given flow of
packets. If more than one security ACL filters the same traffic, MSS
applies only the first ACL match and ignores any other matches. Security
ACLs that are mapped to users have precedence over ACLs mapped to
ports, VLANs, virtual ports, or Distributed MAPs.
You cannot perform ACL functions that include permitting, denying, or
marking with a Class of Service (CoS) level on packets with a multicast or
broadcast destination address.
Order in Which ACLs
are Applied to Traffic
MSS provides different scopes (levels of granularity) for ACLs. You can
apply an ACL to any of the following scopes:
Virtual port (physical ports plus specific VLAN tags)
Physical Port (network ports or Distributed MAPs)
MSS begins comparing traffic to ACLs in the order the scopes are listed
above. If an ACL is mapped to more than one of these scopes, the first
ACL that matches the packet is applied and MSS does not compare the
packet to any more ACLs. For example, if different ACLs are mapped to
both a user and a VLAN, and a user’s traffic can match both ACLs, only
the ACL mapped to the user is applied.
Traffic Direction
An ACL can be mapped at any scope to either the inbound traffic
direction or the outbound traffic direction. It is therefore possible for two
ACLs to be applied to the same traffic as it traverses the system: one ACL
is applied on the inbound direction and the other is applied on the
outbound direction. When you map an ACL to one of the scopes listed
above, you also specify the traffic direction to which the ACL applies.