Accton Technology ES4626 Switch User Manual

Chapter 9 ACL Configuration
9.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches. It
provides network traffic control by granting or denying access through the switch,
effectively safeguarding the security of the network. The user can lay down a set of rules
based on information carried in the packet; each rule describes the action for a packet
whose information matches: “permit” or “deny”. The user can apply such rules to the
incoming or outgoing direction of switch ports, so that traffic in the specified direction of
the specified ports must comply with the ACL rules assigned.
9.1.1 Access list
An access list is a sequential collection of conditions, each corresponding to a specific
rule. Each rule consists of filter information and the action taken when the rule is
matched. The information included in a rule is an effective combination of conditions
such as source IP, destination IP, IP protocol number and TCP port. Access lists can be
categorized by the following criteria:
• Filter information based criterion: IP access list (information of layer 3 and above),
MAC access list (layer 2 information), and MAC-IP access list (information of
layer 2 and above). The current implementation supports IP access lists only; the
other two functions will be provided later.
• Configuration complexity based criterion: standard and extended; extended
mode allows more specific filter information.
• Nomenclature based criterion: numbered and named.
A description of an ACL should cover the above three aspects.
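The following Python model is an added example, not code from this manual or from the ES4626 firmware, and it does not reproduce the switch CLI syntax. It shows the concepts of this subsection and of the access-group binding described in 9.1.2: rules are held in sequence, a standard list filters on source address only while an extended list may also match destination address, IP protocol and TCP port, and a list takes effect only once bound to a port in one direction. Two behaviours are assumptions of the model rather than statements of this section: the first matching rule decides the action, and a packet that matches no rule is denied (the implicit deny at the end of the list). All packets and interface names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical ACL model for illustration; not the ES4626 implementation.
# Assumptions: rules are evaluated top to bottom, first match wins, and a packet
# matching no rule is denied (implicit deny).


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    src: ipaddress.IPv4Network                    # source prefix (standard and extended)
    dst: Optional[ipaddress.IPv4Network] = None   # destination prefix (extended only)
    protocol: Optional[str] = None                # "tcp", "udp", "icmp"; None = any IP
    dst_port: Optional[int] = None                # TCP/UDP destination port (extended only)

    def matches(self, pkt: dict) -> bool:
        """Every condition set on the rule must hold for the packet."""
        if ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt["dst"]) not in self.dst:
            return False
        if self.protocol is not None and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass
class AccessList:
    name: str
    extended: bool                                # False = standard (source-only) list
    rules: list = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        # A standard list carries only source-address conditions.
        if not self.extended and (rule.dst is not None or rule.protocol or rule.dst_port):
            raise ValueError("standard access lists filter on source address only")
        self.rules.append(rule)

    def evaluate(self, pkt: dict):
        """Return (action, index of matching rule); None index means implicit deny."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return rule.action, idx
        return "deny", None


class Switch:
    """Holds access lists and the access-group bindings (port, direction) -> list."""

    def __init__(self) -> None:
        self.acls = {}
        self.groups = {}

    def define(self, acl: AccessList) -> None:
        self.acls[acl.name] = acl

    def access_group(self, port: str, direction: str, acl_name: str) -> None:
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        if acl_name not in self.acls:
            raise KeyError(acl_name)
        self.groups[(port, direction)] = acl_name

    def filter(self, port: str, direction: str, pkt: dict):
        """Return (action, bound list name, matched rule index) for a packet."""
        name = self.groups.get((port, direction))
        if name is None:                          # no access-group: traffic is not filtered
            return "permit", None, None
        action, idx = self.acls[name].evaluate(pkt)
        return action, name, idx


def run_demo():
    """Build a switch with one extended and one standard list and filter sample packets."""
    sw = Switch()
    ext = AccessList("block-telnet", extended=True)
    # Specific deny placed before the broader permit so that it is reached first.
    ext.add(Rule("deny", ipaddress.ip_network("0.0.0.0/0"),
                 ipaddress.ip_network("10.0.0.0/24"), "tcp", 23))
    ext.add(Rule("permit", ipaddress.ip_network("10.0.0.0/8")))
    std = AccessList("mgmt-only", extended=False)
    std.add(Rule("permit", ipaddress.ip_network("192.168.1.0/24")))
    sw.define(ext)
    sw.define(std)
    sw.access_group("Ethernet1/1", "in", "block-telnet")   # constructed port names
    sw.access_group("Ethernet1/2", "in", "mgmt-only")
    samples = [  # constructed packets: (port, direction, packet)
        ("Ethernet1/1", "in", {"src": "10.1.1.5", "dst": "10.0.0.9", "protocol": "tcp", "dst_port": 23}),
        ("Ethernet1/1", "in", {"src": "10.1.1.5", "dst": "10.0.0.9", "protocol": "tcp", "dst_port": 22}),
        ("Ethernet1/1", "in", {"src": "172.16.0.4", "dst": "10.0.0.9", "protocol": "tcp", "dst_port": 22}),
        ("Ethernet1/2", "in", {"src": "192.168.1.20", "dst": "10.0.0.9", "protocol": "tcp", "dst_port": 22}),
        ("Ethernet1/2", "in", {"src": "192.168.2.20", "dst": "10.0.0.9", "protocol": "tcp", "dst_port": 22}),
        ("Ethernet1/2", "out", {"src": "192.168.2.20", "dst": "10.0.0.9", "protocol": "tcp", "dst_port": 22}),
    ]
    return [sw.filter(port, direction, pkt) for port, direction, pkt in samples]


def standard_list_rejects_extended_fields() -> bool:
    """A standard list refuses a rule that carries extended (non-source) conditions."""
    std = AccessList("src-only", extended=False)
    try:
        std.add(Rule("permit", ipaddress.ip_network("10.0.0.0/8"), protocol="tcp"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The order of the two rules in `block-telnet` is the point to notice: because evaluation stops at the first match, the narrow deny has to precede the broad permit, otherwise the permit would swallow the Telnet traffic the list was meant to stop. The last sample shows that a list bound only in the "in" direction has no effect on outbound traffic on the same port.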
9.1.2 Access-group
When a set of access lists has been created, they can be applied to traffic in either direction
on all ports. An access-group is the description of the binding of an access list to a
specified direction on a specific port. When an access-group is created, all packets passing
through the port in the specified direction will be compared to the access list rules to