HP (Hewlett-Packard) 3400CL-24G Switch User Manual


 
Enhancements
Release M.10.02 Enhancements
Terminology
ACE: See Access Control Entry, below.
Access Control Entry (ACE): An ACE is a policy consisting of a packet-handling action and criteria
to define the packets on which to apply the action. For RADIUS-based ACLs, the elements
composing the ACE include:
• permit or drop (action)
• in < ip-packet-type > from any (source)
• to < ip-address [/ mask ] | any > (destination)
• [ port-# ] (optional TCP or UDP application port numbers used when the packet type is TCP or UDP)
• [ cnt ] (optional counter that increments when there is a packet match)
ACL: See Access Control List, below.
Access Control List (ACL): A list (or set) consisting of one or more explicitly configured Access
Control Entries (ACEs) and terminating with an implicit “deny” default which drops any packets
that do not have a match with any explicit ACE in the named ACL.
ACL Mask: Follows a destination IP address listed in an ACE. Defines which bits in a packet’s
corresponding IP addressing must exactly match the IP addressing in the ACE, and which bits
need not match (wildcards).
DA: The acronym for Destination IP Address. In an IP packet, this is the destination IP address
carried in the header, and identifies the destination intended by the packet’s originator.
Deny: An ACE configured with this action causes the switch to drop a packet for which there is a
match within an applicable ACL.
Deny Any Any: An abbreviated form of deny in ip from any to any, which denies any inbound IP traffic
from any source to any destination.
Extended ACL: This type of Access Control List uses layer-3 IP criteria composed of source and
destination IP addresses and (optionally) TCP or UDP port criteria to determine whether there
is a match with an IP packet. On the 3400cl switches, the source IP address is always defined as
“any”, and extended ACLs apply only to inbound bridged or routed traffic. For a RADIUS-based,
extended ACL assigned to a port, only the inbound traffic from the client whose authentication
caused the ACL assignment is filtered. Inbound traffic from any other sources is denied.
Implicit Deny: If the switch finds no matches between an inbound packet and the configured criteria
in an applicable ACL, then the switch denies (drops) the packet with an implicit “deny IP any/any” operation. You can preempt the implicit “deny IP any/any” in a given ACL by configuring
permit in ip from any to any as the last explicit ACE in the ACL. Doing so permits any inbound IP
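The following is an added example, not code from the HP manual or from the switch firmware, that models the ACE elements listed above (action, packet type, "from any", destination with mask, optional port, optional cnt) and the first-match evaluation with the implicit "deny IP any/any" described under Implicit Deny. It assumes the destination mask is written as a CIDR prefix length (for example 10.10.10.0/24); the exact mask notation accepted by the switch is not stated on this page. The ACL text and the packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ACE:
    """One Access Control Entry in the RADIUS-based form described in the manual."""
    action: str                              # "permit" or "deny" ("drop" is normalised to "deny")
    proto: str                               # ip-packet-type: "ip", "tcp", "udp", "icmp", ...
    dst: Optional[ipaddress.IPv4Network]     # None stands for the "any" destination
    port: Optional[int] = None               # optional TCP/UDP application port
    count: bool = False                      # "cnt": count packets that match this ACE
    hits: int = 0                            # the counter itself


def parse_ace(text: str) -> ACE:
    """Parse e.g. 'permit in tcp from any to 10.10.10.0/24 80 cnt'.
    Assumption: the mask after the destination is a CIDR prefix length."""
    toks = text.split()
    if len(toks) < 7 or toks[1] != "in" or toks[3:6] != ["from", "any", "to"]:
        raise ValueError(f"malformed ACE: {text!r}")
    action = toks[0].lower()
    if action == "drop":                     # the manual uses both "drop" and "deny"
        action = "deny"
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in ACE: {text!r}")
    proto = toks[2].lower()
    dst = None if toks[6].lower() == "any" else ipaddress.ip_network(toks[6], strict=False)
    port, count = None, False
    for tok in toks[7:]:
        if tok.lower() == "cnt":
            count = True
        elif tok.isdigit() and proto in ("tcp", "udp"):   # port only meaningful for TCP/UDP
            port = int(tok)
        else:
            raise ValueError(f"unexpected token {tok!r} in ACE: {text!r}")
    return ACE(action, proto, dst, port, count)


def build_acl(lines: List[str]) -> List[ACE]:
    """An ACL is the ordered list of explicit ACEs; the implicit deny is applied in evaluate()."""
    return [parse_ace(line) for line in lines]


def wildcard_mask(ace: ACE) -> str:
    """The ACL mask expressed as wildcard bits: a 1-bit means that bit of the
    packet's destination address need not match the address in the ACE."""
    return "255.255.255.255" if ace.dst is None else str(ace.dst.hostmask)


def evaluate(acl: List[ACE], proto: str, dst_ip: str, dst_port: Optional[int] = None) -> str:
    """First-match evaluation of one inbound packet. Returns "permit" or "deny".
    If no explicit ACE matches, the implicit 'deny in ip from any to any' drops it."""
    addr = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto.lower():   # "ip" matches any IP packet type
            continue
        if ace.dst is not None and addr not in ace.dst:        # masked DA comparison
            continue
        if ace.port is not None and ace.port != dst_port:
            continue
        if ace.count:
            ace.hits += 1
        return ace.action
    return "deny"                                              # implicit deny IP any/any


# Constructed sample ACL, as it might be returned by a RADIUS server for one client.
SAMPLE_ACL_TEXT = [
    "permit in tcp from any to 10.10.10.0/24 80 cnt",
    "permit in udp from any to 10.10.20.5 53",
    "deny in ip from any to 10.10.30.0/24",
]

if __name__ == "__main__":
    acl = build_acl(SAMPLE_ACL_TEXT)
    for proto, ip, port in [("tcp", "10.10.10.7", 80), ("tcp", "10.10.10.7", 443),
                            ("udp", "10.10.20.5", 53), ("icmp", "10.10.10.7", None)]:
        print(f"{proto:5} -> {ip}:{port}  {evaluate(acl, proto, ip, port)}")
    for ace in acl:
        print(f"ACE dst={ace.dst or 'any'} wildcard={wildcard_mask(ace)} hits={ace.hits}")
```

Appending `permit in ip from any to any` as the last line of `SAMPLE_ACL_TEXT` shows the preemption the manual describes: packets that reach the end of the explicit list are then permitted instead of dropped, while the explicit `deny` for 10.10.30.0/24 still applies because it matches first.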