ZyXEL Communications ES-3124-4F Switch User Manual
ES-3100 Series Switch Support Notes
All contents copyright (c) 2006 ZyXEL Communications Corporation.
ACL Scenario
How should I configure the Switch so that only a certain IP address on a certain port
is allowed to forward its traffic, while all other traffic on that port is denied?
First, we set up classifiers to group traffic into data flows based on criteria such as
source address, destination address, port number and packet format. In this example the
classifiers specify the packets to which the Switch applies its policy rules. We define
three classifiers. The first matches traffic arriving on port 2 whose source address is
172.23.3.120; the second matches all traffic arriving on port 2; the third matches ARP.
After classification, we define policy rules so that each flow receives the intended
treatment in the network. Here, too, we define three policy rules. The first policy rule,
applied to the first classifier, forwards (does not drop the matching frame previously
marked for dropping) only the traffic from port 2 with the IP address 172.23.3.120. The
second policy rule, applied to the second classifier, discards all traffic from port 2.
Finally, do not forget to apply a forward policy rule (do not drop the matching frame
previously marked for dropping) to the last classifier: ARP frames carry no IP header, so
they do not match the first classifier and would otherwise be discarded by the second
policy rule.
The logic is as follows. Because the first rule has a higher weight (layer 3 versus
layer 2) than the second and third rules, its action overrides the actions of the other
rules even though the second rule says "drop all from port 2". Therefore all other
traffic from port 2 is dropped, but traffic arriving on port 2 from 172.23.3.120 is
forwarded.
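To make the precedence logic concrete, here is an added Python model of the three classifiers and their policy actions evaluated against sample frames; it is illustration written for this note, not ZyXEL code or switch CLI syntax, and the numeric weights, the tie-break order and the default action for unmatched frames are assumptions stated in the docstring.

```python
"""Model of the classifier/policy-rule evaluation in this ACL scenario.

Added illustration for this page, not ZyXEL code or CLI syntax. Assumptions the
manual does not state: a layer-3 classifier gets weight 3, a layer-2 classifier
weight 2; a frame matching no classifier keeps default forwarding; and because
"forward" is defined as "do not drop the matching frame previously marked for
dropping", a forward rule is applied after a discard rule of equal weight.
"""
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Frame:
    port: int                   # ingress port
    ethertype: str              # "ip" or "arp"
    src_ip: Optional[str] = None

@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[Frame], bool]   # the classifier
    action: str                      # the policy: "forward" or "discard"
    weight: int                      # 3 = layer-3 classifier, 2 = layer-2

# The three classifier/policy pairs from the scenario.
RULES = [
    Rule("port2-from-172.23.3.120",
         lambda f: f.port == 2 and f.ethertype == "ip" and f.src_ip == "172.23.3.120",
         "forward", weight=3),
    Rule("port2-all", lambda f: f.port == 2, "discard", weight=2),
    Rule("arp", lambda f: f.ethertype == "arp", "forward", weight=2),
]

def decide(frame: Frame, rules=RULES) -> str:
    """Apply matching rules from lowest to highest weight: a discard marks the
    frame for dropping, a forward clears the mark, so the heaviest rule wins."""
    order = sorted((r for r in rules if r.match(frame)),
                   key=lambda r: (r.weight, r.action == "forward"))
    drop = False
    for rule in order:
        drop = rule.action == "discard"
    return "discard" if drop else "forward"

if __name__ == "__main__":
    # Constructed sample frames: permitted host, other host, ARP, and another port.
    for frame in (Frame(2, "ip", "172.23.3.120"), Frame(2, "ip", "10.0.0.9"),
                  Frame(2, "arp"), Frame(3, "ip", "10.0.0.9")):
        print(f"{frame} -> {decide(frame)}")
```

Dropping the ARP rule from RULES and re-running shows the failure mode the note warns about: the ARP frame from port 2 is then discarded.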