Foundry NetIron M2404C and M2404F Metro Access Switches
Configuring ACLs (Rev. 03)
Overview
© 2008 Foundry Networks, Inc
Page 3 of 50
The application software provides Access Control Lists (ACLs) to filter the packets that pass through a device. ACLs filter network traffic by controlling whether packets are forwarded or blocked at the interfaces. ACLs can also forward or block traffic in VLANs. The device examines each packet and, based on the criteria specified within the ACL, determines whether to forward or drop it.
There are many reasons to configure ACLs. Among these reasons are:
Security - One of the most important roles of ACLs is to provide security for the network. The user should use ACLs to provide a basic level of security for accessing the network. If the user does not configure ACLs, all packets passing through the device could be allowed to all parts of the network. The user can configure ACLs on the device to control access to a network.
In addition to filtering by IP address, the user can also use ACLs to control the flow of different types of traffic through interfaces or VLANs. For example, the user can permit FTP traffic to be routed while at the same time blocking all Telnet traffic.
Traffic Control - The user can use ACLs to provide traffic flow control. Packet filtering helps control packet movement through the network. Such control can help limit network traffic and restrict network use by certain users or devices. To permit or deny packets from crossing specified interfaces or VLANs, use an ACL.
Traffic Rate Limitation - ACLs can also allow the user to control the traffic rate according to any of the ACL criteria the user chooses. The ability to control the rate (per VLAN or per interface) with an ACL provides a combination of security and rate control in the same configuration.
Quality of Service (QoS) - ACLs can be used to assign packet-handling priority to a data flow. The flow can be sorted into eight priority queues based on the ACL criteria. The user can also use ACLs to re-mark ToS/DSCP values by specifying a new ToS/DSCP value, which is set in the IP header of the packet before it is passed on toward its destination.
The two steps involved in using an ACL are:
1. Create an ACL by specifying a list of access conditions with the access-list command in Global Configuration mode.
2. Apply the ACL to selected interfaces or VLANs. The user can apply several ACLs to a single interface or VLAN. To apply an ACL to an interface, use the ip access-group command in Interface Configuration mode. To apply an ACL to a VLAN, use the ip access-group command in Specific VLAN Configuration mode.
Creating Access Control Lists (ACLs)
An ACL consists of packet-filtering permit or deny conditions. Each condition statement defines a line in the ACL. Condition statements are associated with a specific ACL by specifying the ACL number when the condition is defined.
New condition statements are placed after any existing conditions, at the end of the list. The user
cannot selectively add or remove condition lines from the middle of an ACL.
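The two-step procedure (create conditions with access-list, apply with ip access-group) and the append-only ordering of condition lines, modelled as an added Python example that is not Foundry code. It assumes the usual first-match evaluation with an implicit deny when no condition matches, and uses constructed sample addresses and interface names.

```python
import ipaddress

# Added example (not Foundry code): a model of a standard IP ACL, which
# matches on source IP only. Assumed semantics: first matching condition
# wins, and a packet matching no condition is denied.

class StandardAcl:
    def __init__(self, number):
        self.number = number
        self.conditions = []  # ordered (action, network) pairs

    def add(self, action, source):
        """Mirror 'access-list <n> permit|deny <source>': a new condition
        is always appended after the existing ones, never inserted."""
        assert action in ("permit", "deny")
        self.conditions.append((action, ipaddress.ip_network(source)))

    def evaluate(self, src_ip):
        """Walk the list in order; fall through to the implicit deny."""
        ip = ipaddress.ip_address(src_ip)
        for action, net in self.conditions:
            if ip in net:
                return action
        return "deny"  # implicit deny at the end of every ACL (assumed)

    def shadowed(self):
        """Indexes of conditions that can never match because an earlier
        condition already covers their whole address range. Since lines
        cannot be inserted in the middle, such a line must be re-ordered
        by rebuilding the ACL, not by appending more lines."""
        return [i for i, (_, net) in enumerate(self.conditions)
                if any(net.subnet_of(prev)
                       for _, prev in self.conditions[:i])]


class Interface:
    """Mirror 'ip access-group <n>' in Interface Configuration mode."""
    def __init__(self, name):
        self.name, self.acl = name, None

    def apply(self, acl):
        self.acl = acl

    def forward(self, src_ip):
        return self.acl is None or self.acl.evaluate(src_ip) == "permit"


def build_example():
    acl = StandardAcl(10)               # step 1: create the ACL
    acl.add("deny", "10.1.1.0/24")      # constructed: block one subnet
    acl.add("permit", "10.0.0.0/8")     # constructed: allow the rest
    eth1 = Interface("ethernet 1/1")    # step 2: apply it to an interface
    eth1.apply(acl)
    return acl, eth1
```

Reversing the order of the two constructed lines (permit first, deny second) leaves the deny shadowed, which `shadowed()` reports as a check before the list is applied.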
ACL condition statements can check the packet source IP address, destination IP address, upper-
layer protocol and other information. The application software supports several types of ACLs:
• Standard IP ACLs use the source IP address for matching operations.