Switch Security 6 - 17
• MAC Extended ACL — Uses source and destination MAC addresses and VLAN ID. It can optionally also use Ethertype information.
Port ACLs are also stateful and are not applied on every packet switched through the switch. Whenever a packet is
received inbound, it is examined against existing sessions to determine if it belongs to an established session. ACLs are
applied on the packet in the following manner:
1. If the packet matches an existing session, it is not matched against ACL rules and the session decides where to send
the packet.
2. If no existing sessions match the packet, it is matched against ACL rules to determine whether to accept or reject it. If
ACL rules accept the packet, a new session is created and all further packets belonging to that session are allowed. If
ACL rules reject the packet, no session is established.
A session is based on:
• Source IP address
• Destination IP address
• Source Port
• Destination Port
• ICMP identifier
• Incoming interface index
• IP Protocol
• Source MAC
• Destination MAC
• Ethertype
• VLAN-ID
• 802.1p bits
When a Port ACL is applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk port. With Port ACLs,
you can filter:
• IP traffic by using an IP ACL
• Non-IP traffic by using a MAC ACL
Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the
interface.
You cannot apply more than one IP ACL and one MAC ACL to a Layer 2 interface. If an IP ACL or MAC ACL is already
configured on a Layer 2 interface and a new IP ACL or MAC ACL is applied to the interface, the new ACL replaces the
previously configured one.
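The session behaviour and the one-IP-ACL-plus-one-MAC-ACL rule described above can be made concrete with a small simulation. The following is an added example written for this page, not Motorola's code and not the WiNG implementation: the packet fields, class names and the implicit deny at the end of a rule list are assumptions chosen to mirror the text, and the ICMP identifier is carried in the source-port slot.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed packet model for the simulation (field names are assumptions).
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp", "icmp", or "" for non-IP frames
    src_port: int       # for ICMP this slot carries the ICMP identifier
    dst_port: int
    iif: int            # incoming interface index
    src_mac: str
    dst_mac: str
    ethertype: int      # 0x0800 = IPv4, 0x0806 = ARP
    vlan: int
    pcp: int = 0        # 802.1p priority bits

@dataclass(frozen=True)
class Rule:
    """One ACL rule. A None field is a wildcard; kind is 'ip' or 'mac'."""
    action: str                      # "permit" or "deny"
    kind: str = "ip"
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    vlan: Optional[int] = None
    ethertype: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        wanted = (self.proto, self.src_ip, self.dst_ip, self.dst_port,
                  self.src_mac, self.dst_mac, self.vlan, self.ethertype)
        actual = (p.proto, p.src_ip, p.dst_ip, p.dst_port,
                  p.src_mac, p.dst_mac, p.vlan, p.ethertype)
        return all(w is None or w == a for w, a in zip(wanted, actual))

def session_key(p: Packet) -> Tuple:
    """The fields the guide lists as defining a session."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.iif, p.proto,
            p.src_mac, p.dst_mac, p.ethertype, p.vlan, p.pcp)

class StatefulPortAcl:
    """Stateful Port ACL: only the first packet of a flow is matched against
    the rules; later packets of an accepted flow ride the session."""
    def __init__(self, rules: List[Rule], kind: str = "ip"):
        self.kind = kind
        self.rules = [r for r in rules if r.kind == kind]
        self.sessions: set = set()

    def evaluate(self, p: Packet) -> str:
        key = session_key(p)
        if key in self.sessions:
            return "session"            # existing session decides, rules skipped
        for rule in self.rules:          # first matching rule wins
            if rule.matches(p):
                if rule.action == "permit":
                    self.sessions.add(key)   # accepted: session created
                    return "permit"
                return "deny"                # rejected: no session established
        return "deny"   # assumption: implicit deny when no rule matches

class Layer2Interface:
    """Holds at most one IP ACL and one MAC ACL; applying a new ACL of a
    given type replaces the previously configured one."""
    def __init__(self, name: str):
        self.name = name
        self.acls: Dict[str, StatefulPortAcl] = {}

    def apply(self, acl: StatefulPortAcl) -> Optional[StatefulPortAcl]:
        replaced = self.acls.get(acl.kind)
        self.acls[acl.kind] = acl
        return replaced                      # the ACL that was displaced, if any

    def inbound(self, p: Packet) -> str:
        # IP traffic goes to the IP ACL, non-IP traffic to the MAC ACL.
        kind = "ip" if p.ethertype == 0x0800 else "mac"
        acl = self.acls.get(kind)
        return "permit" if acl is None else acl.evaluate(p)   # assumption: no ACL = unfiltered

def demo() -> List[str]:
    rules = [Rule("permit", proto="tcp", dst_port=443),
             Rule("deny", proto="tcp"),
             Rule("permit", kind="mac", ethertype=0x0806)]
    ge1 = Layer2Interface("ge1")
    ge1.apply(StatefulPortAcl(rules, "ip"))
    ge1.apply(StatefulPortAcl(rules, "mac"))
    smac, dmac = "00:11:22:33:44:55", "66:77:88:99:aa:bb"      # constructed
    https = Packet("10.0.0.5", "192.0.2.10", "tcp", 50123, 443, 1, smac, dmac, 0x0800, 10)
    telnet = Packet("10.0.0.5", "192.0.2.10", "tcp", 50124, 23, 1, smac, dmac, 0x0800, 10)
    arp = Packet("", "", "", 0, 0, 1, smac, "ff:ff:ff:ff:ff:ff", 0x0806, 10)
    return [ge1.inbound(https), ge1.inbound(https), ge1.inbound(telnet), ge1.inbound(arp)]
```

Calling `demo()` returns `["permit", "session", "deny", "permit"]`: the first HTTPS packet is permitted by rule and opens a session, the second is passed on the session without touching the rules, the Telnet packet is denied and creates no session, and the ARP frame is handled by the MAC ACL. A second `apply()` of an IP ACL returns the displaced one, which also discards its sessions, so a practitioner should expect established flows to be re-evaluated after an ACL swap.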
6.4.1.3 Wireless LAN ACLs
Wireless LAN ACLs filter/mark packets based on the wireless LAN from which they arrive rather than filtering packets on
Layer 2 ports.
In general, a Wireless-LAN ACL can be used to filter wireless to wireless, wireless to wired and wired to wireless traffic.
Typical wired to wired traffic can be filtered using a Layer 2 port based ACL rather than a WLAN ACL.
Each WLAN is treated as a virtual Layer 2 port. Configure one IP ACL and one MAC ACL on the virtual WLAN port. In
contrast to Layer 2 port ACLs, a WLAN ACL can be enforced in both the inbound and outbound directions.