General Security Measures
CLI – This example adds Filter ID 22 and configures it to block traffic from MAC address 11-22-33-44-55-66.
Access Control Lists
Access Control Lists (ACLs) provide packet filtering for IPv4 frames (based on
address, protocol, Layer 4 protocol port number, or TCP control code), IPv6 frames
(based on address, next header type, or flow label), or any frames (based on MAC
address or Ethernet type). To filter incoming packets, first create an access list, add
the required rules, and then bind the list to a specific port.
Configuring Access Control Lists –
An ACL is a sequential list of permit or deny conditions that apply to IP addresses,
MAC addresses, or other more specific criteria. This switch tests ingress packets
against the conditions in an ACL one by one. A packet is accepted as soon as it
matches a permit rule, or dropped as soon as it matches a deny rule. If no rules
match, the packet is accepted. Because the implicit result is accept, an ACL that is
meant to allow only the listed traffic must end with a deny rule that matches
everything else; otherwise traffic that none of the rules describe passes through.
Command Usage
The following restrictions apply to ACLs:
• The maximum number of ACLs is 64.
• The maximum number of rules per system is 1024 rules for mixed mode, or 500
rules for extended mode.
• Each ACL can have up to 32 rules. However, due to resource restrictions, the
average number of rules bound to the ports should not exceed 20.
The order in which active ACLs are checked is as follows:
1. User-defined rules in IP and MAC ACLs for ingress ports are checked in parallel.
2. Rules within an ACL are checked in the configured order, from top to bottom.
3. If the result of checking an IP ACL is to permit a packet, but the result of a MAC
ACL on the same packet is to deny it, the packet is denied (a deny decision has
higher priority for security reasons). A packet is likewise denied if the IP ACL
denies it and the MAC ACL permits it. In short, a packet on a port with both ACL
types bound must be permitted by both to pass.
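The following Python simulator is an added example, not the switch's firmware or
CLI, of the evaluation order just described: rules inside an ACL are tested top to
bottom and the first match decides, an ACL with no matching rule accepts the packet,
and when an IP ACL and a MAC ACL are both bound to a port a deny from either one
wins. The class names, packet fields, port name "eth1/1", and the rule format are
assumptions made for the example; the rule limits are the ones stated in the manual,
and the denied MAC address is the one from the Filter ID 22 example above. The
sample packets are constructed.

```python
# Added example: simulator of the ACL semantics described in this section.
# Illustrative code, not the switch's own implementation; packet fields,
# rule format, class and port names are assumptions for the example.
from dataclasses import dataclass, field

MAX_ACLS = 64            # limit stated in the manual
MAX_RULES_PER_ACL = 32   # limit stated in the manual


@dataclass
class Rule:
    action: str   # "permit" or "deny"
    match: dict   # packet field -> required value; an empty dict matches any packet

    def matches(self, packet: dict) -> bool:
        return all(packet.get(k) == v for k, v in self.match.items())


@dataclass
class Acl:
    name: str
    kind: str                                 # "ip" or "mac"
    rules: list = field(default_factory=list)

    def add_rule(self, action: str, **match) -> None:
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError(f"{self.name}: at most {MAX_RULES_PER_ACL} rules per ACL")
        self.rules.append(Rule(action, match))

    def evaluate(self, packet: dict) -> str:
        """Rules are tested top to bottom; the first match decides.
        With no match the packet is accepted, so an allowlist ACL must
        end with an explicit deny-everything rule to fail closed."""
        for rule in self.rules:
            if rule.matches(packet):
                return rule.action
        return "permit"


class Switch:
    def __init__(self):
        self.acls = {}
        self.bindings = {}   # port -> {"ip": Acl, "mac": Acl}

    def create_acl(self, name: str, kind: str) -> Acl:
        if len(self.acls) >= MAX_ACLS:
            raise ValueError(f"at most {MAX_ACLS} ACLs")
        acl = Acl(name, kind)
        self.acls[name] = acl
        return acl

    def bind(self, port: str, acl_name: str) -> None:
        acl = self.acls[acl_name]
        self.bindings.setdefault(port, {})[acl.kind] = acl

    def filter_ingress(self, port: str, packet: dict) -> str:
        """IP and MAC ACLs bound to the port are evaluated independently;
        a deny from either one wins. A port with no ACL accepts everything."""
        verdicts = [acl.evaluate(packet) for acl in self.bindings.get(port, {}).values()]
        return "deny" if "deny" in verdicts else "permit"


def demo() -> dict:
    sw = Switch()
    ip = sw.create_acl("mgmt-only", "ip")
    ip.add_rule("deny", src_ip="10.0.0.5", dst_port=23)   # no telnet from this host
    ip.add_rule("permit", src_ip="10.0.0.5")              # everything else from it
    ip.add_rule("deny")                                   # explicit fail-closed tail
    mac = sw.create_acl("block-bad-mac", "mac")
    mac.add_rule("deny", src_mac="11-22-33-44-55-66")     # MAC from the filter example
    sw.bind("eth1/1", "mgmt-only")
    sw.bind("eth1/1", "block-bad-mac")

    # Constructed sample packets (not captured traffic)
    ok = {"src_ip": "10.0.0.5", "dst_port": 443, "src_mac": "aa-bb-cc-dd-ee-01"}
    telnet = {"src_ip": "10.0.0.5", "dst_port": 23, "src_mac": "aa-bb-cc-dd-ee-01"}
    bad_mac = {"src_ip": "10.0.0.5", "dst_port": 443, "src_mac": "11-22-33-44-55-66"}
    stranger = {"src_ip": "10.0.0.9", "dst_port": 443, "src_mac": "aa-bb-cc-dd-ee-02"}
    return {
        "permitted_host": sw.filter_ingress("eth1/1", ok),                      # permit
        "first_match_deny": sw.filter_ingress("eth1/1", telnet),                # deny
        "mac_deny_overrides_ip_permit": sw.filter_ingress("eth1/1", bad_mac),   # deny
        "no_match_hits_tail_deny": sw.filter_ingress("eth1/1", stranger),       # deny
        "unbound_port_default_accept": sw.filter_ingress("eth1/2", stranger),   # permit
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The "stranger" packet shows why the trailing deny matters: remove that last rule
from the "mgmt-only" ACL and the same packet is accepted, because an ACL with no
matching rule falls through to accept.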
Note:
The CLI includes a control function which restricts access lists to only extended
rules, or permits both standard and extended rules. For a detailed description of
this feature, refer to the
access-list rule-mode
command (page 4-200).
The default setting only permits extended rules, storing any standard rules entered
through the web or command line interface in extended rule format.