746
Chapter 19 ACL Configuration
19.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches,
providing network traffic control by granting or denying access through the switches,
effectively safeguarding the security of networks. The user can lay down a set of rules
according to some information specific to packets, each rule describes the action for a
packet with certain information matched: “permit” or “deny”. The user can apply such
rules to the incoming or outgoing direction of switch ports, so that data streams in the
specific direction of specified ports must comply with the ACL rules assigned.
19.1.1 Access-list
Access-list is a sequential collection of conditions that corresponds to a specific rule.
Each rule consist of filter information and the action when the rule is matched.
Information included in a rule is the effective combination of conditions such as source IP,
destination IP, IP protocol number and TCP port. Access-lists can be categorized by the
following criteria:
z
Filter information based criterion: IP access-list (layer 3 or higher information), MAC
access-list (layer 2 information), and MAC-IP access-list (layer 2 or layer 3 or higher).
The current implementation supports IP access-list only, the other two functions will
be provided later.
z
Configuration complexity based criterion: standard and extended, the extended mode
allows more specific filtering of information.
z
Nomenclature based criterion: numbered and named.
Description of an ACL should cover the above three aspects.
19.1.2 Access-group
When a set of access-lists are created, they can be applied to traffic of any direction on
all ports. Access-group is the description to the binding of an access-list to the specified
direction on a specific port. When an access-group is created, all packets from in the
specified direction through the port will be compared to the access-list rule to decide
whether to permit or deny access.