Linksys
Chapter 13 Access Control List
The Access Control List (ACL) feature is part of the security mechanism.
ACLs enable network managers to define patterns (filters and actions) for
ingress traffic. Packets entering the device on a port or LAG with an active
ACL are either admitted or denied entry. ACL definitions can also be used to
define traffic flows in Quality of Service (QoS).
For more information, see Advanced Quality of Service. This section covers the
following topics:
• Access Control Lists
• MAC-Based ACL
• MAC-Based ACE
• IPv4-Based ACLs
• IPv4-Based ACE
• IPv6-Based ACE
• IPv6-Based ACL
• ACL Binding
An Access Control List (ACL) is an ordered list of classification filters and
actions. Each single classification rule, together with its action, is called an
Access Control Element (ACE).
Each ACE is made up of filters that distinguish traffic groups and associated
actions. A single ACL may contain one or more ACEs, which are matched
against the contents of incoming frames. Either a DENY or PERMIT action is
applied to frames whose contents match the filter.
The device supports a maximum of 256 ACLs, and a maximum of 256 ACEs.
When a packet matches an ACE filter, the ACE action is taken and processing of
that ACL stops. If the packet does not match the ACE filter, the next
ACE is processed. If all ACEs of an ACL have been processed without finding a
match, and if another ACL exists, it is processed in the same manner.
NOTE:
If no match is found for any ACE in all relevant ACLs, the packet is dropped
(as the default action). Because of this default drop action, you must explicitly
add ACEs to the ACL to permit the desired traffic, including management
traffic, such as Telnet, HTTP or SNMP, that is directed to the device itself. For
example, if you do not want to discard all the packets that do not match the
conditions in an ACL, you must explicitly add a lowest-priority ACE to the
ACL that permits all traffic.
If IGMP snooping is enabled on a port bound to an ACL, add ACE filters
to the ACL that forward IGMP/MLD packets to the device; otherwise, IGMP
snooping fails on that port.
The order of the ACEs within the ACL is significant, since they are applied
in a first-fit manner. The ACEs are processed sequentially, starting with the
first ACE.
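The following Python script is an added example, not code from the Linksys guide or from the switch firmware. It simulates the first-fit, default-drop evaluation described above on constructed sample packets: all MAC and IP addresses, the ACE fields, and the names Packet, ACE, evaluate and decisions are illustrative assumptions. It shows why the NOTE's explicit permits for management (HTTP, SNMP) and IGMP traffic and a lowest-priority permit-all are needed, and how placing that permit-all too early shadows a host deny that follows it.

```python
"""Simulation of first-fit ACL evaluation with an implicit default drop."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PERMIT, DENY = "PERMIT", "DENY"
ETH_IPV4 = 0x0800
IP_IGMP, IP_TCP, IP_UDP = 2, 6, 17


@dataclass(frozen=True)
class Packet:
    """Constructed summary of an ingress frame (not a real frame parser)."""
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    """One classification filter plus its action; a None field means 'any'.
    A MAC-based ACE uses only the L2 fields, an IP-based ACE the L3/L4 ones."""
    action: str
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    ethertype: Optional[int] = None
    src_net: Optional[str] = None   # CIDR prefix, e.g. "192.168.1.0/24"
    dst_net: Optional[str] = None
    protocol: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_mac is not None and pkt.src_mac.lower() != self.src_mac.lower():
            return False
        if self.dst_mac is not None and pkt.dst_mac.lower() != self.dst_mac.lower():
            return False
        if self.ethertype is not None and pkt.ethertype != self.ethertype:
            return False
        for want, have in ((self.src_net, pkt.src_ip), (self.dst_net, pkt.dst_ip)):
            if want is not None:
                if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


def evaluate(acls: List[List[ACE]], pkt: Packet) -> str:
    """First-fit: the first matching ACE in the first ACL that has one decides.
    With no match in any ACL the packet is dropped (the default action)."""
    for acl in acls:
        for ace in acl:
            if ace.matches(pkt):
                return ace.action
    return DENY


# Constructed sample packets arriving on a port bound to the ACL.
HTTP_MGMT = Packet("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", ETH_IPV4,
                   "192.168.1.10", "192.168.1.1", IP_TCP, 80)
SNMP_MGMT = Packet("00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", ETH_IPV4,
                   "192.168.1.10", "192.168.1.1", IP_UDP, 161)
IGMP_REPORT = Packet("00:11:22:33:44:66", "01:00:5e:00:00:16", ETH_IPV4,
                     "192.168.1.20", "224.0.0.22", IP_IGMP)
BLOCKED_HOST = Packet("00:11:22:33:44:77", "aa:bb:cc:dd:ee:ff", ETH_IPV4,
                      "192.168.1.50", "192.168.1.1", IP_TCP, 80)

# Naive ACL: a single HTTP permit. SNMP to the switch and IGMP reports
# match nothing and hit the implicit drop; the host to be blocked gets through.
NAIVE_ACL = [ACE(PERMIT, src_net="192.168.1.0/24", protocol=IP_TCP, dst_port=80)]

# Corrected ACL: host deny first (order matters), explicit permits for
# management and IGMP traffic, and a lowest-priority permit-all at the end.
CORRECTED_ACL = [
    ACE(DENY, src_net="192.168.1.50/32"),
    ACE(PERMIT, src_net="192.168.1.0/24", protocol=IP_TCP, dst_port=80),
    ACE(PERMIT, src_net="192.168.1.0/24", protocol=IP_UDP, dst_port=161),
    ACE(PERMIT, protocol=IP_IGMP),
    ACE(PERMIT),  # catch-all; anything placed after it is never evaluated
]

# Same ACEs with the catch-all moved to the front: the host deny is unreachable.
MISORDERED_ACL = [CORRECTED_ACL[-1]] + CORRECTED_ACL[:-1]


def decisions(acl: List[ACE]) -> dict:
    """Evaluate every sample packet against one ACL bound to the port."""
    return {name: evaluate([acl], pkt) for name, pkt in
            (("http", HTTP_MGMT), ("snmp", SNMP_MGMT),
             ("igmp", IGMP_REPORT), ("blocked", BLOCKED_HOST))}


if __name__ == "__main__":
    for label, acl in (("naive", NAIVE_ACL), ("corrected", CORRECTED_ACL),
                       ("misordered", MISORDERED_ACL)):
        print(label, decisions(acl))
```

Running the script prints the per-packet verdict for each ACL: the naive ACL drops SNMP and IGMP but passes the host that should be blocked, the corrected ACL gives the intended result, and the misordered one permits everything because the catch-all is matched first.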
ACLs can be used for security, for example by permitting or denying
certain traffic flows, and also for traffic classification and prioritization in
the QoS Advanced mode.
NOTE:
A port can be either secured with ACLs or configured with an advanced QoS
policy, but not both.
There can only be one ACL per port.
To associate more than one ACL with a port, a policy with one or more class
maps must be used.
The following types of ACLs can be defined (depending on which part of the
frame header is examined):
• MAC ACL—Examines Layer 2 fields only, as described in Defining MAC-based ACLs.
• IP ACL—Examines the Layer 3 fields of IP frames, as described in IPv4/IPv6-Based ACLs.
If a frame matches the filter in an ACL, it is defined as a flow with the name of
that ACL.
Creating ACLs Workflow
To create ACLs and associate them with an interface, perform the following:
Smart Switch LGS3XX User Guide