Allied Telesis AT-S63 User Manual
AT-S63 Management Software Features Guide
Section II: Advanced Operations
121
Overview
An access control list is a filter that controls the ingress traffic on a port. It
defines a category of traffic and the action of the port when it receives
packets of the category. The action can be to accept the defined packets
or discard them. You can use this feature to increase the security to your
network by restricting access to certain areas or subnets, or to enhance
network performance by forming network links dedicated to carrying
specified types of traffic.
defines a category of traffic and the action of the port when it receives
packets of the category. The action can be to accept the defined packets
or discard them. You can use this feature to increase the security to your
network by restricting access to certain areas or subnets, or to enhance
network performance by forming network links dedicated to carrying
specified types of traffic.
Note
This feature is not related to the management ACL feature,
described in Chapter 37, “Management Access Control List” on
page 431. They perform different functions and are configured in
different ways.
described in Chapter 37, “Management Access Control List” on
page 431. They perform different functions and are configured in
different ways.
The heart of an ACL is a classifier. A classifier, as explained “Overview” on
page 111, defines packets that share a common trait. Packets that share a
trait are referred to as a traffic flow. A traffic flow can be very broad, such
as all IP packets, or very specific, such as packets from a specified end
node destined for another specified node. You specify the traffic using
different criteria, such as source and destination MAC addresses or
protocol.
page 111, defines packets that share a common trait. Packets that share a
trait are referred to as a traffic flow. A traffic flow can be very broad, such
as all IP packets, or very specific, such as packets from a specified end
node destined for another specified node. You specify the traffic using
different criteria, such as source and destination MAC addresses or
protocol.
When you create an ACL, you must specify the classifier that defines the
traffic flow to permit or deny on a port.
traffic flow to permit or deny on a port.
There are two kinds of ACLs based on the two actions that an ACL can
perform. One is called a permit ACL. Packets that meet the criteria in a
permit ACL are accepted by a port.
perform. One is called a permit ACL. Packets that meet the criteria in a
permit ACL are accepted by a port.
The second type of ACL is a deny ACL. This type of ACL denies entry to
packets that meet the criteria of its classifiers, unless the packet also
meets the criteria of a permit ACL on the same port, in which case the
packet is accepted. This is because a permit ACL overrides a deny ACL.
packets that meet the criteria of its classifiers, unless the packet also
meets the criteria of a permit ACL on the same port, in which case the
packet is accepted. This is because a permit ACL overrides a deny ACL.
Here is an overview of how the process works.
1. When an ingress packet arrives on a port, it is checked against the
criteria in the classifiers of all the ACLs, both permit and deny,
assigned to the port.
assigned to the port.
2. If the packet matches the criteria of a permit ACL, the port immediately
accepts it, even if the packet also matches a deny ACL assigned to the
same port, because a permit ACL always overrides a deny ACL.
same port, because a permit ACL always overrides a deny ACL.
3. If a packet meets the criteria of a deny ACL but not any permit ACLs
on the port, then the packet is discarded.