DELL PC7024 User Manual
ACL Commands
267
5
ACL Commands
Access to a switch or router can be made more secure through the use of
Access Control Lists (ACLs) to control the type of traffic allowed into or out
of specific ports. An ACL consists of a series of rules, each of which describes
the type of traffic to be processed and the actions to take for packets that
meet the classification criteria. Rules within an ACL are evaluated
sequentially until a match is found, if any. Every ACL is terminated by an
implicit deny all rule, which covers any packet not matching a preceding
explicit rule. ACLs can help to ensure that only authorized users have access
to specific resources while blocking out any unwarranted attempts to reach
network resources.
ACLs may be used to restrict contents of routing updates, decide which types
ACLs may be used to restrict contents of routing updates, decide which types
of traffic are forwarded or blocked and, above all, provide security for the
network. ACLs are normally used in firewall routers that are positioned
between the internal network and an external network, such as the Internet.
They can also be used on a router positioned between two parts of the
network to control the traffic entering or exiting a specific part of the internal
network.
The PowerConnect ACL feature allows classification of packets based upon
The PowerConnect ACL feature allows classification of packets based upon
Layer 2 through Layer 4 header information. An Ethernet IPv6 packet is
distinguished from an IPv4 packet by its unique Ethertype value; thus, all
IPv4 and IPv6 classifiers include the Ethertype field.
Multiple ACLs per interface are supported. The ACLs can be a combination
Multiple ACLs per interface are supported. The ACLs can be a combination
of Layer 2 and/or Layer 3/4 ACLs. ACL assignment is appropriate for both
physical ports and LAGs. ACLs can also be time based.
ACL Logging
Access list rules are monitored in hardware to either permit or deny traffic
matching a particular classification pattern, but the network administrator
currently has no insight as to which rules are being
hit. Some hardware
platforms have the ability to count the number of hits for a particular
2CSPC4.XCT-SWUM2XX1.book Page 267 Monday, October 3, 2011 11:05 AM