Netgear XCM8810 - 8800 SERIES 10-SLOT CHASSIS SWITCH User Manual
Chapter 13. ACLs
ACLs
This chapter includes the following sections:
• Overview
Overview
Access Control Lists (ACLs) are used to perform packet filtering and forwarding decisions on
traffic traversing the switch. Each packet arriving on an ingress port and/or VLAN is compared to
the access list applied to that interface and is either permitted or denied. On NETGEAR 8800
series switches, packets egressing an interface can also be filtered. However, only a subset of
the filtering conditions available for ingress filtering are available for egress filtering.
In addition to forwarding or dropping packets that match an ACL, the switch can also perform
additional operations such as incrementing counters, logging packet headers, mirroring traffic to
a monitor port, sending the packet to a QoS profile, and metering the packets matching the ACL
to control bandwidth. Using ACLs has no impact on switch performance (with the minor
exception of the mirror-cpu action modifier).
ACLs are typically applied to traffic that crosses Layer 3 router boundaries, but it is possible to
use access lists within a Layer 2 virtual LAN (VLAN).
ACLs on the XCM8800 apply to all traffic, including control packets destined for the switch CPU.
This differs from the behavior on other NETGEAR platforms. For example, if you deny all traffic
on a port, no traffic, including routing protocol packets such as OSPF or RIP, reaches the switch,
and the routing adjacency on that port is dropped. You must explicitly permit those packet types
if they are needed. On the other NETGEAR platforms, an ACL that denied "all" traffic still allowed
control packets (those bound for the CPU) to reach the switch.
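The following is an added example, not part of the original manual and not the switch's own policy syntax: a small Python model of ACL evaluation on a platform where control-plane packets are subject to the same ACL as user traffic. It assumes first-match semantics and a permit default when nothing matches (both modelling assumptions, which is why every policy below ends in an explicit deny), and uses constructed sample packets. It shows why a bare deny-all drops OSPF (IP protocol 89) and RIPv2 (UDP/520) along with everything else, what the explicit permits look like, and how a misordered catch-all deny shadows them, which the per-rule hit counters (the "count" action modifier) make visible.

```python
"""Model of first-match ACL evaluation where control packets are also filtered.

Added illustration only: the rule objects and policies here are not the
XCM8800's policy syntax, and the first-match / permit-by-default behaviour is a
modelling assumption, not a statement about the switch.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Protocol numbers, ports and groups for the routing control traffic named in the text.
IPPROTO_TCP = 6
IPPROTO_UDP = 17
IPPROTO_OSPF = 89           # OSPF is carried directly over IP as protocol 89
RIP_UDP_PORT = 520          # RIPv2 updates are UDP/520 to 224.0.0.9
OSPF_ALLSPF = "224.0.0.5"   # OSPF AllSPFRouters multicast group
RIP_ROUTERS = "224.0.0.9"


@dataclass(frozen=True)
class Packet:
    label: str
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None


@dataclass
class Rule:
    """One ACL entry: match fields (None means wildcard) plus an action."""
    name: str
    action: str                   # "permit" or "deny"
    proto: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    hits: int = 0                 # models the "count" action modifier

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(policy: list[Rule], pkt: Packet) -> str:
    """First matching rule decides and has its counter incremented.

    Assumption of this model: a packet matching no rule is permitted, so the
    policies below always end with an explicit deny-all entry.
    """
    for rule in policy:
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action
    return "permit"


def deny_all_policy() -> list[Rule]:
    """'Deny all traffic on the port': here that also drops OSPF and RIP packets."""
    return [Rule("deny-all", "deny")]


def routed_port_policy() -> list[Rule]:
    """Explicit permits for the routing protocols the port needs, placed before
    the catch-all deny so they are not shadowed by it."""
    return [
        Rule("permit-ospf", "permit", proto=IPPROTO_OSPF),
        Rule("permit-rip", "permit", proto=IPPROTO_UDP, dport=RIP_UDP_PORT),
        Rule("deny-all", "deny"),
    ]


def misordered_policy() -> list[Rule]:
    """Same entries, wrong order: the deny-all shadows both permits."""
    return [
        Rule("deny-all", "deny"),
        Rule("permit-ospf", "permit", proto=IPPROTO_OSPF),
        Rule("permit-rip", "permit", proto=IPPROTO_UDP, dport=RIP_UDP_PORT),
    ]


# Constructed sample traffic arriving on the port (not captured data).
SAMPLE_TRAFFIC = [
    Packet("ospf-hello", "10.0.0.2", OSPF_ALLSPF, IPPROTO_OSPF),
    Packet("rip-update", "10.0.0.2", RIP_ROUTERS, IPPROTO_UDP, RIP_UDP_PORT),
    Packet("user-dns", "10.0.0.50", "192.0.2.53", IPPROTO_UDP, 53),
    Packet("user-ssh", "10.0.0.50", "198.51.100.7", IPPROTO_TCP, 22),
]


def apply_policy(policy: list[Rule], packets: list[Packet]) -> dict[str, str]:
    """Run every packet through the policy; return {label: decision}."""
    return {pkt.label: evaluate(policy, pkt) for pkt in packets}


def unhit_rules(policy: list[Rule], packets: list[Packet]) -> list[str]:
    """Names of rules whose counter stayed at zero for the sample traffic: a
    sign that an earlier, broader entry is shadowing them."""
    apply_policy(policy, packets)
    return [rule.name for rule in policy if rule.hits == 0]


if __name__ == "__main__":
    for name, build in [("deny-all", deny_all_policy),
                        ("routed-port", routed_port_policy),
                        ("misordered", misordered_policy)]:
        policy = build()
        print(name, apply_policy(policy, SAMPLE_TRAFFIC),
              "never hit:", [r.name for r in policy if r.hits == 0])
```

Running the module shows the deny-all policy rejecting the OSPF hello and RIP update together with the user flows, the routed-port policy permitting only the two routing protocols, and the misordered policy reporting both permit entries as never hit, which is the check worth running before trusting a deny-all on a routed port.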