Motorola WS5100 用户手册

下载
页码 364
Switch Security   
6-17
 
6.5.1 ACL Overview
An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of 
conditions that a packet must satisfy in order to match the ACE. The order of conditions in the list is critical 
because the switch stops testing conditions after the first match.
The switch supports the following ACLs to filter traffic:
• Router ACLs — Applied to VLAN (Layer 3) interfaces. These ACLs filter traffic based on Layer 3 
parameters like source IP, destination IP, protocol types and port numbers. They are applied on packets 
routed through the switch. Router ACLs can be applied to inbound traffic only, not both directions.
• Port ACLs— Applied to traffic entering a Layer 2 interface. Only switched packets are subjected to these 
kind of ACLs. Traffic filtering is based on Layer 2 parameters like–source MAC, destination MAC
Ethertype, VLAN-ID, 802.1p bits (OR) Layer 3 parameters like– source IP, destination IP, protocol, port 
number. 
• Wireless LAN ACLs - A Wireless LAN ACL is designed to filter/mark packets based on the wireless LAN 
from which they arrived rather than filtering the packets arrived on L2 ports.
For more information, see
6.5.1.1 Router ACLs
Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular direction 
on an interface, applying a new one will replace the existing ACL. Router ACLs are applicable only if the 
switch acts as a gateway, and traffic is inbound only.
The switch supports two types of Router ACLs:
• Standard IP ACL—Uses the source IP address as matching criteria.
• Extended IP ACL—Uses the source IP address, destination IP address and IP protocol type as basic 
matching criteria. It can also include other parameters specific to a protocol type (like source and 
destination port for TCP/UDP protocols).
Router ACLs are stateful and are not applied on every packet that gets routed through the switch. Whenever 
a packet is received from a Layer 3 interface, it is examined against all the existing sessions to determine if 
it belongs to an established session. ACLs are applied on the packet in the following manner.
1. If the packet matches an existing session, it is not matched against ACL rules and the session decides 
where to send the packet.
2. If no existing sessions match the packet, it is matched against ACL rules to decide whether to accept it 
or reject it. If ACL rules accept the packet, a new session is created and all further packets belonging to 
that session are allowed. If ACL rules reject the packet, no session is established.
NOTE: Port and router ACLs can be applied only in an inbound direction. WLAN ACLs 
support applying ACLs in the inbound and outbound direction.