Motorola WS5100 用户手册
6-18 WS5100 Series Switch System Reference Guide
A session is computed based on the following:
• Source IP address
• Destination IP address
• Source Port
• Destination Port
• ICMP identifier
• Incoming interface index
• IP Protocol
Each session has a default idle time-out interval. If no packets are received within this interval, the session
is terminated and a new session must be initiated. These intervals are fixed and can not be configured by
the user.
is terminated and a new session must be initiated. These intervals are fixed and can not be configured by
the user.
The default idle time-out intervals for different sessions are:
• ICMP and UDP sessions— 30 seconds
• TCP sessions— 2 hours
6.5.1.2 Port ACLs
The switch supports Port ACLs on physical interfaces and inbound traffic only. The following Port ACLs are
supported:
supported:
• Standard IP ACL—Uses a source IP address as matching criteria.
• Extended IP ACL—Uses a source IP address, destination IP address and IP protocol type as basic
matching criteria. It can also include other parameters specific to a protocol type, like–source and
destination port for TCP/UDP protocols.
destination port for TCP/UDP protocols.
• MAC Extended ACL— Uses source and destination MAC addresses and VLAN ID. It optionally, also uses
Ethertype information.
Port ACLs are not stateful as compared to Router ACLs. Hence, it matches every packet against the
configured ACL rules and takes action as defined by the ACL rules. When a Port ACL is applied to a trunk
port, the ACL filters traffic on all VLANs present on the trunk port. With Port ACLs, you can filter:
configured ACL rules and takes action as defined by the ACL rules. When a Port ACL is applied to a trunk
port, the ACL filters traffic on all VLANs present on the trunk port. With Port ACLs, you can filter:
• IP traffic by using IP ACL
• Non-IP traffic by using MAC addresses.
Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC
ACL to the interface.
ACL to the interface.
You cannot apply more than one IP ACL and one MAC ACL to a Layer 2 interface. If an IP ACL or MAC ACL is
already configured on a Layer 2 interface and a new IP ACL or MAC ACL is applied to the interface, the new
ACL replaces the previously configured one.
already configured on a Layer 2 interface and a new IP ACL or MAC ACL is applied to the interface, the new
ACL replaces the previously configured one.
NOTE: Port and router ACLs can be applied only in an inbound direction. WLAN ACLs
support applying ACLs in the inbound and outbound direction.
support applying ACLs in the inbound and outbound direction.