HP ProCurve 5300xl Series User Manual
Access Control Lists (ACLs) for the Series 5300xl Switches
Terminology
ACL Mask: Follows any IP address (source or destination) listed in an ACE.
Defines which bits in a packet’s corresponding IP addressing must exactly
match the IP addressing in the ACE, and which bits need not match
(wildcards). See also “How an ACE Uses a Mask To Screen Packets for
Matches” on page 9-20.
Connection-Rate ACL: An optional feature used with Connection-Rate
filtering based on virus-throttling technology, and available in 5300xl
switches running software release E.09.xx or greater. For more
information, refer to the chapter titled “Virus Throttling” in the Access
Security Guide for your 5300xl switch.
DA: The acronym for Destination IP Address. In an IP packet, this is the
destination IP address carried in the header, and identifies the destination
intended by the packet’s originator. In an extended ACE, this is the second
of two IP addresses required by the ACE to determine whether there is a
match between a packet and the ACE. See also “SA”.
Deny: An ACE configured with this action causes the switch to drop a packet
for which there is a match within an applicable ACL.
Extended ACL: This type of Access Control List uses layer-3 IP criteria
composed of source and destination IP addresses and (optionally) TCP
or UDP port criteria to determine whether there is a match with an IP
packet. You can apply extended ACLs to either inbound or outbound
routed traffic and to any inbound switched or routed traffic with a DA
belonging to the switch itself. Extended ACLs require an identification
number (ID) in the range of 100 - 199 or an alphanumeric name.
Implicit Deny: If the switch finds no matches between a routed packet and
the configured criteria in an applicable ACL, then the switch denies
(drops) the packet with an implicit “deny IP any” operation. You can
preempt the implicit “deny IP any” in a given ACL by configuring permit IP
any (standard) or permit IP any any (extended) as the last explicit ACE in
the ACL. Doing so permits any routed packet that is not explicitly
permitted or denied by other ACEs configured sequentially earlier in the ACL.
Unless otherwise noted, “implicit deny IP any” refers to the “deny” action
enforced by both standard and extended ACLs.
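The two entries above (ACL Mask and Implicit Deny) describe the matching rule that decides a packet's fate. The following Python model, added here as an illustration and not code from the manual or from HP, evaluates a small extended ACL the way the text describes: the mask is assumed to be a wildcard mask (a 0 bit means the packet's address bit must equal the ACE's, a 1 bit is a don't-care), ACEs are tried in configured order, the first match wins, and a packet that matches nothing falls to the implicit "deny IP any". The ACL numbers, addresses and packets are constructed for the example; the second ACL shows how a trailing "permit ip any any" preempts the implicit deny.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def matches_with_mask(packet_addr: str, ace_addr: str, mask: str) -> bool:
    """Wildcard-mask comparison (assumed convention): a 0 bit in the mask
    means that bit of the packet address must equal the ACE address; a 1 bit
    is a wildcard and is ignored."""
    p = int(IPv4Address(packet_addr))
    a = int(IPv4Address(ace_addr))
    m = int(IPv4Address(mask))
    care = ~m & 0xFFFFFFFF          # bits that must match exactly
    return (p & care) == (a & care)


@dataclass
class ACE:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" (any IP), "tcp" or "udp"
    sa: str                         # source address (first address in an extended ACE)
    sa_mask: str
    da: str                         # destination address (second address, see "DA")
    da_mask: str
    dst_port: Optional[int] = None  # only meaningful for tcp/udp


@dataclass
class Packet:
    sa: str
    da: str
    protocol: str
    dst_port: Optional[int] = None


ANY = "0.0.0.0"
ANY_MASK = "255.255.255.255"        # all bits wildcard == "any"


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """All criteria of the ACE must hold for the packet to match it."""
    if ace.protocol != "ip" and ace.protocol != pkt.protocol:
        return False
    if not matches_with_mask(pkt.sa, ace.sa, ace.sa_mask):
        return False
    if not matches_with_mask(pkt.da, ace.da, ace.da_mask):
        return False
    if ace.dst_port is not None and ace.dst_port != pkt.dst_port:
        return False
    return True


def evaluate_acl(acl: List[ACE], pkt: Packet) -> str:
    """Sequential first-match evaluation; no match falls through to the
    implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"                   # implicit "deny IP any"


# Constructed extended ACL (ID chosen from the 100-199 range):
#   permit tcp 10.10.10.0/0.0.0.255 -> any, destination port 22
#   deny   ip  10.10.20.0/0.0.0.255 -> any
ACL_101 = [
    ACE("permit", "tcp", "10.10.10.0", "0.0.0.255", ANY, ANY_MASK, 22),
    ACE("deny", "ip", "10.10.20.0", "0.0.0.255", ANY, ANY_MASK),
]

# Same ACL with "permit ip any any" as the last explicit ACE, which
# preempts the implicit deny for everything not matched earlier.
ACL_102 = ACL_101 + [ACE("permit", "ip", ANY, ANY_MASK, ANY, ANY_MASK)]

# Constructed sample packets.
SSH_FROM_ALLOWED = Packet("10.10.10.7", "192.168.1.1", "tcp", 22)
DNS_FROM_ALLOWED = Packet("10.10.10.7", "192.168.1.1", "udp", 53)
SSH_FROM_DENIED = Packet("10.10.20.5", "192.168.1.1", "tcp", 22)

if __name__ == "__main__":
    for name, acl in (("ACL 101", ACL_101), ("ACL 102", ACL_102)):
        for pkt in (SSH_FROM_ALLOWED, DNS_FROM_ALLOWED, SSH_FROM_DENIED):
            print(name, pkt, "->", evaluate_acl(acl, pkt))
```

Running the block shows the behaviour the terminology describes: under ACL 101 the UDP packet from 10.10.10.7 matches no ACE and is dropped by the implicit deny, while under ACL 102 the trailing "permit ip any any" lets it through; the packet from the 10.10.20.0 subnet is dropped by the explicit deny in both.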
Inbound Traffic: For the purpose of defining where the switch applies ACLs
to filter traffic, inbound traffic is any IP packet that:
- Enters the switch on a given subnet.
- Has a destination IP address (DA) that meets either of these criteria:
  - The packet’s DA is for an external device on a different subnet.
9-6
