DWS-1008 User’s Manual
D-Link Systems, Inc.
Conguring and Managing Security ACLs
Configuring and Managing
Security ACLs
About Security Access Control Lists
A security access control list (ACL) filters packets for the purpose of discarding them,
permitting them, or permitting them with modification (marking) for class-of-service (CoS)
priority treatment. A typical use of security ACLs is to enable users to send and receive packets
within the local intranet, but restrict incoming packets to the server on which confidential salary
information is stored.
D-Link provides a very powerful mapping application for security ACLs. In addition to being
assigned to physical ports, VLANs, virtual ports in a VLAN, or Distributed APs, ACLs can be
mapped dynamically to a user’s session, based on authorization information passed back
from the AAA server during the user authentication process.
Security ACL Filters
A security ACL filters packets to restrict or permit network traffic. These filters can then be
mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed APs. You
can also assign a class-of-service (CoS) level that marks the packets matching the filter for
priority handling.
A security ACL contains an ordered list of rules called access control entries (ACEs), which
specify how to handle packets. An ACE contains an action that can deny the traffic, permit
the traffic, or permit the traffic and apply to it a specific CoS level of packet handling. The
filter can include source and destination IP address information along with other Layer 3 and
Layer 4 parameters. The action is taken only if the packet matches the filter.
The order in which ACEs are listed in an ACL is important. MSS evaluates the ACEs from the
top of the list downward and applies the first ACE that matches the packet; ACEs further down
the list are not consulted. An implicit "deny all" rule is always processed as the last ACE of an
ACL, so a packet that matches no ACE in the mapped ACL is discarded. Consequently, an ACL
that does not contain at least one ACE that permits access allows no traffic at all.
Plan your security ACL maps to ports, VLANs, virtual ports, and Distributed APs so that only
one security ACL filters a given flow of packets. If more than one security ACL filters the same
traffic, MSS applies only the first ACL match and ignores any other matches. Security ACLs
that are mapped to users have precedence over ACLs mapped to ports, VLANs, virtual ports,
or Distributed APs.
Security ACLs cannot permit, deny, or mark with a class-of-service (CoS) level packets whose
destination address is a multicast or broadcast address; such packets are not subject to ACL
actions.
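The following Python model is an added example, not D-Link or MSS code, written to make the semantics described in this section concrete: top-down ACE evaluation with first match winning, the implicit "deny all" at the end of every ACL, the precedence of a user-mapped ACL over a port/VLAN ACL, the effect of ACE order (a broad permit placed above a narrow deny shadows it), and the exemption of multicast and broadcast destinations. It assumes CIDR prefixes rather than the wildcard masks MSS uses, treats only the limited broadcast address 255.255.255.255 as broadcast, assumes traffic with no ACL mapped to it passes unfiltered, and models "first ACL match" as "the user ACL if one is mapped, otherwise the port ACL". The ACL names, addresses and packets are constructed for the example.

```python
"""Model of security-ACL evaluation as described in the DWS-1008 manual.
Added example; class and function names are this example's own, not an MSS API."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "ip"           # "ip" (any), "tcp" or "udp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class ACE:
    action: str                    # "permit" or "deny"
    src: str = "0.0.0.0/0"         # CIDR here; MSS itself uses wildcard masks (assumption)
    dst: str = "0.0.0.0/0"
    protocol: str = "ip"           # "ip" matches any Layer 4 protocol
    dport: Optional[int] = None    # None = any destination port
    cos: Optional[int] = None      # CoS level marked on permit; None = no marking

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


@dataclass
class ACL:
    name: str
    aces: List[ACE] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Top-down evaluation; the first matching ACE decides the action."""
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action, ace.cos
        return "deny", None        # implicit "deny all" as the final ACE


def is_multicast_or_broadcast(dst: str) -> bool:
    # Only the limited broadcast is recognised here (assumption); directed
    # broadcasts would need the subnet mask of the destination network.
    return ip_address(dst).is_multicast or dst == "255.255.255.255"


def filter_packet(pkt: Packet, user_acl: Optional[ACL] = None,
                  port_acl: Optional[ACL] = None):
    """Return (action, cos, acl_name). A user-mapped ACL takes precedence over
    the port/VLAN ACL, and only the first ACL that filters the flow is applied."""
    if is_multicast_or_broadcast(pkt.dst):
        return "permit", None, None        # multicast/broadcast: no ACL action
    for acl in (user_acl, port_acl):
        if acl is not None:
            action, cos = acl.evaluate(pkt)
            return action, cos, acl.name
    return "permit", None, None            # nothing mapped: unfiltered (assumption)


# Constructed sample policy: the salary-server scenario from the text.
SALARY_SERVER = "10.1.5.10"
INTRANET = "10.1.0.0/16"

# Port/VLAN ACL: narrow deny for the salary server first, broad intranet permit second.
PORT_ACL = ACL("intranet-guard", [
    ACE("deny", dst=SALARY_SERVER + "/32"),
    ACE("permit", src=INTRANET, dst=INTRANET),
])

# Same two ACEs in the wrong order: the broad permit now shadows the deny.
MISORDERED_ACL = ACL("intranet-guard-bad", list(reversed(PORT_ACL.aces)))

# User ACL handed back by AAA for HR staff: HTTPS to the salary server, marked CoS 5.
HR_USER_ACL = ACL("hr-user", [
    ACE("permit", src=INTRANET, dst=SALARY_SERVER + "/32",
        protocol="tcp", dport=443, cos=5),
    ACE("permit", src=INTRANET, dst=INTRANET),
])


def demo():
    hr = Packet("10.1.3.4", SALARY_SERVER, "tcp", 443)
    staff = Packet("10.1.3.5", SALARY_SERVER, "tcp", 443)
    intranet = Packet("10.1.3.5", "10.1.7.7", "udp", 53)
    internet = Packet("10.1.3.5", "198.51.100.9", "tcp", 80)
    mcast = Packet("10.1.3.5", "224.0.0.251", "udp", 5353)
    return {
        "hr_to_salary": filter_packet(hr, user_acl=HR_USER_ACL, port_acl=PORT_ACL),
        "staff_to_salary": filter_packet(staff, port_acl=PORT_ACL),
        "staff_intranet": filter_packet(intranet, port_acl=PORT_ACL),
        "staff_internet": filter_packet(internet, port_acl=PORT_ACL),
        "hr_internet": filter_packet(internet, user_acl=HR_USER_ACL, port_acl=PORT_ACL),
        "misordered": filter_packet(staff, port_acl=MISORDERED_ACL),
        "multicast": filter_packet(mcast, port_acl=PORT_ACL),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16s} -> {result}")
```

Two results are worth dwelling on. `misordered` permits staff to reach the salary server even though a deny for it exists, because the intranet permit above it already matched; ACE order, not ACE presence, decides. And `hr_internet` is denied by the user ACL's implicit "deny all" without the port ACL ever being consulted: once a user ACL is mapped, it is the only ACL filtering that user's traffic, so it must carry every permit the user needs.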