Specifications

About Security Access Control Lists

15-2 Configuring and Managing Security ACLs

Figure 15-1 Setting Security ACLs

Security ACL Filters

AsecurityACLfilterspacketstorestrictorpermitnetworktraffic.Thesefilterscanthenbe

mappedbynametoauthenticatedusers,VLANs,virtualports,orDistributedAPs.Youcanalso

assignaclass‐of‐service(CoS)levelthatmarksthepacketsmatchingthefilterforpriority

handling.

AsecurityACL

containsanorderedlistofrulescalledaccesscontrolentries(ACEs),whichspecify

howtohandlepackets.AnACEcontainsanactionthatcandenythetraffic,permitthetraffic,or

permitthetrafficandapplytoitaspecificCoSlevelofpackethandling.Thefiltercaninclude

source

anddestinationIPaddressinformationalongwithotherLayer 3andLayer 4parameters.

Actionistakenonlyifthepacketmatchesthefilter.

TheorderinwhichACEsarelistedinanACLisimportant.MSSappliesACEsthatarehigherin

thelistbeforeACEslowerinthelist.(See“Modifying

aSecurityACL”onpage 15‐16.)Animplicit

“denyall”ruleisalwaysprocessedasthelastACEofanACL.IfapacketmatchesnoACEinthe

entiremappedACL,thepacketisrejected.IftheACLdoesnotcontainatleastoneACEtha t

permitsaccess,no

trafficisallowed.

PlanyoursecurityACLmapstoVLANs,virtualports,andDistributedAPssothatonlyone

securityACLfiltersagivenflowofpackets.IfmorethanonesecurityACLfiltersthesametraffic,

MSSappliesonlythefirstACLmatchandignoresanyothermatches.Security

ACLsthatare

mappedtousershaveprecedenceoverACLsmappedtoVLANs,virtualports,orDistributed

APs.

ACLs in

edit buffer

null

Commited ACLs

null

ACLs mapped to ports,

VLANs, and virtual ports

ACLs mapped

to users