16-2 ExtremeWare Software User Guide

Access Policies

IP Access Lists
IP access lists consist of IP access rules, and are used to perform packet filtering and
forwarding decisions on incoming traffic. Each packet arriving on an ingress port is
compared to the access list in sequential order, and is either forwarded to a specified
QoS profile or dropped. Using access lists has no impact on switch performance.
Access lists are typically applied to traffic that crosses layer 3 router boundaries, but it
is possible to use access lists within a layer 2 VLAN. Products that use the “i” chipset
are capable of performing this function with no additional configuration. Products that
do not use the “i” chipset require Intra-subnet QoS (ISQ) to be enabled in order to perform
this function. For more information on ISQ, refer to Chapter 9.
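The sequential, first-match evaluation described above is easy to get wrong in practice: a broad rule placed before a narrower one silently makes the narrower rule dead. The following Python model is an added example, not ExtremeWare code; it assumes that rules with a precedence number are checked first in ascending order, that unnumbered rules keep configuration order, and that a packet matching no rule is permitted (the page does not state the default). Rules match on source and destination address with mask and on TCP/UDP port ranges; shadowed() reports rules that can never fire.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

@dataclass
class Rule:
    name: str                              # unique rule name
    src: str                               # source address and mask, e.g. "10.0.0.0/8"
    dst: str                               # destination address and mask
    sport: Tuple[int, int] = (0, 65535)    # TCP/UDP source port range
    dport: Tuple[int, int] = (0, 65535)    # TCP/UDP destination port range
    action: str = "deny"                   # "deny" or a QoS profile name such as "qp2"
    precedence: Optional[int] = None       # assumed: lower number is evaluated first

def ordered(rules: List[Rule]) -> List[Rule]:
    # Numbered rules first, ascending; unnumbered ones keep configuration order (assumption).
    return sorted(rules, key=lambda r: (r.precedence is None, r.precedence or 0))

def matches(r: Rule, src: str, dst: str, sport: int, dport: int) -> bool:
    return (ipaddress.ip_address(src) in Net(r.src) and ipaddress.ip_address(dst) in Net(r.dst)
            and r.sport[0] <= sport <= r.sport[1] and r.dport[0] <= dport <= r.dport[1])

def evaluate(rules: List[Rule], src: str, dst: str, sport: int, dport: int,
             default: str = "permit") -> str:
    """Sequential first-match evaluation; the no-match default is an assumption."""
    for r in ordered(rules):
        if matches(r, src, dst, sport, dport):
            return r.action
    return default

def covers(a: Rule, b: Rule) -> bool:
    """True when every packet b would match is already matched by a."""
    return (Net(b.src).subnet_of(Net(a.src)) and Net(b.dst).subnet_of(Net(a.dst))
            and a.sport[0] <= b.sport[0] <= b.sport[1] <= a.sport[1]
            and a.dport[0] <= b.dport[0] <= b.dport[1] <= a.dport[1])

def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    seq = ordered(rules)
    return [b.name for i, b in enumerate(seq) if any(covers(a, b) for a in seq[:i])]

# Constructed sample list: the guest-range deny sits after a broader permit, so it is dead.
RULES = [
    Rule("allow_web", "10.0.0.0/8", "192.168.1.10/32", dport=(80, 80), action="qp2", precedence=10),
    Rule("deny_ssh", "0.0.0.0/0", "192.168.1.0/24", dport=(22, 22), action="deny", precedence=20),
    Rule("deny_guest_web", "10.9.0.0/16", "192.168.1.10/32", dport=(80, 80), action="deny", precedence=30),
]
```

Running shadowed(RULES) on the sample list flags deny_guest_web, which a reviewer would fix by giving it a lower precedence number than allow_web.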
Routing Access Policies
Routing access policies are used to control the advertisement or recognition of routing
protocols, such as RIP, OSPF, or BGP. Routing access policies can be used to ‘hide’ entire
networks, or to trust only specific sources for routes or ranges of routes. The capabilities
of routing access policies are specific to the type of routing protocol involved, but are
sometimes more efficient and easier to implement than access lists.
The following sections describe IP access lists first, and then describe the details of
routing access policies.
Route Maps
Route maps are used to modify or filter routes redistributed into BGP. They are also
used to modify or filter the routing information exchanged with BGP neighbors.
Using IP Access Lists
Each entry that makes up an IP access list contains a unique name. It can also contain
an optional, unique precedence number. The rules of an IP access list consist of a
combination of the following six components:
• IP source address and mask
• IP destination address and mask
• TCP or UDP source port range
• TCP or UDP destination port range