User guide

ManualsBrandsExtreme Networks ManualsComputer equipmentExtremeWare Enterprise Manager

291

292

293

294

295

296

297

298

299

300

XTREME

ARE

OFTWARE

SER

UIDE

16-3

SING

IP A

CCESS

ISTS

• Physical source port

• Precedence number (optional)

IP A

CCESS

ISTS

ORK

When a packet arrives on an ingress port, the packet is compared with the access list

rules to determine a match. When a match is found, the packet is processed. If the

access list is of type deny, the packet is dropped. If the list is of type permit, the packet

is forwarded. A permit access list can also apply a QoS profile to the packet.

RECEDENCE

UMBERS

The precedence number is optional, and determines the order in which each rule is

examined by the switch. Access list entries that contain a precedence number are

evaluated from highest to lowest. Precedence numbers range from 1 to 25,600, with the

number 1 having the highest precedence.

You can specify overlapping rules; however, if you are using precedence numbers,

overlapping rules without precedence numbers are ignored. Therefore, the precedence

numbers must be specified among all overlapping rules. If a new rule without a

precedence number is entered, and this rule overlaps with already existing rules, the

switch rejects the new rule and resolves the precedences among all remaining

overlapping rules.

PECIFYING

EFAULT

ULE

To begin constructing an access list, you should specify a default rule. A default rule is a

rule that contains wildcards for destination and source IP address, with no Layer 4

information. A default rule determines if the behavior of the access list is an “implicit

deny” or “implicit accept”. If no access list entry is satisfied, the default rule is used to

determine whether the packet is forwarded or dropped. If no default rule is specified,

the default implicit behavior is to forward the packet.

The following example shows a default entry that is used to specify an explicit deny:

create access-list denyall ip dest 0.0.0.0/0 source 0.0.0.0/0 deny

ports any

Once the default behavior of the access list is established, you may create additional

entries using precedence numbers.