XGS-5240-Series User Manual

Configuration Guide of XGS-5240-Series
Chapter 45 ACL Configuration
45.1 Introduction to ACL
ACL (Access Control List) is an IP packet filtering mechanism employed in switches, providing network traffic control by granting or denying access to the switches and thereby safeguarding the security of networks. The user can lay down a set of rules according to information specific to packets; each rule describes the action, "permit" or "deny", taken for a packet whose information matches the rule. The user can apply such rules to the incoming direction of switch ports, so that data streams in the incoming direction of the specified ports must comply with the ACL rules assigned.
45.1.1 Access-list
An access-list is a sequential collection of conditions, each of which corresponds to a specific rule. Each rule consists of filter information and the action to take when the rule is matched. The information included in a rule is an effective combination of conditions such as source IP, destination IP, IP protocol number, TCP port and UDP port. Access-lists can be categorized by the following criteria:
Filter information based criterion: IP access-list (layer 3 or higher information), MAC access-list (layer 2 information), and MAC-IP access-list (layer 2 or layer 3 or higher).
Configuration complexity based criterion: standard and extended; the extended mode allows more specific filtering of information.
Nomenclature based criterion: numbered and named.
A description of an ACL should cover the above three aspects.
45.1.2 Access-group
When a set of access-lists has been created, they can be applied to traffic in the incoming direction on all ports. An access-group is the description of the binding of an access-list to the incoming direction of a specific port. When an access-group is created, all packets arriving in the incoming direction through that port are compared to the access-list rules to decide whether to permit or deny access.
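The matching model described in 45.1.1 and 45.1.2, as an added example in Python that is not from the manual or the XGS-5240 firmware: an ordered access-list of permit/deny rules is evaluated against a packet arriving in a port's incoming direction, and the first matching rule decides. The packet and rule fields, the addresses and the default action for packets matching no rule are assumptions; the shadowed-rule check goes beyond the text as a review aid for rule ordering.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None   # only meaningful for tcp/udp

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"           # CIDR prefix; the default matches any source
    dst: str = "0.0.0.0/0"
    protocol: Optional[str] = None   # None matches every protocol
    dst_port: Optional[int] = None   # None matches every destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst)
                and self.protocol in (None, pkt.protocol)
                and self.dst_port in (None, pkt.dst_port))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.protocol in (None, other.protocol)
                and self.dst_port in (None, other.dst_port))

def evaluate(acl: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Walk the access-list in order; the first matching rule decides. The action
    for packets matching no rule is an assumption (the manual does not state it)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return default

def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules an earlier rule already covers, so they can never fire."""
    return [j for j, r in enumerate(acl) if any(acl[i].covers(r) for i in range(j))]

# Constructed sample access-list (assumed addresses) for one port's incoming direction.
MGMT_ACL = [
    Rule("permit", src="10.1.0.0/24", dst="10.0.0.0/24", protocol="tcp", dst_port=22),
    Rule("deny", dst="10.0.0.0/24", protocol="tcp", dst_port=22),
    Rule("permit", protocol="icmp"),
]
```

Because evaluation stops at the first match, a broad permit placed ahead of a narrower deny silently disables the deny; `shadowed_rules` flags that ordering mistake before the access-group is bound to a port.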