XGS-5240-Series User Manual

Configuration Guide of XGS-5240-Series
Chapter 46 Self-defined ACL Configuration
46.1 Introduction to Self-defined ACL
An ACL (Access Control List) is a packet filtering mechanism implemented by the switch. It provides network access control by permitting or denying traffic through the switch, which helps safeguard the security of the network. The user defines a set of rules based on information carried in packets; each rule specifies the action, "permit" or "deny", taken on a packet whose fields match the rule. Such rules can be applied in the incoming direction of switch ports, so that traffic entering those ports must comply with the assigned ACL rules.
A self-defined ACL is one in which the user configures several self-defined windows as the matching fields. A self-defined window does not name a specific protocol field; instead it specifies an offset into the packet and ignores the meaning of the data found there. Starting at that offset, it matches a fixed-length block of bytes against the configured value and mask.
46.1.1 Standard Self-defined ACL Template
A standard self-defined ACL can use up to 8 windows. For each window an offset from 0 to 31 is specified, in units of 2 bytes: 0 means an offset of 0 bytes and 1 means an offset of 2 bytes. The offset is counted from the configured start offset position.
A standard self-defined ACL template, which holds the offset configuration of every window, must be configured before any standard self-defined ACL list. The template is global and applies to all standard self-defined ACL lists. It can configure offsets for at most 8 windows. A window that has not been configured in the template is unavailable: a standard self-defined ACL rule that references such a window cannot be configured successfully. Once a window in the template is referenced by a standard self-defined ACL rule, its offset cannot be modified; if no standard self-defined ACL rule references the window, it can be reconfigured, modified or deleted. When self-defined ACLs are used together with other functions that also consume windows (such as AM, ARP-GUARD and anti-arpscan), use as few windows as possible so that the total stays within 8.
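The following Python model is an added illustration of the offset/value/mask matching described in 46.1 and of the template constraints in 46.1.1 (a rule cannot reference an unconfigured window; a window referenced by a rule cannot be modified). It is not the switch's firmware or CLI, and the class and function names are invented for the example. Beyond what the manual states, it assumes that each window compares one 2-byte field, that values and masks are 16-bit, that rules are evaluated in order with the first match winning, that a frame matching no rule is permitted, and that the start offset position is byte 0 of the Ethernet frame. The demo frame is constructed, not captured traffic.

```python
"""Model of standard self-defined ACL matching (illustrative, not switch code)."""
import struct
from dataclasses import dataclass

MAX_WINDOWS = 8       # per the manual
MAX_OFFSET = 31       # per the manual, in 2-byte units
WINDOW_BYTES = 2      # assumed width of one window


class Template:
    """Global template: window id -> byte offset, shared by all rules."""

    def __init__(self):
        self.windows = {}       # window id -> offset in bytes
        self.in_use = set()     # windows currently referenced by a rule

    def set_window(self, win, offset_units):
        if not 0 <= win < MAX_WINDOWS:
            raise ValueError(f"window id must be 0..{MAX_WINDOWS - 1}")
        if not 0 <= offset_units <= MAX_OFFSET:
            raise ValueError(f"offset must be 0..{MAX_OFFSET} (2-byte units)")
        if win in self.in_use:
            # manual: a window referenced by a rule cannot be modified
            raise RuntimeError(f"window {win} is referenced by a rule")
        self.windows[win] = offset_units * 2

    def delete_window(self, win):
        if win in self.in_use:
            raise RuntimeError(f"window {win} is referenced by a rule")
        self.windows.pop(win, None)


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    matches: dict               # window id -> (value, mask), 16-bit each


class StandardSelfDefinedAcl:
    def __init__(self, template):
        self.template = template
        self.rules = []

    def add_rule(self, rule):
        # manual: a rule cannot use a window the template has not configured
        for win in rule.matches:
            if win not in self.template.windows:
                raise ValueError(f"window {win} is not configured in the template")
        self.rules.append(rule)
        self.template.in_use.update(rule.matches)

    def _window_matches(self, frame, win, value, mask):
        off = self.template.windows[win]
        if off + WINDOW_BYTES > len(frame):
            return False            # window falls past the end of the frame
        (data,) = struct.unpack_from("!H", frame, off)
        return (data & mask) == (value & mask)

    def evaluate(self, frame):
        for rule in self.rules:
            if all(self._window_matches(frame, w, v, m)
                   for w, (v, m) in rule.matches.items()):
                return rule.action
        return "permit"             # assumed default when no rule matches


def build_frame(ip_proto, dst_port):
    """Constructed Ethernet/IPv4/L4 frame for the demo (not captured traffic)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, ip_proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    l4 = struct.pack("!HH", 40000, dst_port) + bytes(16)
    return eth + ip + l4


def demo():
    """Deny inbound Telnet (TCP/23) using three windows; returns the verdicts."""
    tpl = Template()
    tpl.set_window(0, 6)    # bytes 12-13: EtherType
    tpl.set_window(1, 11)   # bytes 22-23: IPv4 TTL + protocol
    tpl.set_window(2, 18)   # bytes 36-37: L4 destination port
    acl = StandardSelfDefinedAcl(tpl)
    acl.add_rule(Rule("deny", {
        0: (0x0800, 0xFFFF),   # IPv4
        1: (0x0006, 0x00FF),   # protocol == TCP, TTL byte masked out
        2: (23, 0xFFFF),       # destination port 23
    }))
    return {
        "tcp_23": acl.evaluate(build_frame(6, 23)),
        "tcp_22": acl.evaluate(build_frame(6, 22)),
        "udp_23": acl.evaluate(build_frame(17, 23)),
        "short": acl.evaluate(b"\x00" * 20),
    }


if __name__ == "__main__":
    print(demo())
```

The Telnet rule spends three of the eight windows, which is why the manual's advice to keep the window budget small matters when AM, ARP-GUARD or anti-arpscan also need windows: a window the template does not configure is simply unavailable to any rule.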