Specifications
set security acl
Chapter 14 Security ACL Commands
Defaults
By default, permitted packets are classified based on their DSCP value, which is converted into an internal CoS value in the UNIVERGE WL Controller's CoS map. The packet is then marked with a DSCP value based on the internal CoS value. If the ACE contains the cos option, this option overrides the UNIVERGE WL Controller's CoS map and marks the packet based on the ACE.
Access
Enabled.
Usage
The UNIVERGE WL Controller does not apply security ACLs until you
activate them with the commit security acl command and map them to a VLAN,
port, or virtual port, or to a user. If the UNIVERGE WL Controller is reset or
restarted, any ACLs in the edit buffer are lost.
You cannot perform ACL functions that include permitting, denying, or marking
with a Class of Service (CoS) level on packets with a multicast or broadcast
destination address.
The order of security ACEs in a security ACL is important. Once an ACL is
active, its ACEs are checked according to their order in the ACL. If an ACE
criterion is met, its action takes place and any ACEs that follow are ignored.
ACEs are listed in the order in which you create them, unless you move them. To
position security ACEs within a security ACL, use before editbuffer-index and
modify editbuffer-index.
Examples
The following command adds an ACE to security ACL acl_123 that permits packets from IP address 192.168.1.11/24 and counts the hits:
PROMPT# set security acl ip acl_123 permit 192.168.1.11 0.0.0.255 hits
The following command adds an ACE to acl_123 that denies packets from IP address 192.168.2.11:
PROMPT# set security acl ip acl_123 deny 192.168.2.11 0.0.0.0
modify editbuffer-index
    Replaces an ACE in the security ACL with the new ACE. Specify the number of the existing ACE in the edit buffer. Index numbers start at 1. (To display the edit buffer, use show security acl editbuffer.)
hits
    Tracks the number of packets that are filtered based on a security ACL, for all mappings.
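The following Python model is an added example, not part of this manual and not the UNIVERGE WL Controller's own code. It illustrates the behaviour described in the Usage section and in the modify editbuffer-index and hits parameters: ACEs are evaluated in edit-buffer order, the first matching ACE decides and later ACEs are ignored, before/modify editbuffer-index reposition or replace ACEs using 1-based indexes, and the hits keyword counts matching packets. The two ACEs from the Examples section are loaded into a constructed edit buffer named acl_123. Two points are modelling assumptions rather than statements from this page: the wildcard mask is treated in the usual way (a 1 bit means "don't care", so 0.0.0.255 covers a /24), and a packet that matches no ACE is reported as denied.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Match addr against base under a wildcard mask (assumption: a 1 bit in
    the mask means 'don't care', so 192.168.1.11 0.0.0.255 covers 192.168.1.0/24)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & keep) == (b & keep)


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    source: str                     # source IP address from the ACE
    wildcard: str                   # wildcard mask from the ACE
    hits: bool = False              # the 'hits' keyword on the ACE
    count: int = 0                  # packets counted when hits is set


@dataclass
class AclEditBuffer:
    """Constructed model of one security ACL in the edit buffer."""
    name: str
    aces: List[Ace] = field(default_factory=list)

    def append(self, ace: Ace) -> None:
        # 'set security acl ip <name> ...' without a position keyword:
        # ACEs are listed in the order they are created
        self.aces.append(ace)

    def before(self, index: int, ace: Ace) -> None:
        # 'before editbuffer-index': insert ahead of the existing ACE (1-based)
        self._check(index)
        self.aces.insert(index - 1, ace)

    def modify(self, index: int, ace: Ace) -> None:
        # 'modify editbuffer-index': replace the existing ACE (1-based)
        self._check(index)
        self.aces[index - 1] = ace

    def _check(self, index: int) -> None:
        if not 1 <= index <= len(self.aces):
            raise IndexError(f"editbuffer-index {index} not in 1..{len(self.aces)}")

    def show(self) -> List[str]:
        # rough analogue of 'show security acl editbuffer' output
        return [f"{i}. {a.action} {a.source} {a.wildcard}{' hits' if a.hits else ''}"
                for i, a in enumerate(self.aces, start=1)]


def evaluate(acl: AclEditBuffer, src: str, dst: str) -> str:
    """First matching ACE decides; ACEs after it are ignored.
    Packets to a multicast or broadcast destination are not filtered at all
    (Usage section); a packet matching no ACE is denied (assumption)."""
    d = ipaddress.IPv4Address(dst)
    if d.is_multicast or d == ipaddress.IPv4Address("255.255.255.255"):
        return "unfiltered"
    for ace in acl.aces:
        if wildcard_match(src, ace.source, ace.wildcard):
            if ace.hits:
                ace.count += 1
            return ace.action
    return "deny"


def build_acl_123() -> AclEditBuffer:
    """The two ACEs from the Examples section, loaded in creation order."""
    acl = AclEditBuffer("acl_123")
    # set security acl ip acl_123 permit 192.168.1.11 0.0.0.255 hits
    acl.append(Ace("permit", "192.168.1.11", "0.0.0.255", hits=True))
    # set security acl ip acl_123 deny 192.168.2.11 0.0.0.0
    acl.append(Ace("deny", "192.168.2.11", "0.0.0.0"))
    return acl


if __name__ == "__main__":
    acl = build_acl_123()
    for src in ("192.168.1.50", "192.168.2.11", "192.168.2.12"):
        print(src, "->", evaluate(acl, src, "10.0.0.1"))
    # ordering matters: a deny placed before the permit now wins for one host
    acl.before(1, Ace("deny", "192.168.1.11", "0.0.0.0"))
    print("\n".join(acl.show()))
    print("192.168.1.11 ->", evaluate(acl, "192.168.1.11", "10.0.0.1"))
    print("hits on permit ACE:", acl.aces[1].count)
```

Note that inserting the host-specific deny before the /24 permit changes the result for 192.168.1.11 only; every other host in the /24 still reaches the permit ACE, and the hits counter keeps counting those packets.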