1-1
1 ACL Configuration
When configuring ACL, go to these sections for information you are interested in:
z ACL Overview
z ACL Configuration Task List
z Displaying and Maintaining ACL Configuration
z Examples for Upper-layer Software Referencing ACLs
z Examples for Applying ACLs to Hardware
ACL Overview
As the network scale and network traffic are increasingly growing, security control and bandwidth
assignment play a more and more important role in network management. Filtering data packets can
prevent a network from being accessed by unauthorized users efficiently while controlling network
traffic and saving network resources. Access Control Lists (ACLs) are often used to filter packets with
configured matching rules.
Upon receiving a packet, the switch compares the packet with the rules of the ACL applied on the
current port to permit or discard the packet.
The rules of an ACL can be referenced by other functions that need traffic classification, such as QoS.
ACLs classify packets using a series of conditions known as rules. The conditions can be based on
source addresses, destination addresses and port numbers carried in the packets.
According to their application purposes, ACLs fall into the following four types.
z Basic ACL. Rules are created based on source IP addresses only.
z Advanced ACL. Rules are created based on the Layer 3 and Layer 4 information such as the
source and destination IP addresses, type of the protocols carried by IP, protocol-specific features,
and so on.
z Layer 2 ACL. Rules are created based on the Layer 2 information such as source and destination
MAC addresses, VLAN priorities, type of Layer 2 protocol, and so on.
z User-defined ACL. An ACL of this type matches packets by comparing the strings retrieved from
the packets with specified strings. It defines the byte it begins to perform “and” operation with the
mask on the basis of packet headers.
ACL Matching Order
An ACL can contain multiple rules, each of which matches specific type of packets. So the order in
which the rules of an ACL are matched needs to be determined.
The rules in an ACL can be matched in one of the following two ways:
z config: where rules in an ACL are matched in the order defined by the user.
z auto: where rules in an ACL are matched in the order determined by the system, namely the
“depth-first” rule (Layer 2 ACLs and user-defined ACLs do not support this feature).
For depth-first rule, there are two cases: