Enhancements
Release M.10.02 Enhancements
■Is it important to keep track of the number of matches for a particular client or ACE? If so, you can use the optional cnt (counter) feature in ACEs where you want to know this information. This is especially useful if you want to verify that the switch is denying unwanted client packets. (Note that configuring a high number of counters can exhaust the counter resources. Refer to Table 5 on page 57.)
Caution
ACLs can enhance network security by blocking selected IP traffic, and can serve as one aspect of maintaining network security. However, because ACLs do not provide user or device authentication, or protection from malicious manipulation of data carried in IP packet transmissions, they should not be relied upon for a complete security solution.
Planning the ACLs Needed To Enforce Traffic Policies
This section can help in understanding how to order the ACEs in a
Guidelines for Structuring a
■The sequence of ACEs is significant. When the switch uses an ACL to determine whether to permit or deny a packet on a particular port, it compares the packet to the criteria specified in the individual Access Control Entries (ACEs) in the ACL, beginning with the first ACE in the list and proceeding sequentially until a match is found. When a match is found, the switch applies the indicated action (permit or deny) to the packet. This is significant because, when a match is found for a packet, subsequent ACEs in the same ACL will not be used for that packet, regardless of whether they match the packet.
■Inbound Traffic Only:
■Result of an ACE/Packet Match: The first match of a given packet to an ACE dictates the action for that packet. Any subsequent match possibilities are ignored.
■Explicitly Permitting Any IP Traffic from the Authenticated Client: Entering a permit in ip from any to any (permit any any) ACE in a
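The first-match rule, the cnt counters and the effect of placing a permit any any ACE early in the list can be checked with a small evaluator. The following is an added example, not code from the switch documentation; it assumes a simplified ACE grammar of the form shown on this page and an implicit deny for packets that match no ACE.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ACE:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" (any protocol), "tcp" or "udp"
    dst: ipaddress.IPv4Network    # "any" is stored as 0.0.0.0/0
    dport: Optional[int] = None   # destination port, if the ACE names one
    cnt: bool = False             # optional cnt keyword: keep a match counter
    hits: int = 0                 # the counter (only incremented when cnt is set)

def parse_ace(text: str) -> ACE:
    # Subset of the syntax shown on the page (assumed grammar):
    #   <permit|deny> in <ip|tcp|udp> from any to <any|addr/prefix> [port] [cnt]
    t = text.split()
    if len(t) < 7 or t[1] != "in" or t[3:6] != ["from", "any", "to"]:
        raise ValueError("unsupported ACE: " + text)
    dst = ipaddress.ip_network("0.0.0.0/0" if t[6] == "any" else t[6])
    tail = t[7:]
    port = next((int(x) for x in tail if x.isdigit()), None)
    return ACE(t[0], t[2], dst, port, cnt="cnt" in tail)

def matches(ace: ACE, pkt: dict) -> bool:
    if ace.proto != "ip" and ace.proto != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.get("dport")

def evaluate(acl: List[ACE], pkt: dict) -> Tuple[str, Optional[int]]:
    # First match wins; later ACEs are never consulted for this packet.
    # Returns (action, index of the matching ACE). A packet matching no ACE
    # falls to an implicit deny (assumed here, hence index None).
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            if ace.cnt:
                ace.hits += 1
            return ace.action, i
    return "deny", None

# Constructed sample ACLs (not from the page): same two ACEs, different order.
DENY_TELNET = "deny in tcp from any to 10.10.10.5/32 23 cnt"  # block and count Telnet
PERMIT_ALL = "permit in ip from any to any"                    # the page's "permit any any"
GOOD = [parse_ace(l) for l in (DENY_TELNET, PERMIT_ALL)]  # specific deny first
BAD = [parse_ace(l) for l in (PERMIT_ALL, DENY_TELNET)]   # permit any any shadows the deny
TELNET = {"proto": "tcp", "dst": "10.10.10.5", "dport": 23}  # constructed packet
```

Evaluating TELNET against GOOD returns deny and increments the counter on the first ACE; against BAD it returns permit from the first ACE and the deny's counter stays at zero, which is exactly the condition a cnt counter reading of 0 would reveal on the switch.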