Motorola WS5100: ACL Overview

6.5.1 ACL Overview

Switch Security 6-17
An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions that a packet must satisfy in order to match the ACE. The order of conditions in the list is critical because the switch stops testing conditions after the first match.

The switch supports the following ACLs to filter traffic:

Router ACLs — Applied to VLAN (Layer 3) interfaces. These ACLs filter traffic based on Layer 3 parameters like source IP, destination IP, protocol types and port numbers. They are applied on packets routed through the switch. Router ACLs can be applied to inbound traffic only, not both directions.

Port ACLs — Applied to traffic entering a Layer 2 interface. Only switched packets are subject to this kind of ACL. Traffic filtering is based on Layer 2 parameters (source MAC, destination MAC, Ethertype, VLAN ID, 802.1p bits) or Layer 3 parameters (source IP, destination IP, protocol, port number).

NOTE: Port and router ACLs can be applied only in an inbound direction. WLAN ACLs support applying ACLs in the inbound and outbound direction.

Wireless LAN ACLs — A Wireless LAN ACL filters or marks packets based on the wireless LAN from which they arrived, rather than on the Layer 2 port on which they arrived.

For more information, see:

• Router ACLs
• Port ACLs
• Wireless LAN ACLs
• ACL Actions
• Precedence Order

6.5.1.1 Router ACLs

Router ACLs are applied to Layer 3 or VLAN interfaces. If an ACL is already applied in a particular direction on an interface, applying a new one will replace the existing ACL. Router ACLs are applicable only if the switch acts as a gateway, and traffic is inbound only.

The switch supports two types of Router ACLs:

Standard IP ACL—Uses the source IP address as matching criteria.

Extended IP ACL—Uses the source IP address, destination IP address and IP protocol type as basic matching criteria. It can also include other parameters specific to a protocol type (like source and destination port for TCP/UDP protocols).

Router ACLs are stateful and are not applied on every packet that gets routed through the switch. Whenever a packet is received from a Layer 3 interface, it is examined against all the existing sessions to determine if it belongs to an established session. ACLs are applied on the packet in the following manner.

1. If the packet matches an existing session, it is not matched against ACL rules and the session decides where to send the packet.

2. If no existing session matches the packet, it is matched against ACL rules to decide whether to accept or reject it. If the ACL rules accept the packet, a new session is created and all further packets belonging to that session are allowed. If the ACL rules reject the packet, no session is established.
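The two behaviours this section describes, first-match evaluation of an ordered ACE list (from the ACL overview) and the session lookup that precedes ACL evaluation on a router ACL, are easy to get wrong when writing rules, so here is an added Python model of them. It is not Motorola code and does not reproduce the WS5100's real implementation; the `Packet`, `ACE` and `RouterACL` names, the flow key used for the session table, the constructed sample rules and addresses, and the implicit deny when no ACE matches are all assumptions of this model rather than facts stated on the page. An ACE that specifies only a source network plays the role of a standard IP ACL entry; one that also sets destination, protocol and port plays the role of an extended entry.

```python
# Added illustration, not Motorola code: an ordered, first-match ACL with a
# session table in front of it, modelling the two-step router ACL behaviour.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp" ...
    dport: Optional[int] = None


@dataclass
class ACE:
    """One Access Control Entry: an action plus the conditions a packet must satisfy."""
    action: str                # "permit" or "deny"
    src: str = "0.0.0.0/0"     # standard-style entry: source network only
    dst: str = "0.0.0.0/0"     # extended-style entries also set dst/proto/dport
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


class RouterACL:
    def __init__(self, entries: List[ACE]):
        self.entries = list(entries)
        self.sessions = set()      # established flows (assumed key: src, dst, proto, dport)
        self.log = []              # what decided each packet: ACE index or session hit

    @staticmethod
    def flow_key(p: Packet) -> Tuple[str, str, str, Optional[int]]:
        return (p.src, p.dst, p.proto, p.dport)

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """First-match walk of the ordered ACE list; evaluation stops at the first hit."""
        for i, ace in enumerate(self.entries):
            if ace.matches(p):
                return ace.action, i
        return "deny", None        # assumption of this model: implicit deny at the end

    def process(self, p: Packet) -> str:
        """Step 1: session lookup. Step 2: only flows without a session see the ACEs."""
        key = self.flow_key(p)
        if key in self.sessions:
            self.log.append(("session", key))
            return "permit"        # the session, not the ACL, decides
        action, idx = self.evaluate(p)
        if action == "permit":
            self.sessions.add(key)  # accepted: session created for the rest of the flow
        self.log.append((action, idx))  # rejected: no session is established
        return action


def demo() -> dict:
    """Constructed rules and addresses; shows why ACE order matters and how sessions bypass the ACL."""
    ordered = RouterACL([
        ACE("deny", src="10.0.0.5/32"),                               # block one host first
        ACE("permit", src="10.0.0.0/24", proto="tcp", dport=80),      # then allow the subnet to port 80
    ])
    swapped = RouterACL(list(reversed(ordered.entries)))              # same ACEs, other order
    blocked_host = Packet("10.0.0.5", "192.0.2.10", "tcp", 80)
    web_client = Packet("10.0.0.7", "192.0.2.10", "tcp", 80)
    return {
        "ordered_blocked": ordered.process(blocked_host),   # first match is the deny
        "swapped_blocked": swapped.process(blocked_host),   # permit now matches first
        "first_packet": ordered.process(web_client),        # evaluated against ACEs, session created
        "second_packet": ordered.process(web_client),       # answered by the session table
        "sessions": len(ordered.sessions),                  # only the accepted flow has a session
        "log": ordered.log,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The `swapped_blocked` result is the point of the ordering warning: the same two ACEs permit the blocked host when the broad permit comes first, because evaluation stops at the first match. The `log` entries show that the denied packet never created a session, while the second packet of the permitted flow was decided by the session table and never touched the ACE list.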
