Switch Security 6-19

6.5.1.3 Wireless LAN ACLs

Wireless LAN ACLs filter or mark packets based on the wireless LAN (WLAN) on which they arrive, rather than on the L2 port on which they arrive.

In general, a wireless LAN ACL can be used to filter wireless-to-wireless, wireless-to-wired and wired-to-wireless traffic. Typical wired-to-wired traffic can be filtered using an L2 port-based ACL rather than a WLAN ACL.

Each WLAN is treated as a virtual L2 port. Configure one IP ACL and one MAC ACL on the virtual WLAN port. In contrast to L2 ACLs, a WLAN ACL can be enforced in both the inbound and outbound directions.

6.5.1.4 ACL Actions

Every ACE within an ACL is made up of an action and matching criteria. The action defines what to do with the packet if it matches the specified matching criteria. The following types of actions are supported.

deny—Instructs the ACL not to allow a packet to go to its destination.

permit—Instructs the ACL to allow a packet to go to its destination.

mark—Modifies certain fields inside the packet and then permits it. Hence mark is an action with an implicit permit.

NOTE: Only a Port ACL supports the mark action. For Router ACLs, the mark action is treated as a permit action and the packet is allowed without performing any modifications.

6.5.1.5 Precedence Order

The rules within an ACL are applied to packets based on their precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence value.

Consider the following when adding rules:

Every ACE in an ACL is associated with a precedence value between 1 and 5000 that is unique within that ACL; you cannot enter two different ACEs in the same ACL with the same precedence value.

Specifying a precedence value with each ACL entry is not mandatory. If you do not specify one, the system automatically generates a precedence value starting with 10. Subsequent entries are added with precedence values of 20, 30 and so on; 10 is the default offset between any two rules in an ACL. If the user specifies a precedence value with an entry, that value overrides the automatically generated one. The user can also add an entry between two consecutive entries (for example, between 10 and 20).

If an entry with the maximum precedence value of 5000 exists, you cannot add a new entry with a higher precedence value. In such a case, the system displays an error saying Rule with max precedence value exists. Either delete that entry or add new entries with precedence values less than 5000. A user can add a maximum of 500 ACEs in an ACL.

Rules within an ACL are displayed in ascending order of precedence.

NOTE: ACEs with lower precedence values are always applied to packets first. Hence, it is advised to add the more specific entries to the ACL first and the general ones after them. When the ACL is displayed, the entries appear in ascending order of precedence.
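As an added illustration of the precedence and action rules in this section (not code from the manual or the WS5100 itself), the following Python model assigns auto-generated precedence values, enforces the 5000 and 500 limits, applies the lowest-precedence matching ACE first, and downgrades mark to permit for a router ACL. The match-criteria format and the rule for the next auto-generated value after a user-specified one are assumptions.

```python
from dataclasses import dataclass

MAX_PRECEDENCE = 5000   # highest precedence value the manual allows
MAX_ACES = 500          # per-ACL entry limit from the manual
DEFAULT_STEP = 10       # auto-generated values: 10, 20, 30, ...

@dataclass
class Ace:
    precedence: int
    action: str     # "permit", "deny" or "mark"
    match: dict     # constructed match criteria, e.g. {"src_vlan": 10}

class Acl:
    def __init__(self, kind="port"):
        self.kind = kind    # "port" honours mark; "router" treats mark as permit
        self.aces = {}      # precedence -> Ace

    def add(self, action, match, precedence=None):
        if len(self.aces) >= MAX_ACES:
            raise ValueError("ACL already holds the maximum of 500 ACEs")
        if precedence is None:
            # Assumption: the auto value is the next multiple of 10 above the
            # current highest entry (10 for an empty ACL), as "10, 20, 30 and
            # so on" implies.
            precedence = (max(self.aces, default=0) // DEFAULT_STEP + 1) * DEFAULT_STEP
            if precedence > MAX_PRECEDENCE:
                raise ValueError("Rule with max precedence value exists")
        if not 1 <= precedence <= MAX_PRECEDENCE:
            raise ValueError("precedence must be between 1 and 5000")
        if precedence in self.aces:
            raise ValueError(f"precedence {precedence} is already in use")
        self.aces[precedence] = Ace(precedence, action, dict(match))
        return precedence

    def entries(self):
        # The switch displays ACEs in ascending precedence order.
        return [self.aces[p] for p in sorted(self.aces)]

    def evaluate(self, packet):
        # Lower precedence is applied first; the first matching ACE decides.
        for ace in self.entries():
            if all(packet.get(k) == v for k, v in ace.match.items()):
                if ace.action == "mark" and self.kind == "router":
                    return "permit"   # router ACLs treat mark as a plain permit
                return ace.action
        return None  # the manual does not state what happens when no ACE matches
```

Adding a general deny at 10 and then a host-specific permit at 20 leaves that host denied; inserting the specific permit at precedence 5 instead makes it win, which is the point of the NOTE above.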

Motorola WS5100 manual Wireless LAN ACLs, ACL Actions, Precedence Order