3 wireless lan acls, 4 acl actions, 5 precedence order – Motorola Series Switch WS5100 User Manual

Page 243: Wireless lan acls, Acl actions, Precedence order


Switch Security

6-19

6.5.1.3 Wireless LAN ACLs

Wireless LAN ACLs filter or mark packets based on the wireless LAN on which they arrive, rather than
on the L2 port on which they arrive.

In general, a Wireless LAN ACL can be used to filter wireless-to-wireless, wireless-to-wired and wired-to-
wireless traffic. Typical wired-to-wired traffic can be filtered using an L2 port-based ACL rather than a WLAN
ACL.

Each WLAN is assumed to be a virtual L2 port. Configure one IP and one MAC ACL on the virtual WLAN port.
In contrast to L2 ACLs, a WLAN ACL can be enforced on both the Inbound and Outbound direction.

6.5.1.4 ACL Actions

Every ACE within an ACL is made up of an action and matching criteria. The action defines what to do with
the packet if it matches the specified matching criteria. The following types of actions are supported.

• deny—Instructs the ACL not to allow a packet to go to its destination.

• permit—Instructs the ACL to allow a packet to go to its destination.

• mark—Modifies certain fields inside the packet and then permits it. Hence mark is an action with an
implicit permit.

6.5.1.5 Precedence Order

The rules within an ACL are applied to packets based on their precedence values. Every rule has a unique
precedence value, which can be between 1 and 5000. You cannot add two rules with the same precedence
value.

Consider the following when adding rules:

• Every ACE in an ACL is associated with a precedence value that is unique to that entry. You cannot
enter two different entries in an ACL with the same precedence value. This value can be between
1 and 5000.

• Specifying a precedence value with each ACL entry is not mandatory. If you do not want to specify one,
the system automatically generates a precedence value starting with 10. Subsequent entries are added
with precedence values of 20, 30 and so on; 10 is the default offset between any two rules in an ACL.
However, if the user specifies a precedence value with an entry, that value overrides the default value.
The user can also add an entry in between two subsequent entries (for example, in between 10 and 20).

• If an entry with the maximum precedence value of 5000 exists, you cannot add a new entry with a higher
precedence value. In such a case, the system displays an error saying Rule with max precedence value
exists. Either delete that entry or add new entries with precedence values less than 5000. A user can add
a maximum of 500 ACEs in an ACL.

• Rules within an ACL are displayed in ascending order of precedence.

NOTE: Only a Port ACL supports the mark action. For Router ACLs, the mark action is
treated as a permit action and the packet is allowed without performing any
modifications.

NOTE: ACEs with lower precedence are always applied first to packets. Hence, it is
advised to add the more specific entries to the ACL first, then the general ones. When
displaying the ACL, the entries are listed in ascending order of precedence.
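The following is an added example that models the ACL action and precedence rules described above; it is not code from the WS5100 or its CLI. The class and method names (Acl, add_rule, evaluate, entries) and the packet representation are assumptions made here; only the numeric behaviour (auto-precedence starting at 10 in steps of 10, the 1 to 5000 range, the 500-entry cap, the error when an entry at 5000 already exists, lower precedence matched first, and mark treated as permit on a router ACL) comes from the manual text. What happens to a packet that matches no entry is not stated in this section, so the model returns None for that case rather than assuming a default.

```python
"""Model of WS5100-style ACL precedence and action handling (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Limits taken from the manual text above.
MIN_PRECEDENCE = 1
MAX_PRECEDENCE = 5000
DEFAULT_OFFSET = 10     # auto-generated precedence: 10, 20, 30, ...
MAX_ENTRIES = 500       # at most 500 ACEs per ACL
ACTIONS = ("deny", "permit", "mark")

Packet = Dict[str, str]  # constructed, hypothetical packet representation


@dataclass
class Ace:
    precedence: int
    action: str
    match: Callable[[Packet], bool]


class Acl:
    """One ACL holding ACEs keyed by their unique precedence value (hypothetical API)."""

    def __init__(self, name: str, kind: str = "port"):
        self.name = name
        self.kind = kind            # "port" supports mark; "router" treats mark as permit
        self._entries: Dict[int, Ace] = {}

    def add_rule(self, action: str, match: Callable[[Packet], bool],
                 precedence: Optional[int] = None) -> int:
        """Add an ACE; returns the precedence it was stored under."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if len(self._entries) >= MAX_ENTRIES:
            raise ValueError(f"ACL {self.name} already holds {MAX_ENTRIES} ACEs")
        if precedence is None:
            # Auto-generate: 10 for the first entry, then highest existing + 10.
            if not self._entries:
                precedence = DEFAULT_OFFSET
            else:
                highest = max(self._entries)
                if highest >= MAX_PRECEDENCE:
                    raise ValueError("Rule with max precedence value exists")
                precedence = highest + DEFAULT_OFFSET
        if not MIN_PRECEDENCE <= precedence <= MAX_PRECEDENCE:
            raise ValueError(f"precedence {precedence} outside {MIN_PRECEDENCE}-{MAX_PRECEDENCE}")
        if precedence in self._entries:
            raise ValueError(f"precedence {precedence} already in use")
        self._entries[precedence] = Ace(precedence, action, match)
        return precedence

    def entries(self) -> List[Ace]:
        """ACEs in ascending precedence order, as the switch displays them."""
        return [self._entries[p] for p in sorted(self._entries)]

    def evaluate(self, packet: Packet) -> Optional[Tuple[str, int]]:
        """First-match evaluation: lowest precedence is checked first.

        Returns (effective_action, precedence) or None when no ACE matches
        (the section above does not state the no-match behaviour).
        """
        for ace in self.entries():
            if ace.match(packet):
                action = ace.action
                if action == "mark" and self.kind != "port":
                    action = "permit"   # router ACLs: mark is treated as permit
                return action, ace.precedence
        return None


def build_example_acl(kind: str = "port") -> Acl:
    """Constructed sample ACL: a specific deny, a general permit, then a mark inserted between."""
    acl = Acl("wlan-guest", kind=kind)
    acl.add_rule("deny", lambda p: p["dst"] == "10.0.0.5")          # auto -> 10 (specific first)
    acl.add_rule("permit", lambda p: True)                          # auto -> 20 (general last)
    acl.add_rule("mark", lambda p: p["dst"].startswith("10."), 15)  # explicit, between 10 and 20
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    for ace in acl.entries():
        print(ace.precedence, ace.action)
    print(acl.evaluate({"dst": "10.0.0.5"}), acl.evaluate({"dst": "10.0.0.6"}))
```

Running the block prints the entries in ascending precedence (10 deny, 15 mark, 20 permit) and shows that the specific deny at 10 wins over the general rules for 10.0.0.5, while 10.0.0.6 hits the mark entry at 15. Building the same ACL with kind="router" makes that mark match evaluate as permit.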
