Wireless lan acls – Brocade Mobility RFS7000-GR Controller System Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual


Brocade Mobility RFS7000-GR Controller System Reference Guide, 53-1001944-01

Chapter 6: Configuring firewalls and access control lists

Extended IP ACL— Uses a source IP address, destination IP address and IP protocol type as
basic matching criteria. It can also include other parameters specific to a protocol type, like the
source and destination ports for TCP/UDP protocols.

MAC Extended ACL— Uses source and destination MAC addresses and VLAN ID as matching criteria.
It can optionally also match on the Ethertype.

Port ACLs are also stateful: the ACL rules are not evaluated for every packet switched through the
switch. Whenever a packet is received inbound, it is first examined against the existing sessions to
determine whether it belongs to an established session. ACLs are applied to the packet in the
following manner:

1. If the packet matches an existing session, it is not matched against the ACL rules; the session
   decides where to send the packet.

2. If no existing session matches the packet, it is matched against the ACL rules to determine whether
   to accept or reject it. If the ACL rules accept the packet, a new session is created and all further
   packets belonging to that session are allowed. If the ACL rules reject the packet, no session is
   established.

A session is based on:

Source IP address

Destination IP address

Source Port

Destination Port

ICMP identifier

Incoming interface index

IP Protocol

Source MAC

Destination MAC

Ethertype

VLAN-ID

802.1p bits

When a Port ACL is applied to a trunk port, the ACL filters traffic on all VLANs present on the trunk
port. With Port ACLs, you can filter:

IP traffic by using an IP ACL

Non-IP traffic by using a MAC ACL (matching on MAC addresses)

Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL
and a MAC ACL to the interface.

You cannot apply more than one IP ACL and one MAC ACL to a Layer 2 interface. If an IP ACL or MAC
ACL is already configured on a Layer 2 interface and a new IP ACL or MAC ACL is applied to the
interface, the new ACL replaces the previously configured one.
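The following Python model is an added example and is not code from the guide or from the controller firmware. It walks through the two-step stateful evaluation described above (session lookup first, ACL rules only for packets that belong to no session, a session created only on accept) using the session key fields listed on this page, dispatches IPv4 frames to the interface's IP ACL and non-IP frames to its MAC ACL, and shows that binding a new ACL replaces the one already on the Layer 2 interface. Everything not stated on the page is an assumption of the model: first-matching-entry-wins and an implicit deny at the end of an ACL, "no ACL bound means no filtering", the traffic and addresses (constructed), and the "permit (session)" verdict string used to mark a session hit. The reply direction of a session and session ageing are not described on this page and are not modelled.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Session key fields as listed in the guide. ICMP identifier stands in for the
# port pair on ICMP; interface index and the Layer 2 fields mean the same IP
# 5-tuple seen on another VLAN or port is a different session.
SESSION_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "icmp_id",
                  "in_ifindex", "ip_proto", "src_mac", "dst_mac",
                  "ethertype", "vlan_id", "dot1p")


@dataclass(frozen=True)
class Packet:
    in_ifindex: int
    vlan_id: int
    src_mac: str
    dst_mac: str
    ethertype: int = ETHERTYPE_IPV4
    src_ip: str = ""
    dst_ip: str = ""
    ip_proto: str = ""        # "tcp", "udp" or "icmp" for IP frames
    src_port: int = 0
    dst_port: int = 0
    icmp_id: int = 0
    dot1p: int = 0


@dataclass
class IpRule:                 # one extended IP ACL entry; "any" is a wildcard
    action: str               # "permit" or "deny"
    proto: str = "any"
    src_ip: str = "any"
    dst_ip: str = "any"
    dst_port: object = "any"


@dataclass
class MacRule:                # one MAC extended ACL entry
    action: str
    src_mac: str = "any"
    dst_mac: str = "any"
    vlan_id: object = "any"
    ethertype: object = "any"


def _m(rule_val, pkt_val) -> bool:
    return rule_val == "any" or rule_val == pkt_val


def ip_rule_matches(r: IpRule, p: Packet) -> bool:
    return (_m(r.proto, p.ip_proto) and _m(r.src_ip, p.src_ip)
            and _m(r.dst_ip, p.dst_ip) and _m(r.dst_port, p.dst_port))


def mac_rule_matches(r: MacRule, p: Packet) -> bool:
    return (_m(r.src_mac, p.src_mac) and _m(r.dst_mac, p.dst_mac)
            and _m(r.vlan_id, p.vlan_id) and _m(r.ethertype, p.ethertype))


class Interface:
    """A Layer 2 port holding at most one IP ACL and one MAC ACL plus its session table."""

    def __init__(self) -> None:
        self.ip_acl: Optional[List[IpRule]] = None
        self.mac_acl: Optional[List[MacRule]] = None
        self.sessions: set = set()

    def apply_ip_acl(self, acl: List[IpRule]) -> None:
        self.ip_acl = acl        # a new IP ACL replaces the previously bound one

    def apply_mac_acl(self, acl: List[MacRule]) -> None:
        self.mac_acl = acl       # likewise for the MAC ACL

    def _rules_decide(self, p: Packet) -> str:
        # IP traffic is filtered by the IP ACL, non-IP traffic by the MAC ACL.
        if p.ethertype == ETHERTYPE_IPV4:
            acl, match = self.ip_acl, ip_rule_matches
        else:
            acl, match = self.mac_acl, mac_rule_matches
        if acl is None:
            return "permit"      # assumption: nothing bound, nothing filtered
        for rule in acl:         # assumption: first matching entry wins
            if match(rule, p):
                return rule.action
        return "deny"            # assumption: implicit deny at the end of the ACL

    def inbound(self, p: Packet) -> str:
        key = tuple(getattr(p, f) for f in SESSION_FIELDS)
        if key in self.sessions:
            return "permit (session)"    # step 1: session hit, ACL rules not consulted
        verdict = self._rules_decide(p)  # step 2: no session, evaluate the ACL
        if verdict == "permit":
            self.sessions.add(key)       # accepted: a session is created
        return verdict                   # rejected: no session is established


def demo() -> List[str]:
    """Constructed traffic walking through the steps above; returns the verdicts."""
    port = Interface()
    port.apply_ip_acl([IpRule("permit", proto="tcp", dst_ip="10.0.0.5", dst_port=443)])
    port.apply_mac_acl([MacRule("permit", ethertype=ETHERTYPE_ARP, vlan_id=10)])
    https = Packet(1, 10, "00:11:22:33:44:01", "00:11:22:33:44:02",
                   src_ip="10.0.0.9", dst_ip="10.0.0.5", ip_proto="tcp",
                   src_port=51000, dst_port=443)
    ssh = replace(https, src_port=51001, dst_port=22)
    arp10 = Packet(1, 10, "00:11:22:33:44:01", "ff:ff:ff:ff:ff:ff", ethertype=ETHERTYPE_ARP)
    arp20 = replace(arp10, vlan_id=20)
    out = [port.inbound(https), port.inbound(https)]   # rule permit, then session hit
    port.apply_ip_acl([IpRule("deny")])                 # new IP ACL replaces the old one
    out += [port.inbound(https), port.inbound(ssh)]     # session still passes; new flow denied
    out += [port.inbound(arp10), port.inbound(arp20)]   # non-IP frames go to the MAC ACL
    return out
```

The third verdict is the point a practitioner should take from the ordering described on this page: because the session table is consulted before the ACL rules, a packet that belongs to an established session is forwarded even after the IP ACL on the interface has been replaced by a deny-all entry. The page does not say whether the controller tears down or re-evaluates existing sessions when an ACL is changed, or when sessions age out, so verify that on the device before relying on an ACL change to cut off traffic that is already flowing.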

Wireless LAN ACLs

Wireless LAN ACLs filter/mark packets based on the wireless LAN from which they arrive rather
than filtering packets on Layer 2 ports.
