Acl actions, Precedence order – Brocade Mobility RFS7000-GR Controller System Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual


Brocade Mobility RFS7000-GR Controller System Reference Guide (53-1001944-01), page 325
Chapter 6: Configuring firewalls and access control lists

In general, a Wireless-LAN ACL can be used to filter wireless to wireless, wireless to wired and wired
to wireless traffic. Typical wired to wired traffic can be filtered using a Layer 2 port based ACL rather
than a WLAN ACL.

Each WLAN is assumed to be a virtual Layer 2 port. Configure one IP and one MAC ACL on the
virtual WLAN port. In contrast to Layer 2 ACLs, a WLAN ACL can be enforced on both the Inbound
and Outbound direction.

ACL actions

Every ACE within an ACL is made up of an action and matching criteria. The action defines what to
do with the packet if it matches the specified criteria. The following actions are supported:

• deny—Instructs the ACL not to allow a packet to proceed to its destination.

• permit—Instructs the ACL to allow a packet to proceed to its destination.

• mark—Modifies certain fields inside the packet and then permits it. Therefore, mark is an
  action with an implicit permit. The fields that can be marked are:

  - VLAN 802.1p priority.

  - TOS/DSCP bits in the IP header.

NOTE

A Permit All ACL is not supported when using NTP. If a Permit All ACL is used with NTP, the client will
not be able to synchronize with the NTP server.

NOTE

Only a Port ACL supports a mark action. With Router ACLs, a mark is treated as a permit and the
packet is allowed without modifications.

Precedence order

The rules within an ACL are applied to packets based on their precedence values. Every rule has a
unique precedence value between 1 and 5000. You cannot add two rules with the same
precedence value.

Consider the following when adding rules:

Every ACE in an ACL is associated with a precedence value that is unique within that ACL. You
cannot enter two different ACEs in an ACL with the same precedence value. This value can
be between 1 and 5000.

Specifying a precedence value with each ACL entry is not mandatory. If you do not want to
specify one, the system automatically generates a precedence value starting with 10.
Subsequent entries are added with precedence values of 20, 30 and so on. 10 is the default
offset between any two rules in an ACL. However, if the user specifies a precedence value with
an entry, that value overrides the default value. The user can also add an entry in between two
subsequent entries (for example, in between 10 and 20).

If an entry with the maximum precedence value of 5000 exists, you cannot add a new entry with a
higher precedence value. In such a case, the system displays an error stating “Rule with max
precedence value exists”. Either delete that entry or add new entries with precedence values
less than 5000. A user can add a maximum of 500 ACEs to an ACL.

Rules within an ACL are displayed in an ascending order of precedence.
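The following Python model is an added example, not Brocade code or output from the controller. It reproduces the precedence rules described in this section (unique values 1 to 5000, automatic numbering from 10 in steps of 10, inserting an entry between two existing ones, the “Rule with max precedence value exists” error, the 500-ACE limit, and ascending display order) together with the action semantics from the “ACL actions” section, where a mark action rewrites a packet field and then permits the packet. Two details are assumptions rather than statements of the manual: the next automatic precedence is taken as the highest existing value plus the default offset of 10, and a packet that matches no ACE is treated as denied. The `Acl`, `Ace` and `demo` names are hypothetical.

```python
"""Model of WLAN/port ACL precedence and actions (added example, not Brocade code)."""
from dataclasses import dataclass, field

MIN_PREC, MAX_PREC = 1, 5000   # documented precedence range
DEFAULT_OFFSET = 10            # documented default spacing between auto-numbered rules
MAX_ACES = 500                 # documented maximum number of ACEs per ACL
ACTIONS = ("deny", "permit", "mark")


class AclError(ValueError):
    """Raised for the error conditions the controller reports."""


@dataclass
class Ace:
    precedence: int
    action: str
    match: dict                               # e.g. {"proto": "udp", "dst_port": 123}
    mark: dict = field(default_factory=dict)  # fields rewritten by a mark action (dscp, dot1p)


@dataclass
class Acl:
    name: str
    aces: dict = field(default_factory=dict)  # precedence -> Ace

    def _next_auto_precedence(self):
        # Assumption: next automatic value is the highest existing precedence plus
        # the default offset, so an empty ACL starts at 10, then 20, 30, ...
        if not self.aces:
            return DEFAULT_OFFSET
        return max(self.aces) + DEFAULT_OFFSET

    def add(self, action, match, precedence=None, mark=None):
        """Add an ACE, enforcing the documented precedence rules."""
        if action not in ACTIONS:
            raise AclError(f"unknown action {action!r}")
        if mark and action != "mark":
            raise AclError("only a mark action may rewrite packet fields")
        if len(self.aces) >= MAX_ACES:
            raise AclError(f"ACL {self.name} already holds {MAX_ACES} ACEs")
        if precedence is None:
            # No value given: the system generates one, unless 5000 is already taken.
            if MAX_PREC in self.aces:
                raise AclError("Rule with max precedence value exists")
            precedence = self._next_auto_precedence()
        if not MIN_PREC <= precedence <= MAX_PREC:
            raise AclError(f"precedence must be between {MIN_PREC} and {MAX_PREC}")
        if precedence in self.aces:
            raise AclError(f"precedence {precedence} is already used in ACL {self.name}")
        ace = Ace(precedence, action, dict(match), dict(mark or {}))
        self.aces[precedence] = ace
        return ace

    def rules(self):
        """Rules as the controller displays them: ascending precedence order."""
        return [self.aces[p] for p in sorted(self.aces)]

    def evaluate(self, packet):
        """First-match evaluation in precedence order.

        Returns (action, packet). A mark ACE rewrites the configured fields and then
        permits, so the caller sees 'permit' plus the modified packet (implicit permit).
        """
        pkt = dict(packet)
        for ace in self.rules():
            if all(pkt.get(k) == v for k, v in ace.match.items()):
                if ace.action == "mark":
                    pkt.update(ace.mark)
                    return "permit", pkt
                return ace.action, pkt
        return "deny", pkt  # assumption: nothing matched, treat as denied


def demo():
    """Build a small constructed ACL showing auto-numbering and insertion between rules."""
    acl = Acl("wlan1-ip")
    acl.add("permit", {"proto": "udp", "dst_port": 123})                       # auto: 10
    acl.add("mark", {"proto": "udp", "dst_port": 5060}, mark={"dscp": 46})    # auto: 20
    acl.add("deny", {"proto": "tcp", "dst_port": 23}, precedence=15)          # inserted between
    return acl


if __name__ == "__main__":
    acl = demo()
    for ace in acl.rules():
        print(ace.precedence, ace.action, ace.match, ace.mark or "")
    print(acl.evaluate({"proto": "udp", "dst_port": 5060, "dscp": 0}))
```

Running the module lists the three rules as 10, 15, 20 and shows the SIP packet leaving with its DSCP rewritten to 46 and a permit verdict; adding a rule at 5000 and then another without a precedence reproduces the “Rule with max precedence value exists” error.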
