Default acl action, Types of ip acls, Acl ids and entries – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Security Guide, 53-1003250-01, Chapter 2, page 26

Default ACL action

The default action when no ACLs are configured on a device is to permit all traffic. However, once you
configure an ACL and apply it to a port, the default action for that port is to deny all traffic that is
not explicitly permitted on the port:

If you want to tightly control access, configure ACLs consisting of permit entries for the access
you want to permit. The ACLs implicitly deny all other access.

If you want to secure access in environments with many users, you might want to configure
ACLs that consist of explicit deny entries, then add an entry to permit all access to the end of
each ACL. The software permits packets that are not denied by the deny entries.

Types of IP ACLs

ACLs can be configured as standard or extended ACLs. A standard ACL permits or denies packets
based on source IP address. An extended ACL permits or denies packets based on source and
destination IP address and also based on IP protocol information.

Standard or extended ACLs can be numbered or named. Standard numbered ACLs have an ID of
1 – 99. Extended numbered ACLs are numbered 100 – 199. IDs for standard or extended ACLs can
also be a character string. In this document, an ACL with a string ID is called a named ACL.

ACL IDs and entries

ACLs consist of ACL IDs and ACL entries:

ACL ID – An ACL ID is a number from 1 – 99 (for a standard ACL) or 100 – 199 (for an extended
ACL) or a character string. The ACL ID identifies a collection of individual ACL entries. When you
apply ACL entries to an interface, you do so by applying the ACL ID that contains the ACL entries
to the interface, instead of applying the individual entries to the interface. This makes applying
large groups of access filters (ACL entries) to interfaces simple.

NOTE

This is different from IP access policies. If you use IP access policies, you apply the individual
policies to interfaces.

ACL entry – An ACL entry is one of the filter commands associated with an ACL ID. Entries are also
called “statements”. The maximum number of ACL entries you can configure is a system-wide
parameter and depends on the device you are configuring. You can configure up to the
maximum number of entries in any combination across different ACLs, but the total number of entries
in all ACLs cannot exceed the system maximum.

You configure ACLs on a global basis, then apply them to the incoming traffic on specific ports. You
can apply only one ACL to a port’s inbound traffic. The software applies the entries within an ACL in
the order they appear in the ACL configuration. As soon as a match is found, the software takes the
action specified in the ACL entry (permit or deny the packet) and stops further comparison for that
packet.
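The behaviour described in this chapter (ID ranges for standard, extended and named ACLs, entries evaluated in configuration order with the first match deciding, the implicit deny at the end of an applied ACL, permit-all when no ACL is applied, one inbound ACL per port, and the two ACL styles from "Default ACL action") is modelled below in Python as an added example. It is not Brocade code and does not run on the ADX; the `access-list <id> permit|deny ...` statement syntax, the Entry/Port names and the addresses are assumptions made for illustration, and the sample configuration is constructed.

```python
"""ACL semantics from this section modelled in Python: ID ranges, ordered entries,
first-match evaluation, and the implicit deny once an ACL is applied to a port.
Added example, not Brocade code; the statement syntax is assumed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    proto: str = "ip"               # extended only: ip (any), tcp, udp, icmp
    dst: ipaddress.IPv4Network = ANY
    dport: Optional[int] = None     # extended only: destination port

def acl_type(acl_id: str) -> str:
    """1-99 is standard, 100-199 is extended, any other string is a named ACL."""
    if acl_id.isdigit():
        n = int(acl_id)
        if 1 <= n <= 99:
            return "standard"
        if 100 <= n <= 199:
            return "extended"
        raise ValueError(f"numeric ACL ID {n} is outside 1-99 and 100-199")
    return "named"

def _net(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D/len' from the front of tok."""
    w = tok.pop(0)
    if w == "any":
        return ANY
    if w == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(w, strict=False)

def parse_acl(text: str) -> Dict[str, List[Entry]]:
    """Parse 'access-list <id> permit|deny ...' lines into per-ID entry lists,
    kept in configuration order (the evaluation order).  Named ACLs are parsed
    in the extended form here, an assumption of this example."""
    acls: Dict[str, List[Entry]] = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] != "access-list":
            continue
        acl_id, action, rest = tok[1], tok[2], tok[3:]
        if acl_type(acl_id) == "standard":
            entry = Entry(action, _net(rest))          # source address only
        else:
            proto, src, dst = rest.pop(0), _net(rest), _net(rest)
            dport = int(rest[1]) if rest[:1] == ["eq"] else None
            entry = Entry(action, src, proto, dst, dport)
        acls.setdefault(acl_id, []).append(entry)
    return acls

def evaluate(entries: List[Entry], pkt: dict) -> Tuple[str, Optional[int]]:
    """Walk entries in order; the first match decides.  No match: implicit deny."""
    for i, e in enumerate(entries):
        if pkt["src"] not in e.src or pkt["dst"] not in e.dst:
            continue
        if e.proto != "ip" and e.proto != pkt["proto"]:
            continue
        if e.dport is not None and e.dport != pkt.get("dport"):
            continue
        return e.action, i
    return "deny", None

class Port:
    """At most one inbound ACL per port; with none applied, all traffic passes."""
    def __init__(self, name: str):
        self.name, self.inbound_acl = name, None
    def apply_inbound(self, acl_id: str, acls: Dict[str, List[Entry]]) -> None:
        if acl_id not in acls:
            raise KeyError(f"ACL {acl_id} has no entries")
        if self.inbound_acl is not None:
            raise ValueError(f"{self.name} already has inbound ACL {self.inbound_acl}")
        self.inbound_acl = acl_id
    def filter(self, acls: Dict[str, List[Entry]], pkt: dict) -> Tuple[str, Optional[int]]:
        if self.inbound_acl is None:
            return "permit", None                   # no ACL applied: permit all
        return evaluate(acls[self.inbound_acl], pkt)

def packet(src: str, dst: str, proto: str = "tcp", dport: Optional[int] = None) -> dict:
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}

# Constructed sample: ACL 1 is the "permit list, implicit deny" style; ACL 101
# is the "explicit deny list, then permit everything" style.
SAMPLE_CONFIG = """
access-list 1 permit host 10.1.1.5
access-list 101 deny tcp any host 10.1.1.20 eq 23
access-list 101 permit ip any any
"""

if __name__ == "__main__":
    acls = parse_acl(SAMPLE_CONFIG)
    e1, e2 = Port("e1"), Port("e2")
    e1.apply_inbound("1", acls)
    e2.apply_inbound("101", acls)
    print(e1.filter(acls, packet("10.1.1.6", "10.1.1.20")))             # ('deny', None)
    print(e2.filter(acls, packet("10.9.9.9", "10.1.1.20", "tcp", 23)))  # ('deny', 0)
    print(e2.filter(acls, packet("10.9.9.9", "10.1.1.20", "tcp", 80)))  # ('permit', 1)
    # Ordering matters: with permit-any first, the deny entry is never reached.
    print(evaluate(acls["101"][::-1], packet("10.9.9.9", "10.1.1.20", "tcp", 23)))  # ('permit', 0)
```

The last line is the check worth keeping in mind when you build the "deny list plus permit all" style: the permit-all entry must be the final entry, because evaluation stops at the first match and anything placed after it is never reached.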
