AT-S63 Management Software Menus Interface User’s Guide

Section II: Advanced Operations

Here is an overview of how the process works.

1. When an ingress packet arrives on a port, it is checked against the
   criteria in the classifiers of all the ACLs, both permit and deny,
   assigned to the port.

2. If the packet matches the criteria of a permit ACL, the port immediately
   accepts it, even if the packet also matches a deny ACL assigned to the
   same port, because a permit ACL always overrides a deny ACL.

3. If a packet meets the criteria of a deny ACL but not any permit ACLs
   on the port, then the packet is discarded.

4. Finally, if a packet does not meet the criteria of any ACLs on a port, it is
   accepted by the port.

Parts of an ACL

To create an ACL, you need to provide the following information:

• Name - An ACL needs a name. The name should reflect the type of
  traffic flow the ACL will be filtering and, perhaps, also the action. An
  example might be “HTTPS flow - permit.” The more specific the name,
  the easier it will be for you to identify the different ACLs.

• Action - An ACL can have one of two actions: permit or deny. An action
  of permit means that the ingress packets matching the criteria in the
  classifiers are to be accepted by the switch port. An action of deny
  means any ingress packets meeting the criteria are to be discarded,
  provided that the packets do not match any permit ACLs on the port.

• Classifiers - An ACL needs one or more classifiers to define the traffic
  flow whose packets you want the port to accept or reject. Each
  classifier defines a different traffic flow. An ACL can have more than
  one classifier to filter multiple traffic flows.

• Port Lists - Finally, you need to specify the ports to which an ACL is to
  be assigned.

Guidelines

Following are rules to observe when it comes to using ACLs:

• A port can have multiple permit and deny ACLs.

• An ACL must have at least one classifier.

• An ACL can be assigned to more than one switch port.

• An ACL filters ingress traffic, but not egress traffic.

• The action of an ACL can be either permit or deny. A permit ACL
  overrides a deny ACL on the same port.

• The order in which ACLs are added to a port does not matter, since a
  packet is compared against all of the ACLs on a port.
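The evaluation rules in the overview and in these guidelines differ from the first-match, order-dependent ACLs of many other platforms: every ACL on the port is consulted, any permit match wins over any deny match, and a packet that matches nothing is accepted. The following added example (not code from the manual or from Allied Telesis) models those rules in Python and includes an audit check that reports which deny ACLs a permit ACL on the same port overrides for a set of sample packets. The classifier model (a dictionary of fields, with src_ip/dst_ip as CIDR prefixes) and the ACL names and traffic are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Classifier:
    # Hypothetical model: every listed field must match; src_ip/dst_ip are CIDR prefixes.
    fields: dict
    def matches(self, packet: dict) -> bool:
        for key, want in self.fields.items():
            have = packet.get(key)
            if key in ("src_ip", "dst_ip"):
                if have is None or ip_address(have) not in ip_network(want):
                    return False
            elif have != want:
                return False
        return True

@dataclass
class ACL:
    name: str
    action: str         # "permit" or "deny"
    classifiers: list   # one or more Classifier; any one matching is a hit
    def matches(self, packet: dict) -> bool:
        return any(c.matches(packet) for c in self.classifiers)

def port_decision(acls: list, packet: dict) -> str:
    """Rules from the text: every ACL on the port is checked; a permit hit accepts
    even if a deny also hits; a deny hit alone discards; no hit at all accepts."""
    permit_hit = any(a.action == "permit" and a.matches(packet) for a in acls)
    deny_hit = any(a.action == "deny" and a.matches(packet) for a in acls)
    return "accept" if permit_hit or not deny_hit else "discard"

def overridden_denies(acls: list, packets: list) -> set:
    """Audit check: names of deny ACLs that matched a sample packet which the
    port accepted anyway because a permit ACL on the same port also matched."""
    hits = set()
    for pkt in packets:
        if port_decision(acls, pkt) == "accept":
            hits.update(a.name for a in acls if a.action == "deny" and a.matches(pkt))
    return hits

# Constructed ACLs and sample ingress traffic (not taken from the manual).
PORT_ACLS = [
    ACL("HTTPS flow - permit", "permit", [Classifier({"proto": "tcp", "dst_port": 443})]),
    ACL("Guest subnet - deny", "deny", [Classifier({"src_ip": "192.0.2.0/24"})]),
]
SAMPLE_PACKETS = [
    {"src_ip": "192.0.2.10", "proto": "tcp", "dst_port": 443},   # deny and permit hit
    {"src_ip": "192.0.2.10", "proto": "tcp", "dst_port": 22},    # deny hit only
    {"src_ip": "198.51.100.5", "proto": "tcp", "dst_port": 22},  # no hit
]
```

Running `overridden_denies(PORT_ACLS, SAMPLE_PACKETS)` reports the guest-subnet deny as overridden for HTTPS traffic, which is the kind of overlap to look for when a deny ACL does not block what you expected.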