Access control list (acl) overview – Allied Telesis AT-S63 User Manual


Chapter 15: Access Control Lists


Section II: Advanced Operations

Access Control List (ACL) Overview

An ACL is a tool for managing network traffic. You can use this feature to
control which ingress packets a port will accept and which it will reject.

One of the benefits of this feature is that it can add to network security. An
ACL can protect parts of a network from unauthorized access by allowing
only permitted traffic to enter the port. An ACL can explicitly state which
traffic is permitted to enter a switch port and which is to be discarded.

ACLs can also enhance network performance by creating network links
dedicated to carrying specific types of traffic, while banning all other traffic.
This provides the permitted traffic a higher priority by virtue of having its
own dedicated network path.

This feature can also be used to achieve load-balancing by creating
dedicated links for different types or categories of traffic. This too can
result in enhanced network performance by distributing different types of
network traffic across multiple physical links.

Note

This feature is not related to the management ACL feature, described in
Chapter 37, “Management Access Control List” on page 841. They perform
different functions and are configured in different ways.

The heart of an ACL is a classifier. A classifier, as explained in “Classifier
Overview” on page 284, defines packets that share a common trait. Packets
that share a trait are referred to as a traffic flow. A traffic flow can be
very broad, such as all IP packets, or very specific, such as packets from a
specific end node destined for another specific node. You specify the traffic
using different criteria, such as source and destination MAC addresses or
protocol.

When you create an ACL, you are asked to specify the classifier that
defines the traffic flow you want to permit or deny on a port.

There are two kinds of ACLs based on the two actions that an ACL can
perform. One is called a permit ACL. Packets that meet the criteria in a
permit ACL are accepted by a port.

The second type of ACL is a deny ACL. This type of ACL will deny entry to
packets that meet the criteria of its classifiers, unless the packet also
meets the criteria of a permit ACL on the same port, in which case the
packet is accepted. This is because a permit ACL overrides a deny ACL.
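The permit-overrides-deny rule above, worked through as an added model (this is not the manual's own code or the switch's implementation). The classifier fields, the packet representation and the choice to accept packets that match no ACL on the port are assumptions made for the model.

```python
# Added illustration, not the AT-S63 manual's own code: a minimal model of the
# port ACL decision. Classifier fields and the unmatched default are assumed.
from dataclasses import dataclass

def classifier_matches(criteria: dict, pkt: dict) -> bool:
    """A classifier is a set of criteria (e.g. source MAC, protocol) that all
    have to match; a criterion absent from the classifier matches anything."""
    return all(pkt.get(key) == want for key, want in criteria.items())

@dataclass
class ACL:
    name: str
    action: str          # "permit" or "deny"
    classifiers: list    # one or more classifier criteria dicts

    def matches(self, pkt: dict) -> bool:
        # The ACL applies if the packet belongs to any of its traffic flows.
        return any(classifier_matches(c, pkt) for c in self.classifiers)

def port_decision(port_acls: list, pkt: dict) -> str:
    """Decide whether one ingress packet is accepted on a port.
    Permit overrides deny: a packet matching a permit ACL is accepted even if
    it also matches a deny ACL on the same port. A packet matching only a
    deny ACL is discarded. A packet matching no ACL is accepted here; that
    default is an assumption of this model, not stated in the overview.
    """
    if any(a.action == "permit" and a.matches(pkt) for a in port_acls):
        return "accept"
    if any(a.action == "deny" and a.matches(pkt) for a in port_acls):
        return "discard"
    return "accept"

# Constructed sample policy for one port: discard all IP traffic except the
# flow from one server to one workstation (MAC addresses are made up).
PORT_ACLS = [
    ACL("deny_all_ip", "deny", [{"protocol": "ip"}]),
    ACL("permit_server", "permit",
        [{"src_mac": "00:00:5e:00:53:01", "dst_mac": "00:00:5e:00:53:02",
          "protocol": "ip"}]),
]

if __name__ == "__main__":
    samples = [
        {"src_mac": "00:00:5e:00:53:01", "dst_mac": "00:00:5e:00:53:02", "protocol": "ip"},
        {"src_mac": "00:00:5e:00:53:09", "dst_mac": "00:00:5e:00:53:02", "protocol": "ip"},
        {"src_mac": "00:00:5e:00:53:09", "dst_mac": "00:00:5e:00:53:02", "protocol": "arp"},
    ]
    for pkt in samples:
        print(pkt["src_mac"], pkt["protocol"], "->", port_decision(PORT_ACLS, pkt))
```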
