Access masks, Access lists – Extreme Networks Summit 300-48 User Manual
Page 108
108
Summit 300-48 Switch Software User Guide
Access Policies
shared multiple access control lists, using different lists of values to examine packets. The following
sections describe how to use access control lists.
Access Masks
There are between twelve and fourteen access masks available in the Summit 300-48, depending on
which features are enabled on the switch. Each access mask is created with a unique name and defines a
list of fields that will be examined by any access control list that uses that mask (and by any rate limit
that uses the mask).
An access mask consists of a combination of the following thirteen fields:
•
Ethernet destination MAC address
•
Ethernet source MAC address
•
VLANid
•
IP Type of Service (TOS) or DiffServ code point
•
Ethertype
•
IP protocol
•
IP destination address and netmask
•
Layer 4 destination port
•
IP source address and netmask
•
Layer 4 source port, or ICMP type and/or ICMP code
•
TCP session initiation bits (permit-established keyword)
•
Egress port
•
Ingress ports
An access mask can also have an optional, unique precedence number associated with it.
Access Lists
Each entry that makes up an access list contains a unique name and specifies a previously created
access mask. The access list also includes a list of values to compare with the incoming packets, and an
action to take for packets that match. When you create an access list, you must specify a value for each
of the fields that make up the access mask used by the list.
For packets that match a particular access control list, you can specify the following actions:
•
Drop
Drop the packets. Matching packets are not forwarded.
•
Permit-established
Drop the packet if it would initiate a new TCP session (see, “The permit-established Keyword” on
page 111).
•
Permit
Forward the packet. You can send the packet to a particular QoS profile, and modify the packet’s
802.1p value and/or DiffServe code point.