Access mask precedence numbers, Specifying a default rule – Extreme Networks Summit 300-48 User Manual


Summit 300-48 Switch Software User Guide

Access Policies

Access Mask Precedence Numbers

The access mask precedence number is optional, and determines the order in which each rule is
examined by the switch. Access control list entries are evaluated from highest precedence to lowest
precedence. Precedence numbers range from 1 to 25,600, with the number 1 having the highest precedence.
However, an access mask without a precedence specified has a higher precedence than any access mask
with a precedence specified. The first access mask defined without a specified precedence has the
highest precedence. Subsequent masks without a specified precedence have a lower precedence, and so
on.

Specifying a Default Rule

You can specify a default access control list to define the default access to the switch. You should use an
access mask with a low precedence for the default rule access control list. If no other access control list
entry is satisfied, the default rule is used to determine whether the packet is forwarded or dropped. If
no default rule is specified, the default behavior is to forward the packet.

NOTE

If your default rule denies traffic, you should not apply this rule to the Summit 300-48 port used as a
management port.

The following example shows an access control list that is used to specify a default rule to explicitly
deny all traffic:

create access-mask ingress_mask ports precedence 25000

create access-list DenyAll ingress_mask ports 1:2-1:26 deny

After the default behavior of the access control list has been established, you can create additional
entries using precedence numbers.

The following example shows an access control list that forwards traffic from the 10.1.2.x subnet even
while the default rule above is in place:

create access-mask ip_src_mask source-ip/24 precedence 1000

create access-list TenOneTwo ip_src_mask source-ip 10.1.2.0/24 permit
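As an added illustration, not part of the user guide or the switch software, the following Python model applies the precedence rules described above to the two access masks and entries from the examples. The class and function names, the expansion of the port range 1:2-1:26 into a set of port strings, and the sample source addresses are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the precedence rules described on this page.
@dataclass
class AccessMask:
    name: str
    precedence: Optional[int]   # None = no precedence number specified
    order: int                  # definition order; 0 = defined first

@dataclass
class AclEntry:
    name: str
    mask: AccessMask
    action: str                 # "permit" or "deny"
    ports: Optional[frozenset] = None                    # None = any port
    source_net: Optional[ipaddress.IPv4Network] = None   # None = any source

def mask_sort_key(mask: AccessMask):
    # Masks without a precedence are examined first, in definition order;
    # then numbered masks, with 1 examined before 25600.
    if mask.precedence is None:
        return (0, mask.order)
    return (1, mask.precedence)

def precedence_order(masks):
    """Mask names in the order the switch examines them."""
    return [m.name for m in sorted(masks, key=mask_sort_key)]

def entry_matches(entry: AclEntry, port: str, src_ip: str) -> bool:
    if entry.ports is not None and port not in entry.ports:
        return False
    if entry.source_net is not None and \
            ipaddress.ip_address(src_ip) not in entry.source_net:
        return False
    return True

def evaluate(entries, port: str, src_ip: str):
    """First matching entry in precedence order decides; no match forwards."""
    for entry in sorted(entries, key=lambda e: mask_sort_key(e.mask)):
        if entry_matches(entry, port, src_ip):
            return entry.action, entry.name
    return "permit", None   # default behaviour with no default rule hit

# The two masks and entries from the page's example (ports 1:2-1:26 expanded).
INGRESS_MASK = AccessMask("ingress_mask", 25000, 0)
IP_SRC_MASK = AccessMask("ip_src_mask", 1000, 1)
ENTRIES = [
    AclEntry("DenyAll", INGRESS_MASK, "deny",
             ports=frozenset(f"1:{n}" for n in range(2, 27))),
    AclEntry("TenOneTwo", IP_SRC_MASK, "permit",
             source_net=ipaddress.ip_network("10.1.2.0/24")),
]
```

A packet from 10.1.2.x on a covered port is permitted by TenOneTwo (precedence 1000) before DenyAll (25000) is examined, while a packet on a port outside 1:2-1:26, such as a management port left out of the deny rule, falls through to the forward default.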
