Routing access policies, Using access control lists, Access masks – Extreme Networks 200 Series User Manual
Page 118: Access lists
116
Summit 200 Series Switch Installation and User Guide
Access Policies
Routing Access Policies
Routing access policies are used to control the advertisement or recognition of routing protocols, such as
RIP or OSPF. Routing access policies can be used to ‘hide’ entire networks, or to trust only specific
sources for routes or ranges of routes. The capabilities of routing access policies are specific to the type
of routing protocol involved, but are sometimes more efficient and easier to implement than access lists.
Using Access Control Lists
Each access control list consists of an access mask that selects which fields of each incoming packet to
examine, and a list of values to compare with the values found in the packet. Access masks can be
shared multiple access control lists, using different lists of values to examine packets. The following
sections describe how to use access control lists.
Access Masks
There are between twelve and fourteen access masks available in the Summit 200 series switch,
depending on which features are enabled on the switch. Each access mask is created with a unique
name and defines a list of fields that will be examined by any access control list that uses that mask
(and by any rate limit that uses the mask).
An access mask consists of a combination of the following thirteen fields:
•
Ethernet destination MAC address
•
Ethernet source MAC address
•
VLANid
•
IP Type of Service (TOS) or DiffServ code point
•
Ethertype
•
IP protocol
•
IP destination address and netmask
•
Layer 4 destination port
•
IP source address and netmask
•
Layer 4 source port, or ICMP type and/or ICMP code
•
TCP session initiation bits (permit-established keyword)
•
Egress port
•
Ingress ports
An access mask can also have an optional, unique precedence number associated with it.
Access Lists
Each entry that makes up an access list contains a unique name and specifies a previously created
access mask. The access list also includes a list of values to compare with the incoming packets, and an
action to take for packets that match. When you create an access list, you must specify a value for each
of the fields that make up the access mask used by the list.