How access control lists work, Access mask precedence numbers, Specifying a default rule – Extreme Networks 200 Series User Manual


Summit 200 Series Switch Installation and User Guide, page 118

Access Policies

How Access Control Lists Work

When a packet arrives on an ingress port, the fields of the packet corresponding to an access mask are
compared with the values specified by the associated access lists to determine a match.

It is possible that a packet will match more than one access control list. If the resulting actions of all the
matches do not conflict, they will all be carried out. If there is a conflict, the actions of the access list
using the higher precedence access mask are applied. When a match is found, the packet is processed. If
the access list is of type deny, the packet is dropped. If the list is of type permit, the packet is
forwarded. A permit access list can also apply a QoS profile to the packet and modify the packet’s
802.1p value and the DiffServ code point.

Access Mask Precedence Numbers

The access mask precedence number is optional and determines the order in which each rule is examined by
the switch. Access control list entries are evaluated from highest precedence to lowest precedence.
Precedence numbers range from 1 to 25,600, with the number 1 having the highest precedence, but an access
mask without a precedence specified has a higher precedence than any access mask with a precedence
specified. The first access mask defined without a specified precedence has the highest precedence.
Subsequent masks without a specified precedence have a lower precedence, and so on.

Specifying a Default Rule

You can specify a default access control list to define the default access to the switch. You should use an
access mask with a low precedence for the default rule access control list. If no other access control list
entry is satisfied, the default rule is used to determine whether the packet is forwarded or dropped. If
no default rule is specified, the default behavior is to forward the packet.

NOTE

If your default rule denies traffic, you should not apply this rule to the Summit 200 series switch port
used as a management port.

The following example shows an access control list that is used to specify a default rule to explicitly
deny all traffic:

create access-mask ingress_mask ports precedence 25000

create access-list DenyAll ingress_mask ports 2-26 deny

Once the default behavior of the access control list is established, you can create additional entries using
precedence numbers.

The following access control list example shows an access control list that will forward traffic from the
10.1.2.x subnet even while the above default rule is in place:

create access-mask ip_src_mask source-ip/24 precedence 1000

create access-list TenOneTwo ip_src_mask source-ip 10.1.2.0/24 permit
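The following Python model is an added example, not code from the manual or from the switch; it reproduces the precedence rules described above (numbered masks ordered 1 first, unnumbered masks outranking all numbered ones in definition order, conflicts resolved by the higher-precedence mask, forward when nothing matches) and builds the two rules from the examples above so the decisions can be checked. The class and method names are assumptions chosen for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccessMask:
    name: str
    precedence: Optional[int] = None   # 1..25600 (1 is highest); None = not specified
    order: int = 0                     # definition order, filled in by Switch.create_mask
    def rank(self):
        # Lower tuple sorts first. Unnumbered masks outrank every numbered mask, earliest first.
        return (0, self.order) if self.precedence is None else (1, self.precedence)

@dataclass
class AccessList:
    name: str
    mask: AccessMask
    action: str                        # "permit" or "deny"
    ports: Optional[set] = None        # None: the ingress port is not part of the mask
    source_ip: Optional[ipaddress.IPv4Network] = None  # None: source IP not in the mask
    def matches(self, port, src):
        if self.ports is not None and port not in self.ports:
            return False
        return self.source_ip is None or ipaddress.IPv4Address(src) in self.source_ip

class Switch:
    def __init__(self):
        self.masks, self.lists = [], []

    def create_mask(self, name, precedence=None):
        self.masks.append(AccessMask(name, precedence, order=len(self.masks)))
        return self.masks[-1]

    def create_list(self, name, mask, action, ports=None, source_ip=None):
        net = ipaddress.IPv4Network(source_ip) if source_ip else None
        self.lists.append(AccessList(name, mask, action, ports, net))

    def decide(self, port, src):
        hits = [acl for acl in self.lists if acl.matches(port, src)]
        if not hits:
            return "forward"           # nothing matched and no default rule: forward
        # Conflicting actions are resolved in favour of the higher-precedence mask.
        winner = min(hits, key=lambda acl: acl.mask.rank())
        return "forward" if winner.action == "permit" else "drop"

def page_example():
    # The manual's default-deny rule on ports 2-26 plus the 10.1.2.x permit rule.
    sw = Switch()
    sw.create_list("DenyAll", sw.create_mask("ingress_mask", 25000), "deny", ports=set(range(2, 27)))
    sw.create_list("TenOneTwo", sw.create_mask("ip_src_mask", 1000), "permit", source_ip="10.1.2.0/24")
    return sw
```

With these two rules a packet from 10.1.2.5 on port 3 matches both lists and is forwarded because precedence 1000 outranks 25000, while a packet from any other subnet on ports 2-26 is dropped and port 1 traffic is forwarded by default.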

The permit-established Keyword

The permit-established keyword is used to directionally control attempts to open a TCP session.

Session initiation can be explicitly blocked using this keyword.
