Access Control List Commands – Asus GigaX2024SX User Manual


Access Control List Commands

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the rules are checked, and then bind the list to a specific port.

Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted.

There are three filtering modes:

• Standard IP ACL mode (STD-ACL) filters packets based on the source IP address.
• Extended IP ACL mode (EXT-ACL) filters packets based on source or destination IP address, as well as protocol type and protocol port number. If the TCP protocol is specified, then you can also filter packets based on the TCP control code.
• MAC ACL mode (MAC-ACL) filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).

The following restrictions apply to ACLs:

• Each ACL can have up to 32 rules.
• The maximum number of ACLs is 88.
• However, due to resource restrictions, the average number of rules bound to the ports should not exceed 20.
• You must configure a mask for an ACL rule before you can bind it to a port or set the queue or frame priorities associated with the rule.
• The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.

This switch supports ACLs for ingress filtering only. However, you can only bind one IP ACL to any port and one MAC ACL globally for ingress filtering. In other words, only two ACLs can be bound to an interface - Ingress IP ACL and Ingress MAC ACL.

The order in which active ACLs are checked is as follows:

1. User-defined rules in the Ingress MAC ACL for ingress ports.
2. User-defined rules in the Ingress IP ACL for ingress ports.
3. Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.
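The matching semantics above (first match wins, the implicit verdict when nothing in an all-permit or all-deny list matches, the 32-rule limit, the mask-before-bind requirement, and the MAC-then-IP-then-default check order) are easy to get wrong when writing or reviewing a filter policy. The following model is an added example written for this page; it is not the GigaX2024SX firmware or its CLI, and the `Rule`, `ACL` and `Port` names, the field names in the packet dictionaries, and all addresses are constructed. Two modelling choices are assumptions: the MAC ACL is held per port here rather than globally, and an empty or mixed permit/deny list, which the page does not describe, defers to the next stage.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_RULES_PER_ACL = 32  # restriction stated on the page


@dataclass
class Rule:
    action: str                                          # "permit" or "deny"
    match: Dict[str, str] = field(default_factory=dict)  # {} means "any any"
    mask_set: bool = False                               # page: mask required before binding

    def matches(self, pkt: Dict[str, str]) -> bool:
        return all(pkt.get(k) == v for k, v in self.match.items())  # unlisted fields = any


@dataclass
class ACL:
    name: str
    kind: str                                    # "ip" or "mac"
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES_PER_ACL:
            raise ValueError(f"{self.name}: at most {MAX_RULES_PER_ACL} rules per ACL")
        self.rules.append(rule)

    def evaluate(self, pkt: Dict[str, str]) -> Optional[str]:
        # First match wins; unmatched, an all-permit list drops and an all-deny list accepts.
        # Empty or mixed lists are not covered by the page: defer to the next stage (assumption).
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        actions = {r.action for r in self.rules}
        if actions == {"permit"}:
            return "deny"
        if actions == {"deny"}:
            return "permit"
        return None


@dataclass
class Port:
    name: str
    ingress_ip_acl: Optional[ACL] = None
    ingress_mac_acl: Optional[ACL] = None  # bound globally on the switch; per-port here (assumption)

    def bind(self, acl: ACL) -> None:
        if not all(r.mask_set for r in acl.rules):
            raise ValueError(f"{acl.name}: configure a mask for every rule before binding")
        slot = "ingress_ip_acl" if acl.kind == "ip" else "ingress_mac_acl"
        if getattr(self, slot) is not None:
            raise ValueError(f"{self.name}: one ingress IP ACL and one ingress MAC ACL only")
        setattr(self, slot, acl)

    def ingress_decision(self, pkt: Dict[str, str]) -> str:
        # Stage 1: ingress MAC ACL rules; stage 2: ingress IP ACL rules; stage 3: default permit.
        for acl in (self.ingress_mac_acl, self.ingress_ip_acl):
            if acl is not None:
                verdict = acl.evaluate(pkt)
                if verdict is not None:
                    return verdict
        return "permit"


def demo() -> Dict[str, str]:
    ip_acl = ACL("mgmt-only", "ip")        # all-permit list: unmatched packets are dropped
    ip_acl.add_rule(Rule("permit", {"src_ip": "10.0.0.5"}, mask_set=True))
    mac_acl = ACL("block-station", "mac")  # all-deny list: unmatched packets are accepted
    mac_acl.add_rule(Rule("deny", {"src_mac": "00:11:22:33:44:55"}, mask_set=True))
    ip_port, mac_port, both, bare = Port("p1"), Port("p2"), Port("p3"), Port("p4")
    for port, acl in ((ip_port, ip_acl), (mac_port, mac_acl), (both, mac_acl), (both, ip_acl)):
        port.bind(acl)
    mgmt = {"src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.0.0.5"}   # constructed packets
    other = {"src_mac": "aa:bb:cc:00:00:02", "src_ip": "10.0.0.99"}
    rogue = {"src_mac": "00:11:22:33:44:55", "src_ip": "10.0.0.5"}  # allowed IP, blocked MAC
    return {
        "mgmt_on_ip_port": ip_port.ingress_decision(mgmt),
        "other_on_ip_port": ip_port.ingress_decision(other),
        "rogue_on_mac_port": mac_port.ingress_decision(rogue),
        "other_on_mac_port": mac_port.ingress_decision(other),
        "rogue_on_both": both.ingress_decision(rogue),  # MAC stage is checked before IP stage
        "other_on_bare_port": bare.ingress_decision(other),
    }


def _refused(attempt) -> bool:
    try:
        attempt()
    except ValueError:
        return True
    return False


def restriction_checks() -> Dict[str, bool]:
    full = ACL("big", "ip")
    for i in range(MAX_RULES_PER_ACL):
        full.add_rule(Rule("permit", {"src_ip": f"10.1.0.{i}"}, mask_set=True))
    unmasked = ACL("no-mask", "ip")
    unmasked.add_rule(Rule("permit", {"src_ip": "10.0.0.1"}))  # mask_set left False
    return {"rule_33_refused": _refused(lambda: full.add_rule(Rule("permit", {}, True))),
            "unmasked_bind_refused": _refused(lambda: Port("p9").bind(unmasked))}
```

Running `demo()` shows the two consequences of the implicit verdict that matter when reviewing a policy: a list made only of permit rules silently drops every host it does not name (`other_on_ip_port`), while a list made only of deny rules lets everything else through (`other_on_mac_port`), and because the MAC ACL is consulted first, a station blocked by MAC is dropped even though its IP address would have been permitted (`rogue_on_both`). `restriction_checks()` shows the model refusing a 33rd rule and refusing to bind an ACL whose rule has no mask, as the restrictions list requires.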

4-90
