R3204P16-HP Load Balancing Module Security Configuration Guide-6PW101
46
ACL configuration
NOTE:
A
CLs refer to IPv4 ACLs throughout this document.
ACL overview
An access control list (ACL) is a set of rules (or permit or deny statements) for identifying traffic based on
criteria such as source IP address, destination IP address, and port number.
ACLs are primarily used for packet filtering. You can use ACLs in firewall, routing, and other feature
modules for identifying traffic. The packet drop or forwarding decisions varies with the modules that use
ACLs.
ACL categories
Cate
g
or
y
ACL number IP version
Match criteria
Basic ACLs 2000 to 2999 IPv4 Source IPv4 address
Advanced ACLs 3000 to 3999 IPv4
Source IPv4 address, destination IPv4 address,
packet priority, protocols over IPv4, and other
Layer 3 and Layer 4 header fields
Ethernet frame
header ACLs
4000 to 4999 IPv4
Layer 2 header fields, such as source and
destination MAC addresses, 802.1p priority,
and link layer protocol type
ACL numbering and naming
Each ACL category has a unique range of ACL numbers. When creating an ACL, you must assign it a
number. In addition, you can assign the ACL a name for the ease of identification. After creating an ACL
with a name, you can neither rename it nor delete its name.
For an Ethernet frame header ACL, the ACL number and name must be globally unique. For an IPv4 basic
or advanced ACLs, its ACL number and name must be unique among all IPv4 ACLs.
Match order
The rules in an ACL are sorted in a specific order. When a packet matches a rule, the device stops the
match process and performs the action defined in the rule. If an ACL contains overlapping or conflicting
rules, the matching result and action to take depend on the rule order.
The following ACL match orders are available:
• config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a
rule with a higher ID. If you use this approach, carefully check the rule content and order.