WESM zl Management and Configuration Guide WT.01.03 and greater
7-5
Access Control Lists (ACLs)
Overview
For all ACL types, rules include the following specifications:
■ precedence—the order in which the rule is processed
■ filters—the criteria by which a rule selects packets
■ operation—the action that the Wireless Edge Services zl Module takes
on traffic selected by a rule
All ACLs include an implicit “deny any” rule at the end. In other words, if traffic
does not match any of the ACL’s rules, the ACL drops the traffic. MAC standard
ACLs, which are configured as filters for local MAC authentication, are the
exception. They include an implicit “permit any” rule at the end. See “MAC
Filters (Local MAC Authentication)” on page 12-75 of Chapter 12: “Wireless
Network Management.”
Precedence
An ACL’s rules are processed in ascending numeric order until a “match” is
found for the packet or frame. When the Wireless Edge Services zl Module
matches traffic to the rule, the rule has “selected” the traffic. The module then
performs the operation defined for the rule.
Each ACL has a list of ordered rules separate from all other ACLs. For
example, two ACLs can each have one rule with a precedence value of 1.
Filters
Filters specify the header fields that a packet must match. As discussed in
“ACL Types” on page 7-3, the valid fields depend on the ACL type. A packet or
frame must match every filter that you specify in a rule.
Rules for all ACL types can include these filters:
■ source address, either IP or MAC address
The filter can select:
• all addresses
• a single address
• a range of addresses, specified either by subnetwork address and
prefix length (for IP ACLs) or by mask (for MAC extended ACLs)
■ WLAN index number (from 1 through 256)
Traffic must arrive from this WLAN to match the rule. This filter is optional
and takes effect only in ACLs applied to physical interfaces; use it only in
ACLs applied to the downlink port.
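The following is an added example, written for this page and not code from the guide or from the Wireless Edge Services zl Module itself. It models the rule semantics described above (precedence order, every specified filter must match, the operation of the first matching rule, the implicit “deny any” at the end, and the “permit any” exception for MAC standard ACLs) so you can check how a packet would be handled before committing an ACL. The sample ACLs and packets are constructed for illustration. Two points are assumptions rather than statements from the guide: precedence values are treated as unique within one ACL, and a MAC mask is interpreted so that a 1 bit means “this bit must match” (ff:ff:ff:00:00:00 selects an OUI).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _mac_int(mac: str) -> int:
    """Convert 'aa:bb:cc:dd:ee:ff' (or dashed form) to a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


@dataclass
class Rule:
    precedence: int                  # rules are processed in ascending order
    action: str                      # operation: "permit" or "deny"
    src_ip: Optional[str] = None     # e.g. "10.1.1.0/24"; None selects all addresses
    src_mac: Optional[str] = None    # e.g. "00:11:22:33:44:55"; None selects all
    mac_mask: Optional[str] = None   # ASSUMPTION: 1 bits must match; None = exact address
    wlan: Optional[int] = None       # ingress WLAN index 1..256; None = any WLAN

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.wlan is not None and not 1 <= self.wlan <= 256:
            raise ValueError("WLAN index must be 1 through 256")

    def matches(self, pkt: dict, physical_interface: bool) -> bool:
        """A packet is selected only if every filter specified on the rule matches."""
        if self.src_ip is not None:
            net = ipaddress.ip_network(self.src_ip, strict=False)
            if ipaddress.ip_address(pkt["src_ip"]) not in net:
                return False
        if self.src_mac is not None:
            mask = _mac_int(self.mac_mask) if self.mac_mask else 0xFFFFFFFFFFFF
            if (_mac_int(pkt["src_mac"]) ^ _mac_int(self.src_mac)) & mask:
                return False
        # The WLAN filter takes effect only for ACLs applied to physical interfaces.
        if self.wlan is not None and physical_interface and pkt.get("wlan") != self.wlan:
            return False
        return True


@dataclass
class ACL:
    name: str
    acl_type: str                     # "ip-standard", "ip-extended", "mac-extended", "mac-standard"
    rules: List[Rule]
    physical_interface: bool = True   # True when applied to a physical port (e.g. the downlink)

    def __post_init__(self):
        # ASSUMPTION: precedence values are unique within one ACL (they may repeat across ACLs).
        seen = set()
        for r in self.rules:
            if r.precedence in seen:
                raise ValueError(f"duplicate precedence {r.precedence} in ACL {self.name}")
            seen.add(r.precedence)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (operation, precedence of the selecting rule).
        precedence is None when the implicit rule at the end of the list decided."""
        for rule in sorted(self.rules, key=lambda r: r.precedence):
            if rule.matches(pkt, self.physical_interface):
                return rule.action, rule.precedence
        # Implicit final rule: MAC standard ACLs (local MAC authentication filters)
        # permit unmatched traffic; every other ACL type denies it.
        return ("permit" if self.acl_type == "mac-standard" else "deny"), None


# Constructed sample ACLs (not from the guide). Rules are listed out of order on
# purpose: evaluation sorts them by precedence.
DOWNLINK_ACL = ACL("guest-filter", "ip-extended", [
    Rule(20, "permit", src_ip="10.1.0.0/16"),
    Rule(10, "deny", src_ip="10.1.1.0/24", wlan=1),
], physical_interface=True)

# Same rules applied somewhere other than a physical interface: the WLAN filter is ignored.
VLAN_ACL = ACL("guest-filter-vlan", "ip-extended", DOWNLINK_ACL.rules, physical_interface=False)

MAC_AUTH_FILTER = ACL("mac-auth", "mac-standard", [
    Rule(1, "deny", src_mac="00:11:22:33:44:55"),
    Rule(2, "deny", src_mac="00:aa:bb:00:00:00", mac_mask="ff:ff:ff:00:00:00"),
])


def demo() -> dict:
    """Evaluate constructed sample packets against the sample ACLs."""
    return {
        "wlan1_blocked": DOWNLINK_ACL.evaluate({"src_ip": "10.1.1.5", "wlan": 1}),
        "wlan1_allowed": DOWNLINK_ACL.evaluate({"src_ip": "10.1.2.7", "wlan": 1}),
        "wlan2_same_subnet": DOWNLINK_ACL.evaluate({"src_ip": "10.1.1.5", "wlan": 2}),
        "implicit_deny": DOWNLINK_ACL.evaluate({"src_ip": "192.0.2.9", "wlan": 1}),
        "wlan_ignored_off_physical": VLAN_ACL.evaluate({"src_ip": "10.1.1.5", "wlan": 2}),
        "mac_exact_deny": MAC_AUTH_FILTER.evaluate({"src_mac": "00:11:22:33:44:55"}),
        "mac_oui_deny": MAC_AUTH_FILTER.evaluate({"src_mac": "00:aa:bb:12:34:56"}),
        "mac_implicit_permit": MAC_AUTH_FILTER.evaluate({"src_mac": "00:de:ad:be:ef:01"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `wlan2_same_subnet` and `wlan_ignored_off_physical` cases show why the guide restricts the WLAN filter to downlink-port ACLs: the same rule set selects different traffic depending on where the ACL is applied, and a deny rule that silently loses its WLAN qualifier becomes broader than intended.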