WESM zl Management and Configuration Guide WT.01.28 and greater
Introduction
ProCurve Wireless Edge Services zl Module
MAC extended ACLs, like MAC standard ACLs, filter traffic according to information
in the Layer 2 header. However, the extended ACL provides many more options
for filters, including destination MAC address, 802.1p priority value, and the type of
encapsulated protocol. For example, you can permit IPv4 traffic but drop IPv6 traffic.
The IP ACLs operate at Layer 3. A standard IP ACL filters traffic according to source
IP address only. An extended IP ACL, on the other hand, examines many fields in the
Layer 3 IP header and even the Layer 4 TCP or UDP header. For example, an extended
IP ACL could select traffic associated with a particular application by specifying the
destination TCP or UDP port for that application.
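The header fields each ACL type can test, as an added Python model (not code from this guide and not the module's CLI or implementation): it parses a constructed Ethernet frame and evaluates hypothetical rule sets, showing that a standard IP ACL cannot tell HTTPS from Telnet sent by the same source while an extended IP ACL can, and that a MAC extended ACL separates IPv4 from IPv6 by encapsulated protocol. The rule format, the addresses, and the first-match, default-deny evaluation are assumptions of the example.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
MACS = bytes.fromhex("00112233445502aabbccddee")  # constructed destination MAC, then source MAC

def parse_frame(frame: bytes) -> dict:
    """Extract the Layer 2-4 header fields that the ACL types can match on."""
    f = {"dst_mac": frame[0:6].hex(":"), "src_mac": frame[6:12].hex(":"), "dot1p": None}
    (etype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if etype == ETH_VLAN:  # 802.1Q tag: top 3 bits of the TCI are the 802.1p priority
        tci, etype = struct.unpack("!HH", frame[14:18])
        f["dot1p"], off = tci >> 13, 18
    f["ethertype"] = etype  # the encapsulated protocol a MAC extended ACL filters on
    if etype == ETH_IPV4:
        ihl = (frame[off] & 0x0F) * 4  # IPv4 header length in bytes
        f["proto"] = frame[off + 9]
        f["src_ip"] = ".".join(map(str, frame[off + 12:off + 16]))
        f["dst_ip"] = ".".join(map(str, frame[off + 16:off + 20]))
        if f["proto"] in (6, 17):  # TCP and UDP both begin with source port, destination port
            f["sport"], f["dport"] = struct.unpack("!HH", frame[off + ihl:off + ihl + 4])
    return f

def evaluate(acl, fields, default="deny"):
    """First matching rule wins; a rule is (action, {field: required value})."""
    for action, match in acl:
        if all(fields.get(k) == v for k, v in match.items()):
            return action
    return default  # assumption of this model: traffic matching no rule is denied

# Hypothetical rule sets, one per ACL type discussed above
STD_IP = [("permit", {"src_ip": "10.10.10.5"})]  # source address is all it can test
EXT_IP = [("deny", {"proto": 6, "dport": 23}),
          ("permit", {"src_ip": "10.10.10.5", "proto": 6, "dport": 443})]
MAC_EXT = [("permit", {"ethertype": ETH_IPV4}), ("deny", {"ethertype": ETH_IPV6})]

def sample_frame(dport: int) -> bytes:
    """Constructed 802.1Q-tagged IPv4/TCP frame, 10.10.10.5 -> 192.168.1.20."""
    ip = bytes.fromhex("4500002800004000400600000a0a0a05c0a80114")
    tcp = struct.pack("!HH", 49152, dport) + bytes(16)
    return MACS + struct.pack("!HHH", ETH_VLAN, (5 << 13) | 10, ETH_IPV4) + ip + tcp

IPV6_FRAME = MACS + struct.pack("!H", ETH_IPV6) + bytes(40)  # constructed, header zeroed

if __name__ == "__main__":
    frames = {"https": sample_frame(443), "telnet": sample_frame(23), "ipv6": IPV6_FRAME}
    for name, frame in frames.items():
        fields = parse_frame(frame)
        print(name, [evaluate(a, fields) for a in (STD_IP, EXT_IP, MAC_EXT)])
```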
Table 1-3 compares the various types of ACLs.
Table 1-3. ACL Types

| Functionality | Standard IP ACLs | Extended IP ACLs | MAC Standard ACLs | MAC Extended ACL |
|---|---|---|---|---|
| Operates at | Layer 3 | Layer 3/4 | Layer 2 | Layer 2 |
| Filters traffic according to | source address | source address; destination address; protocol; TCP or UDP source port or destination port; ICMP type | source address | source address; destination address; encapsulated protocol |
| Applies to traffic on | individual VLAN interface; physical interface (uplink or downlink port) | individual VLAN interface; physical interface (uplink or downlink port) | physical interface (uplink or downlink port) | physical interface (uplink or downlink port) |

The Wireless Edge Services zl Module applies an ACL to traffic that arrives on a
particular interface:
■ You can apply one IP ACL to a VLAN interface. It affects traffic that arrives on
the VLAN interface and is routed to another VLAN.
Traffic arrives on a VLAN interface in these two circumstances:
• The Wireless Edge Services zl Module maps a wireless frame to that VLAN.
In other words, the module decapsulates the frame received from a WLAN,
removes the 802.11 header, and adds an Ethernet header with a tag for that
VLAN. The VLAN assignment might originate in a static setting for the
entire WLAN or from a dynamic assignment received from a RADIUS
server.