WESM zl Management and Configuration Guide WT.01.XX and greater

Access Control Lists (ACLs)
Overview
ACL Types
The Wireless Edge Services zl Module supports two basic ACL types:
IP ACLs—based on the IP header (Layer 3)
IP ACLs control traffic inbound on an interface. They can apply to the
Wireless Edge Services zl Module’s virtual LAN (VLAN) interfaces or to
its two physical interfaces: the internal uplink and downlink ports. If
applied to a VLAN interface, the IP ACLs control routed traffic. If applied
to a physical port, the IP ACLs control inbound traffic on all VLANs tagged
for that interface.
MAC ACLs—based on the Media Access Control (MAC) header (Layer 2)
Standard MAC ACLs are used for MAC authentication. You can apply
extended MAC ACLs to the module’s physical interfaces, but not to its
VLAN interfaces. Like IP ACLs, the extended MAC ACLs affect inbound
traffic.
Both types of ACLs include two subtypes: standard and extended.
Standard IP ACLs
Standard IP ACLs permit and deny traffic according to source IP addresses.
They match inbound traffic based on the following IP header fields:
source IP address—either any IP address, an individual (“host”) IP
address, or all IP addresses in a particular subnetwork
WLAN index—the index number (1 through 256) of the WLAN through
which the packet arrived (for physical interfaces only)
You can apply a standard IP ACL to inbound traffic on either a logical (VLAN
or tunnel) interface or a physical (internal uplink or downlink) interface.
When you apply an ACL to a logical interface, the traffic must be routed to be
filtered.
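
The following Python model of the standard IP ACL matching described above is an added illustration, not taken from the guide or the module's software, and it is not module CLI syntax. The names Rule and evaluate and the sample addresses are constructed; first-match rule ordering and the default deny for unmatched traffic are assumptions that the text above does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    source: str                 # "any", a host address, or a subnet in CIDR form
    wlan: Optional[int] = None  # WLAN index 1 through 256 (physical interfaces only)

    def __post_init__(self):
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if self.wlan is not None and not 1 <= self.wlan <= 256:
            raise ValueError("WLAN index must be 1 through 256")

    def matches(self, src_ip, wlan):
        if self.wlan is not None and self.wlan != wlan:
            return False
        if self.source == "any":
            return True
        # A bare host address parses as a /32 network, so host and subnet share one test.
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)

def evaluate(rules, iface_kind, src_ip, wlan=None, routed=True):
    """Return 'permit', 'deny' or 'not-filtered' for one inbound packet."""
    if iface_kind not in ("logical", "physical"):
        raise ValueError("iface_kind must be 'logical' or 'physical'")
    if iface_kind == "logical":
        if any(r.wlan is not None for r in rules):
            raise ValueError("WLAN index applies to physical interfaces only")
        if not routed:
            return "not-filtered"  # a logical-interface ACL filters routed traffic only
    for rule in rules:             # ASSUMPTION: the first matching rule decides
        if rule.matches(src_ip, wlan):
            return rule.action
    return "deny"                  # ASSUMPTION: unmatched traffic is denied

# Constructed sample ACLs (addresses and WLAN index are illustrative only).
VLAN_ACL = [Rule("deny", "10.1.20.77"), Rule("permit", "10.1.20.0/24")]
PHYS_ACL = [Rule("permit", "any", wlan=3)]

if __name__ == "__main__":
    print(evaluate(VLAN_ACL, "logical", "10.1.20.77"))                # routed
    print(evaluate(VLAN_ACL, "logical", "10.1.20.77", routed=False))  # not routed
    print(evaluate(PHYS_ACL, "physical", "10.9.9.9", wlan=4))
```

The second call shows the point to check when reviewing a design: the host that the VLAN-interface ACL denies is not filtered at all when its traffic is not routed, so the same restriction has to be applied on a physical interface to cover that traffic.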
Extended IP ACLs
Extended IP ACLs can permit and deny traffic according to more sophisticated
criteria than standard IP ACLs. They match inbound traffic based on the
following IP header fields:
source and destination IP address—either any IP address, an individual
(“host”) IP address, or all IP addresses in a particular subnetwork
ICMP message type and code