WESM zl Management and Configuration Guide WT.01.XX and greater

Access Control Lists (ACLs)
Overview
Operation
The module takes one of the following actions on packets selected by a rule:
deny—the module drops the selected traffic
permit—the module forwards the selected traffic
mark—the module marks the selected traffic for a certain type of QoS and forwards the traffic
Permit and Deny. These operations allow you to control users’ network
access.
Remember, the operation only affects traffic that meets all of the criteria of
the rule. Also, the operation is explicit. That is, the module performs the
operation on selected traffic, but does not perform the opposite action on
traffic that is not selected. Instead, the module attempts to match the traffic
against the next rule in order of precedence.
However, all ACLs include an implicit deny any rule at the end, which drops
all traffic not selected by other rules. In other words, traffic is permitted only
if explicitly permitted by one of the ACL's rules. Therefore, whenever you
apply an ACL to an interface, make sure that you include a rule to permit all
traffic that you want the Wireless Edge Services zl Module to forward.
Mark. Besides deny and permit, a third operation is mark, which marks
traffic for a particular type of QoS or Type of Service (TOS). Marked traffic is
also forwarded. The mark operation only takes effect for ACLs applied to
physical interfaces.
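
The rule evaluation described above can be modeled as follows. This is an added example, not code from the module or this guide: the Rule fields, the evaluate and audit helpers, the sample addresses, and the assumption that a lower precedence number is evaluated first are all illustrative. It does not model the restriction of mark to physical interfaces.

```python
# Added illustration: a simplified model, not the module's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    precedence: int              # assumption: lower number is evaluated first
    action: str                  # "deny", "permit" or "mark"
    src: str                     # source network in CIDR form
    dst: str                     # destination network in CIDR form
    dot1p: Optional[int] = None  # 802.1p class (0-7), used only by "mark"

    def selects(self, src_ip, dst_ip):
        # A rule selects a packet only when ALL of its criteria match.
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

def evaluate(acl, src_ip, dst_ip):
    """Return (forwarded, dot1p_class, matched_precedence)."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if not rule.selects(src_ip, dst_ip):
            continue             # not selected: try next rule, no opposite action
        if rule.action == "deny":
            return (False, None, rule.precedence)
        if rule.action == "permit":
            return (True, None, rule.precedence)
        if rule.action == "mark":
            return (True, rule.dot1p, rule.precedence)  # marked AND forwarded
        raise ValueError(f"unknown action {rule.action!r}")
    return (False, None, None)   # implicit "deny any" at the end of every ACL

# Constructed sample ACL (private address ranges chosen for illustration).
ACL = [
    Rule(10, "deny",   "10.1.0.0/16", "10.9.9.0/24"),
    Rule(20, "mark",   "10.1.5.0/24", "10.2.0.0/16", dot1p=5),
    Rule(30, "permit", "10.1.0.0/16", "10.2.0.0/16"),
]

def audit(acl, flows):
    """List flows that only the implicit deny drops (a likely missing permit)."""
    return [f for f in flows if evaluate(acl, *f) == (False, None, None)]

if __name__ == "__main__":
    for flow in [("10.1.5.7", "10.2.0.1"), ("10.1.8.8", "10.2.0.1"),
                 ("10.1.5.7", "10.9.9.1"), ("10.3.0.1", "10.2.0.1")]:
        print(flow, evaluate(ACL, *flow))
```

Running audit against the flows you expect the module to forward shows which of them match no explicit rule and are therefore dropped by the implicit deny any rule.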
Two protocols define QoS classes:
802.1p—a mechanism for implementing QoS at Layer 2
802.1p divides traffic into different classes and provides expedited service
to traffic in higher-priority classes. Eight different classes of service (0
through 7) are available. The class is indicated in three bits of an 802.1Q
VLAN tag. Table 7-1 shows the type of service typically associated with
each 802.1p class. However, the actual treatment for each class is left to
your network implementation. The Wireless Edge Services zl Module
simply marks traffic for a particular class.