ACL overview
An access control list (ACL) is a container for rules that permit or deny network traffic based on criteria that you specify.
When a frame or packet is received or sent, the device compares its header fields against the rules in applied ACLs. This comparison is done according to a rule sequence, which you can specify. Based on the comparison, the device either forwards or drops the frame or packet.
The benefits of ACLs include the following:
- Provide security and traffic management.
- Monitor network and user traffic.
- Save network resources by classifying traffic.
- Protect against denial of service (DoS) attacks.
Regarding the range of filtering options, there are two types of ACL:
- Standard ACLs — Permit, deny, or hard-drop traffic according to source address only.
- Extended ACLs — Permit, deny, or hard-drop traffic according to source and destination addresses, as well as other parameters. For example, in an extended ACL, you can also filter by one or more of the following:
  - Port name or number
  - Protocol, for example TCP/UDP port name or number
  - TCP flags
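To make the rule-sequence ordering and the standard-versus-extended distinction concrete, here is an added Python model of first-match ACL evaluation; it is not SLX-OS code, and the rule set, addresses and packets are constructed. It assumes an implicit deny when no rule matches and treats hard-drop only as a distinct action label, since this page does not define how it differs from deny.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    seq: int                            # rules are compared in ascending sequence order
    action: str                         # "permit", "deny" or "hard-drop"
    src: str = "0.0.0.0/0"              # source prefix: the only criterion a standard ACL uses
    dst: Optional[str] = None           # destination prefix (extended ACLs)
    proto: Optional[str] = None         # "tcp", "udp", ... (extended ACLs)
    dport: Optional[int] = None         # destination port (extended ACLs)
    tcp_flags: frozenset = frozenset()  # TCP flags that must all be set (extended ACLs)

    def matches(self, pkt: dict) -> bool:
        """Unset criteria are wildcards; every criterion that is set must match the header."""
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and (self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst))
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and self.tcp_flags <= pkt.get("flags", frozenset()))

@dataclass
class Acl:
    kind: str                           # "standard" or "extended"
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        uses_extended = rule.dst or rule.proto or rule.dport is not None or rule.tcp_flags
        if self.kind == "standard" and uses_extended:
            raise ValueError("a standard ACL filters on source address only")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)  # keep the rule sequence you specified

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        for rule in self.rules:             # first matching rule decides
            if rule.matches(pkt):
                return rule.action, rule.seq
        return "deny", None                 # assumed implicit deny when nothing matches

def build_example_acl() -> Acl:
    # constructed sample policy; addresses come from documentation ranges, not a real network
    acl = Acl("extended")
    acl.add(Rule(30, "deny", proto="tcp", tcp_flags=frozenset({"syn"})))      # no other new TCP sessions
    acl.add(Rule(10, "hard-drop", src="198.51.100.0/24"))                     # unwanted source, checked first
    acl.add(Rule(20, "permit", proto="tcp", dst="192.0.2.10/32", dport=443))  # HTTPS to the web server
    acl.add(Rule(40, "permit"))                                               # everything else
    return acl
```

Because rule 30 precedes rule 40, a SYN to any port other than 443 on the web server is denied while non-SYN segments fall through to the final permit; moving rule 30 after rule 40 would silently change that outcome.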
Regarding layer and protocol, ACL types are as follows:
For information on hardware-based filtering of IP subnet-based directed broadcast and network-address traffic, refer to "IP broadcast ACLs (bACLs)."
If SLX 9850 is configured as a network packet-broker, user-defined ACLs (UDAs) are supported. For details, refer to Extreme SLX-OS Network Packet Broker Configuration Guide: