D-Link DES-7200 User Manual
DES-7200 Configuration Guide    Chapter 1 Access Control List Configuration    1-3
Note
An inherent problem of all access lists is address spoofing: supplying forged source addresses to deceive the switch. Even if you use a dynamic list, spoofing remains possible. During the valid access period of an authenticated user, an attacker may use a counterfeit copy of that user's address to access the network. There are two methods to mitigate the problem. One is to keep the time during which a user is permitted to access the network as short as possible, so that an attacker has little opportunity to exploit it. The other is to use the IPsec encryption protocol to encrypt network data, ensuring that all data entering the switch is encrypted.
Access lists are usually configured in the following locations of network devices:
Devices between the inside network and outside network (such as the Internet)
Devices at the borders of two parts in a network
Devices on the access control port
ACL statements are evaluated strictly in the order in which they appear in the table. Starting from the first statement, once the header of a packet matches a condition statement in the table, the remaining statements are skipped.
1.1.4 Input/Output ACL, Filtering Domain Template and Rule
When a device interface receives a message, the input ACL checks whether the message matches an ACE of the ACL applied to the interface in the input direction. When a device interface is ready to send a message, the output ACL checks whether the message matches an ACE of the ACL applied to the interface in the output direction.
When detailed filtering rules are formulated, all or some of the above eight items may be used. As soon as a message matches one ACE, the ACL processes the message as that ACE specifies (permit or deny). The ACE of an ACL identifies Ethernet messages by some of the fields of the Ethernet message. The fields include the following:
Layer-2 fields:
48-bit source MAC address (all 48 bits must be declared)
48-bit destination MAC address (all 48 bits must be declared)
16-bit layer-2 type field
Layer-3 fields:
Source IP address field (you can specify all 32 bits of the IP address, or specify a subnet so that the ACE matches a whole class of streams from that subnet)
Destination IP address field (you can specify all 32 bits of the IP address, or specify a subnet so that the ACE matches a whole class of streams to that subnet)
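The following is an added example, not code from the DES-7200 guide or from D-Link: a small Python model of first-match ACL evaluation over the layer-2 and layer-3 fields listed above. The ACE class, the sample ACL and the packets are all constructed here; the final implicit deny when nothing matches is an assumption of this model, so check the device's own default for the ACL type you configure.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Ace:
    """One access control entry. A field left as None matches anything.
    MACs are exact 48-bit matches; IPs are a /32 host or a subnet."""
    action: str                      # "permit" or "deny"
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    ethertype: Optional[int] = None  # 16-bit layer-2 type field
    src_ip: Optional[str] = None     # e.g. "10.1.1.5/32" or "10.1.0.0/16"
    dst_ip: Optional[str] = None

    def matches(self, pkt: dict) -> bool:
        if self.src_mac and pkt["src_mac"].lower() != self.src_mac.lower():
            return False
        if self.dst_mac and pkt["dst_mac"].lower() != self.dst_mac.lower():
            return False
        if self.ethertype is not None and pkt["ethertype"] != self.ethertype:
            return False
        for field in ("src_ip", "dst_ip"):
            want = getattr(self, field)
            if want and ip_address(pkt[field]) not in ip_network(want, strict=False):
                return False
        return True

def evaluate(acl: List[Ace], pkt: dict) -> str:
    """First-match evaluation: the first ACE whose conditions the packet
    header satisfies decides, and the remaining ACEs are never consulted.
    No match falls through to an implicit deny (assumption of this model)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return "deny"

def packet(src_mac, dst_mac, ethertype, src_ip, dst_ip) -> dict:
    """Constructed packet header carrying only the fields the ACEs inspect."""
    return {"src_mac": src_mac, "dst_mac": dst_mac, "ethertype": ethertype,
            "src_ip": src_ip, "dst_ip": dst_ip}

# Constructed sample ACL. Entry order is the whole point: the host deny sits
# before the subnet permit, so swapping them would let 10.1.1.5 through.
ACL = [
    Ace("deny", src_ip="10.1.1.5/32"),
    Ace("permit", src_ip="10.1.0.0/16", ethertype=0x0800),
    Ace("permit", src_mac="00:11:22:33:44:55"),
]
```

Running `evaluate(ACL, pkt)` and `evaluate(list(reversed(ACL)), pkt)` on the same packet shows how the order of the entries, not just their contents, determines the result.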