3Com 3848 Implementation Guide - Page 77

Access Control Lists
Access Control Lists are a set of instructions that can be applied to filter
traffic on VLANs. They can be used to limit access to certain segments of
the network and are therefore useful for network security.
Access Control Lists can be used to:
■ Prevent unnecessary network traffic.
■ Restrict access to proprietary information within the network.
Access Control Lists are based on a series of rules. Rules are applied to
VLANs and determine the path or access limitations for packets received
on a VLAN. When a packet is received on a VLAN, it is compared to the
access list for that VLAN. If a match is found, meaning the packet falls
under the rule, it is blocked or forwarded to the appropriate VLAN
depending on the action.
Rules are established based on IP addressing. A packet matches an access
list rule when its destination IP address falls within the range defined by
the rule. When a match is found, the path the packet takes is determined by
the rule: the packet is either forwarded (permitted) or dropped (denied).
A maximum of 100 access lists can be applied under the current operating
system. Access list rules are applied and traffic is forwarded at wire
speed using layer 3 destination IP addresses and VLANs.
How Access Control List Rules Work
When a packet is received it is compared against the VLAN access list. The
access list rules are applied to a range of IP addresses and are defined by
the destination IP address and a mask. If a match is found in the access
list the appropriate action is taken. By default, if no access list has been
defined for a VLAN, all IP traffic will be permitted. Denial is based on a
pre-defined rule. As described here, only the destination address is
consulted: source address, protocol and port play no part in the match, and
a VLAN with no access list defined is left unfiltered.
For example:
Packet destination IP address: 10.101.67.45
Rule destination address: 10.101.67.0
Rule destination mask: 255.255.255.0
Rule action: deny
The packet's destination address lies within 10.101.67.0/24, the range
defined by the rule address and mask, so the packet matches the rule and is
dropped.
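The match above, worked through as an added example (this is not code from the 3Com guide or from the switch firmware): it models a per-VLAN access list of destination-address-and-mask rules, the masked comparison that decides a match, and the page's default of permitting all IP traffic on a VLAN that has no access list. Rule ordering, first-match evaluation, and what happens when a list exists but no rule matches are not specified on this page; the code treats them as assumptions and says so. VLAN IDs, the extra host rule and the packets are constructed sample data.

```python
# Added example: a model of the destination-address ACL matching the
# 3Com guide describes. This is not the switch's own code.
# Assumptions not stated on the page: rules within a VLAN's list are
# evaluated in order and the first match wins, and a packet that matches
# no rule is permitted, since denial only happens by an explicit deny rule.
# All addresses, VLAN IDs and rules below are constructed sample data.
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


def to_int(addr: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(IPv4Address(addr))


@dataclass(frozen=True)
class Rule:
    dest: str    # rule destination address, e.g. "10.101.67.0"
    mask: str    # rule destination mask, e.g. "255.255.255.0"
    action: str  # "permit" or "deny"

    def matches(self, dst_ip: str) -> bool:
        """True when the packet's destination falls in the rule's range.

        Both sides are masked, so a rule written as 10.101.67.45/255.255.255.0
        behaves exactly like 10.101.67.0/255.255.255.0. Only the destination
        address is examined; source, protocol and port are never consulted.
        """
        m = to_int(self.mask)
        return (to_int(dst_ip) & m) == (to_int(self.dest) & m)


# VLAN ID -> ordered access list for that VLAN
AccessLists = Dict[int, List[Rule]]


def first_match(rules: List[Rule], dst_ip: str) -> Optional[int]:
    """Index of the first rule that matches, or None (ordering is assumed)."""
    for i, rule in enumerate(rules):
        if rule.matches(dst_ip):
            return i
    return None


def decide(acls: AccessLists, vlan: int, dst_ip: str) -> str:
    """Return "permit" or "deny" for a packet received on `vlan`."""
    rules = acls.get(vlan)
    if rules is None:
        # Page: no access list defined for the VLAN -> all IP traffic permitted.
        return "permit"
    idx = first_match(rules, dst_ip)
    if idx is None:
        # Assumption: no rule matched, so nothing denies the packet; forward it.
        return "permit"
    return rules[idx].action


# Constructed sample configuration. The /24 deny is the page's example rule;
# the /32 permit in front of it carves one host out of that range.
ACLS: AccessLists = {
    10: [
        Rule("10.101.67.254", "255.255.255.255", "permit"),
        Rule("10.101.67.0", "255.255.255.0", "deny"),
    ],
    # VLAN 20 deliberately has no access list at all.
}

# The same rules in the opposite order: the broad deny now shadows the host
# exception, which is the ordering mistake an ordered list invites.
ACLS_SHADOWED: AccessLists = {
    10: list(reversed(ACLS[10])),
}

if __name__ == "__main__":
    for vlan, dst in [(10, "10.101.67.45"), (10, "10.101.67.254"),
                      (10, "10.101.68.1"), (20, "10.101.67.45")]:
        print(f"VLAN {vlan:<3} dst {dst:<14} -> {decide(ACLS, vlan, dst)}")
    print("shadowed host exception:", decide(ACLS_SHADOWED, 10, "10.101.67.254"))
```

Running the block prints the decision for each constructed packet: the page's own packet is denied on VLAN 10, the carved-out host is permitted, a destination outside the /24 is forwarded, and the same packet on VLAN 20 passes untouched because that VLAN has no list. The reversed copy of the list shows why a narrow permit must precede a broad deny if the switch evaluates rules in order.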