ES-3100 Series Switch Support Notes
All contents copyright (c) 2006 ZyXEL Communications Corporation.
higher weight of parameter just gets the highest weight at all. For example, suppose
you have defined the first classifier with “Source Port” plus “Source Socket” as
its rule parameters, and the second classifier with only “Destination Socket”
as its rule parameter. Since “Destination Socket” has a relatively high weight
compared to “Source Port” or “Source Socket”, the second classifier will have
the higher weight.
The higher the weight a classifier has, the higher the priority of its related
policy rule. A higher-priority policy rule always overrides a lower-priority
policy rule.
ACCESS CONTROL ACL Flow Example
In general, access control is done by assigning a policy for traffic at large
and a specific policy for a subset. For example, the network administrator may
want to deny all IP traffic originating from the subnet 192.168.3.xx, except for
ICMP traffic. The ICMP traffic is a subset of the generic IP traffic. To implement
this policy, the ACL conflict resolution logic must handle this multiple-match
scenario.
In this scenario, all IP traffic originating from the 192.168.3.xx subnet is
discarded. This is implemented by the first rule, with the following:
• Layer 3 protocol type = IP
• IP source address = 192.168.3.0/24
Any matching packet is discarded as specified in ACTION; however, ICMP
traffic originating from the 192.168.3.xx subnet should be forwarded. This
is supported by the second rule, with the following:
• Layer 3 protocol type = IP
• Layer 4 protocol type = ICMP
• IP source address = 192.168.3.0/24
The action of the second rule is not to discard the packet (do not drop the
matching frame previously marked for dropping).
When two rules match a packet and the resulting actions conflict
(discard versus not-discard), a higher-layer rule has priority over a lower-layer
rule. In this case, the action of the second rule (Layer 4) is carried out, because
the first rule only matches up to Layer 3.
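The conflict resolution described above, modelled in software as an added example (this is illustrative code, not the switch's firmware or any ZyXEL tool): two rules are defined exactly as in the text, constructed sample packets are matched against both, and when the actions conflict the rule that classifies at the higher layer wins. The `Rule` and `resolve` names, the packet dictionary layout, and the "forward by default when nothing matches" behaviour are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    """One ACL rule. Fields left as None are wildcards (not part of the match)."""
    name: str
    action: str                     # "discard" or "forward"
    l3_proto: Optional[str] = None  # Layer 3 protocol type, e.g. "IP"
    src_net: Optional[str] = None   # IP source address as a CIDR, e.g. "192.168.3.0/24"
    l4_proto: Optional[str] = None  # Layer 4 protocol type, e.g. "ICMP"

    def layer(self) -> int:
        # A rule that inspects a Layer 4 field is a Layer 4 rule; otherwise Layer 3.
        return 4 if self.l4_proto is not None else 3

    def matches(self, pkt: dict) -> bool:
        if self.l3_proto is not None and pkt.get("l3") != self.l3_proto:
            return False
        if self.src_net is not None:
            src = ipaddress.ip_address(pkt["src"])
            if src not in ipaddress.ip_network(self.src_net, strict=False):
                return False
        if self.l4_proto is not None and pkt.get("l4") != self.l4_proto:
            return False
        return True

def resolve(rules, pkt: dict, default: str = "forward") -> Tuple[str, Optional[str]]:
    """Return (action, winning rule name). Among all matching rules the
    higher-layer rule has priority, mirroring the switch's conflict logic.
    The default action when no rule matches is an assumption of this example."""
    matched = [r for r in rules if r.matches(pkt)]
    if not matched:
        return default, None
    winner = max(matched, key=lambda r: r.layer())
    return winner.action, winner.name

# The two rules from the flow example.
ACL = [
    Rule("rule1-drop-subnet", "discard", l3_proto="IP", src_net="192.168.3.0/24"),
    Rule("rule2-allow-icmp", "forward", l3_proto="IP", src_net="192.168.3.0/24",
         l4_proto="ICMP"),
]

# Constructed sample packets (not captured traffic).
PKT_TCP_FROM_SUBNET = {"l3": "IP", "l4": "TCP", "src": "192.168.3.10"}
PKT_ICMP_FROM_SUBNET = {"l3": "IP", "l4": "ICMP", "src": "192.168.3.10"}
PKT_ICMP_OTHER_SUBNET = {"l3": "IP", "l4": "ICMP", "src": "10.0.0.5"}

if __name__ == "__main__":
    for pkt in (PKT_TCP_FROM_SUBNET, PKT_ICMP_FROM_SUBNET, PKT_ICMP_OTHER_SUBNET):
        action, rule = resolve(ACL, pkt)
        print(f"{pkt['src']:>13} {pkt['l4']:<5} -> {action:<8} (by {rule})")
```

Running it shows the TCP packet from 192.168.3.10 matching only the Layer 3 rule and being discarded, the ICMP packet from the same host matching both rules with the Layer 4 rule winning, and the packet from 10.0.0.5 matching nothing. A useful check when writing such rules on a real switch is that the exception rule really does inspect a higher layer than the general rule; if both were Layer 3 rules, this tie-break would not apply.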