Configuring and managing security ACLs 409
Nortel WLAN—Security Switch 2300 Series Configuration Guide

Security ACL filters

A security ACL filters packets to restrict or permit network traffic. These filters can then be mapped by name to authenticated users, ports, VLANs, virtual ports, or Distributed APs. You can also assign a class-of-service (CoS) level that marks the packets matching the filter for priority handling.

A security ACL contains an ordered list of rules called access control entries (ACEs), which specify how to handle packets. An ACE contains an action that can deny the traffic, permit the traffic, or permit the traffic and apply to it a specific CoS level of packet handling. The filter can include source and destination IP address information along with other Layer 3 and Layer 4 parameters. Action is taken only if the packet matches the filter.

The order in which ACEs are listed in an ACL is important. WSS Software applies ACEs that are higher in the list before ACEs lower in the list. (See "Modifying a security ACL" (page 426).) An implicit "deny all" rule is always processed as the last ACE of an ACL. If a packet matches no ACE in the entire mapped ACL, the packet is rejected. If the ACL does not contain at least one ACE that permits access, no traffic is allowed.

Plan your security ACL maps to ports, VLANs, virtual ports, and Distributed APs so that only one security ACL filters a given flow of packets. If more than one security ACL filters the same traffic, WSS Software applies only the first ACL match and ignores any other matches. Security ACLs that are mapped to users have precedence over ACLs mapped to ports, VLANs, virtual ports, or Distributed APs.

You cannot perform ACL functions that include permitting, denying, or marking with a Class of Service (CoS) level on packets with a multicast or broadcast destination address.
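The ordering, first-match and implicit deny-all semantics described above, modelled as an added example (this is illustrative code, not WSS Software or anything from the Nortel guide). It evaluates an ordered ACE list against a packet, applies the user-over-port precedence rule, and adds an assumed `shadowed()` lint that flags ACEs an earlier, broader ACE prevents from ever matching; the ACE fields and sample prefixes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ACE:
    action: str                      # "permit" or "deny"
    src: str                         # source prefix in CIDR form
    dst: str                         # destination prefix in CIDR form
    protocol: Optional[str] = None   # "tcp", "udp", ...; None matches any
    dport: Optional[int] = None      # destination port; None matches any
    cos: Optional[int] = None        # CoS level marked on permitted packets

def _matches(ace, pkt):
    """True if the packet satisfies every criterion the ACE specifies."""
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(ace.dst)
            and ace.protocol in (None, pkt.get("protocol"))
            and ace.dport in (None, pkt.get("dport")))

def evaluate(acl, pkt):
    """ACEs are checked top to bottom; the first match decides. A packet that
    matches no ACE hits the implicit deny-all. Returns (action, cos)."""
    for ace in acl:
        if _matches(ace, pkt):
            return ace.action, (ace.cos if ace.action == "permit" else None)
    return "deny", None

def select_acl(user_acl, port_acl):
    """The ACL mapped to the authenticated user has precedence over the ACL
    mapped to the port, VLAN, virtual port or Distributed AP."""
    return user_acl if user_acl is not None else port_acl

def _covers(outer, inner):
    """True if every packet matching `inner` would already match `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.protocol in (None, inner.protocol)
            and outer.dport in (None, inner.dport))

def shadowed(acl):
    """Assumed lint helper (not a WSS command): indices of ACEs that can never
    take effect because an earlier ACE in the list covers them entirely."""
    return [j for j, ace in enumerate(acl)
            if any(_covers(acl[i], ace) for i in range(j))]
```

Running `shadowed()` over an ACL before mapping it catches the classic mistake of a broad deny placed above the narrower permit it was meant to coexist with.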