Access Control
Last updated
An Access Control List (ACL) lets you define classification rules, or establish criteria, that secure your network by blocking unauthorized users and allowing authorized users to reach specific areas or resources. ACLs provide basic security for network access by controlling whether packets are forwarded or blocked at the switch ports. They are filters that classify data packets according to content in the packet header, such as the source address, destination address, source port number, destination port number, and more. Packet classifiers identify flows for more efficient processing. Each filter defines the conditions that a packet must match to be included in the filter.

ACLs provide packet filtering for IP frames (based on the protocol, TCP/UDP port number, or frame type) or for Layer 2 frames (based on any destination MAC address for unicast, broadcast, or multicast, or on the VLAN ID or VLAN tag priority). ACLs can be used to improve performance by blocking unnecessary network traffic, or to implement security controls by restricting access to specific network resources or protocols. Policies can be used to differentiate service for client ports, server ports, network ports, or guest ports. They can also be used to strictly control network traffic by allowing only incoming frames that match the source MAC and source IP address on a specific port.

ACLs are composed of Access Control Entries (ACEs), which are rules that determine traffic classifications. Each ACE is considered a single rule; up to 256 rules may be defined on each ACL, with up to 3000 rules globally. ACLs are used to provide traffic flow control, restrict the contents of routing updates, and determine which types of traffic are forwarded or blocked. These criteria can be specified based on the MAC address or IP address.
This page displays the currently defined MAC-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.
Item
Description
Index
Profile identifier.
Name
Enter the MAC based ACL name. You can use up to 32 alphanumeric characters.
Use this page to view and add rules to MAC-based ACLs.
Click the Add button to add a new MAC ACE rule:
Item
Description
ACL Name
Select the ACL from the list.
Sequence
Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647, 1 being processed first.
Action
Select what action to take if a packet matches the criteria.
Permit: Forward packets that meet the ACL criteria.
Deny: Drops packets that meet the ACL criteria.
Destination MAC Value
Enter the destination MAC address.
Destination MAC Wildcard Mask
Enter a MAC address mask for the destination MAC address. A mask of 00:00:00:00:00:00 means the bits must be matched exactly; ff:ff:ff:ff:ff:ff means the bits are irrelevant. Any combination of 0s and ffs can be used.
Source MAC Value
Enter the source MAC address.
Source MAC Wildcard Mask
Enter a MAC address mask for the source MAC address. A mask of 00:00:00:00:00:00 means the bits must be matched exactly; ff:ff:ff:ff:ff:ff means the bits are irrelevant. Any combination of 0s and ffs can be used.
VLAN ID
Enter the VLAN ID to which the MAC address is attached in MAC ACE. The range is from 1 to 4094.
802.1p Value
Enter the 802.1p value. The range is from 0 to 7.
Ethertype Value
Selecting this option instructs the switch to examine the Ethernet type value in each frame's header. This option can only be used to filter Ethernet II formatted packets. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), and 8137 (IPX).
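The following is an added example (not the switch's own code) showing how the MAC ACE criteria above combine: the value/wildcard-mask comparison (00 bytes must match, ff bytes are ignored), the optional VLAN ID and Ethertype checks, and evaluation in sequence order with the default drop for frames that match no ACE. The OUI 00:11:22, the MAC addresses and the policy are constructed sample values.

```python
"""Toy evaluator for MAC-based ACEs.

Added example (not the switch firmware).  Models the value/wildcard-mask
semantics stated above: a 00 byte in the mask means that byte must match
exactly, an ff byte means it is ignored.  Frames that match no ACE fall
through to the default rule, which drops them.
"""
from dataclasses import dataclass
from typing import List, Optional


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or dashed form) into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(value: str, mask: str, candidate: str) -> bool:
    """Wildcard-mask compare: only bits that are 0 in the mask are checked."""
    care = ~mac_to_int(mask) & 0xFFFFFFFFFFFF
    return (mac_to_int(value) & care) == (mac_to_int(candidate) & care)


@dataclass
class MacAce:
    sequence: int
    action: str                                 # "permit" or "deny"
    dst_mac: str = "00:00:00:00:00:00"
    dst_mask: str = "ff:ff:ff:ff:ff:ff"         # all ff: destination not checked
    src_mac: str = "00:00:00:00:00:00"
    src_mask: str = "ff:ff:ff:ff:ff:ff"         # all ff: source not checked
    vlan_id: Optional[int] = None               # None: any VLAN
    ethertype: Optional[int] = None             # None: any Ethertype


@dataclass
class Frame:
    dst: str
    src: str
    vlan: int
    ethertype: int


def ace_matches(ace: MacAce, frame: Frame) -> bool:
    """Every configured criterion of the ACE must hold for the frame."""
    if not mac_matches(ace.dst_mac, ace.dst_mask, frame.dst):
        return False
    if not mac_matches(ace.src_mac, ace.src_mask, frame.src):
        return False
    if ace.vlan_id is not None and ace.vlan_id != frame.vlan:
        return False
    if ace.ethertype is not None and ace.ethertype != frame.ethertype:
        return False
    return True


def evaluate_mac_acl(aces: List[MacAce], frame: Frame) -> str:
    """The first ACE in sequence order that matches decides; otherwise drop."""
    for ace in sorted(aces, key=lambda a: a.sequence):
        if ace_matches(ace, frame):
            return ace.action
    return "deny"          # default rule: unmatched frames are dropped


# Constructed sample policy for a port that should only carry frames from
# hosts in the (hypothetical) OUI 00:11:22 on VLAN 10, with IPX blocked.
OUI_MASK = "00:00:00:ff:ff:ff"      # check the first three bytes only
MAC_POLICY = [
    MacAce(10, "deny", src_mac="00:11:22:00:00:00", src_mask=OUI_MASK, ethertype=0x8137),
    MacAce(20, "permit", src_mac="00:11:22:00:00:00", src_mask=OUI_MASK, vlan_id=10),
]

if __name__ == "__main__":
    arp = Frame("ff:ff:ff:ff:ff:ff", "00:11:22:aa:bb:cc", 10, 0x0806)
    print(evaluate_mac_acl(MAC_POLICY, arp))   # permit
```

Note that the result depends on the sequence numbers, not on the order the ACEs were entered: if the two sequence numbers in MAC_POLICY were swapped, the broad permit would be evaluated first and the IPX deny would never be reached.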
Item
Description
Index
Displays the current number of ACLs.
Name
Enter the IP based ACL name. You can use up to 32 alphanumeric characters.
This page displays the currently defined IPv4-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.
Use this page to view and add rules to IPv4-based ACLs.
Click the Add button to add a new IPv4 ACE rule:
Item
Description
ACL Name
Select the ACL from the list for which a rule is being created.
Sequence
Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647, 1 being processed first.
Action
Select what action to take if a packet matches the criteria.
Permit: Forwards packets that meet the ACL criteria.
Deny: Drops packets that meet the ACL criteria.
Protocol
Select Any, Protocol ID, or Select from a List in the drop-down menu.
Any: Check Any to use any protocol.
Protocol ID: Enter the protocol in the ACE to which the packet is matched.
Select from List: Selects the protocol from the list in the provided field.
ICMP: Internet Control Message Protocol (ICMP). The ICMP enables the gateway or destination host to communicate with the source host.
IPinIP: IP in IP encapsulates IP packets to create tunnels between two routers. This ensures that the IP in IP tunnel appears as a single interface, rather than several separate interfaces.
TCP: Transmission Control Protocol (TCP). Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery and guarantees that packets are transmitted and received in the order they are sent.
EGP: Exterior Gateway Protocol (EGP). Permits exchanging routing information between two neighboring gateway hosts in an autonomous systems network.
IGP: Interior Gateway Protocol (IGP). Enables a routing information exchange between gateways within an autonomous network.
UDP: User Datagram Protocol (UDP). UDP is a communication protocol that transmits packets but does not guarantee their delivery.
HMP: The Host Mapping Protocol (HMP) collects network information from various network hosts. HMP monitors hosts spread over the Internet as well as hosts in a single network.
RDP: Reliable Data Protocol (RDP). Provides a reliable data transport service for packet-based applications.
IPv6: Matches the packet to the IPV6 protocol.
IPv6: Rout: Routing Header for IPv6.
IPv6: Frag: Fragment Header for IPv6.
RSVP: Matches the packet to the ReSerVation Protocol (RSVP).
IPv6: ICMP: The Internet Control Message Protocol (ICMP) allows the gateway or destination host to communicate with the source host.
OSPF: The Open Shortest Path First (OSPF) protocol is a link-state hierarchical interior gateway protocol (IGP) for network routing.
PIM: Matches the packet to Protocol Independent Multicast (PIM).
L2TP: Matches the packet to the Layer Two (2) Tunneling Protocol (L2TP). L2TP is an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs).
Destination IP Address Value
Enter the destination IP address.
Destination IP Mask
Enter the mask of the destination IP address.
Destination Port Range
Enter the destination port range.
Source IP Address Value
Enter the source IP address.
Source IP Mask
Enter the mask of the source IP address.
Source Port Range
Enter the source port range.
Flag Set
Select how to handle each of the six TCP control flags, URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronize), and FIN (Finish), from the drop-down menu.
Don't Care: The ACE does not examine this TCP control flag.
Set: A packet matches the criteria only if this TCP control flag is set.
Unset: A packet matches the criteria only if this TCP control flag is clear.
DSCP
In Type of Service, select Any or DSCP to match from the drop-down list. When DSCP to match is selected, enter the DSCP value. The range is from 0 to 63.
ICMP
Select Any, Protocol ID, or Select from List from drop-down menu.
Protocol ID: Enter the protocol in the ACE to which the packet is matched. The range is from 0 to 255.
Select from List: Select the ICMP from the list in the provided field.
ICMP Code
Select Any or User Defined from drop-down menu. When User Defined is selected, enter the ICMP code value. The range is from 0 to 255.
Actions
Select Edit or Delete for this entry.
This page displays the currently defined IPv6-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.
Item
Description
Index
Displays the current number of ACLs.
Name
Enter the IPv6 based ACL name. You can use up to 32 alphanumeric characters.
Use this page to define IPv6-based Access Control Entries (ACEs) within a configured ACL.
Click the Add button to add a new IPv6 ACE rule:
Item
Description
ACL Name
Select the ACL from the list.
Sequence
Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647, 1 being processed first.
Action
Select what action to take if a packet matches the criteria.
Permit: Forward packets that meet the ACL criteria.
Deny: Drops packets that meet the ACL criteria.
Protocol
Select Any, Protocol ID, or Select from List from the drop-down menu.
Protocol ID: Enter the protocol in the ACE to which the packet is matched.
Select from List: Select the protocol from the list in the provided field.
Destination IP Address Value
Enter the destination IP address.
Destination IP Prefix Length
Enter the prefix length of the destination IP address. The range is from 0 to 128.
Destination Port Range
Select Any or Range from the list. Enter the destination port that is matched to packets. The range is from 0 to 65535.
Source IP Address Value
Enter the source IP address.
Source IP Prefix Length
Enter the prefix length of the source IP address. The range is from 0 to 128.
Source Port Range
Select Any or Range from the list. Enter the source port that is matched to packets. The range is from 0 to 65535.
Flag Set
Select how to handle each of the six TCP control flags, URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronize), and FIN (Finish), from the drop-down menu.
Don't Care: The ACE does not examine this TCP control flag.
Set: A packet matches the criteria only if this TCP control flag is set.
Unset: A packet matches the criteria only if this TCP control flag is clear.
DSCP
Select Any or DSCP to match from drop-down list. When DSCP to match is selected, enter the DSCP. The range is from 0 to 63.
ICMP
Select Any, Protocol ID, or Select from List from drop-down menu.
Protocol ID: Enter the protocol in the ACE to which the packet is matched. The range is from 0 to 255.
Select from List: Select the ICMP from the list in the provided field.
ICMP Code
Select Any or User Defined from drop-down menu. When User Defined is selected, enter the ICMP code value. The range is from 0 to 255.
Actions
Select Edit or Delete for this entry.
Use this section to configure the specified port range.
When an ACL is bound to an interface, all the rules that have been defined for the ACL are applied to that interface. Whenever an ACL is assigned on a port or LAG, flows from that ingress or egress interface that do not match the ACL are matched to the default rule of dropping unmatched packets. To bind an ACL to an interface, simply select an interface and select the ACL(s) you wish to bind.
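The following is an added example (not the device's code) that brings together the IPv4 ACE criteria described earlier (protocol, IP value and mask, port range, the per-flag Don't Care / Set / Unset tri-state, and DSCP) with the binding behaviour described above: ACEs are tried in sequence order and a packet that matches none of them hits the default rule and is dropped. Two details are assumptions, not statements from the page: the IPv4 mask is treated as a wildcard mask with the same meaning as the MAC mask (a 255 byte is ignored), and an ACE with flag criteria is taken to match only TCP packets. The 10.0.0.0/24 server range, the 198.51.100.7 source address and the policy are constructed sample values.

```python
"""Toy evaluator for IPv4 ACEs and the default drop on a bound interface.

Added example, not the switch firmware.  Assumptions (not stated on the
page): the IPv4 mask is a wildcard mask like the MAC mask (255 = byte
ignored), and an ACE that specifies TCP flags matches only TCP packets.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

TCP = 6
UDP = 17
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


@dataclass
class Ipv4Ace:
    sequence: int
    action: str                                       # "permit" or "deny"
    protocol: Optional[int] = None                    # None: Any
    src: str = "0.0.0.0"
    src_mask: str = "255.255.255.255"                 # wildcard: all bytes ignored
    dst: str = "0.0.0.0"
    dst_mask: str = "255.255.255.255"
    src_ports: Tuple[int, int] = (0, 65535)
    dst_ports: Tuple[int, int] = (0, 65535)
    flags: Dict[str, str] = field(default_factory=dict)  # flag -> "set"/"unset"; absent = Don't Care
    dscp: Optional[int] = None                        # None: Any


@dataclass
class Packet:
    protocol: int
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    flags: FrozenSet[str] = frozenset()
    dscp: int = 0


def ip_matches(value: str, mask: str, candidate: str) -> bool:
    """Wildcard-mask compare: only bits that are 0 in the mask are checked."""
    care = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    v = int(ipaddress.IPv4Address(value))
    c = int(ipaddress.IPv4Address(candidate))
    return (v & care) == (c & care)


def flags_match(wanted: Dict[str, str], present: FrozenSet[str]) -> bool:
    """Tri-state check: Set must be present, Unset must be absent, Don't Care is ignored."""
    for flag, state in wanted.items():
        if flag not in TCP_FLAGS or state not in ("set", "unset"):
            raise ValueError(f"bad flag criterion {flag}={state}")
        if state == "set" and flag not in present:
            return False
        if state == "unset" and flag in present:
            return False
    return True


def ace_matches(ace: Ipv4Ace, pkt: Packet) -> bool:
    if ace.protocol is not None and ace.protocol != pkt.protocol:
        return False
    if not ip_matches(ace.src, ace.src_mask, pkt.src):
        return False
    if not ip_matches(ace.dst, ace.dst_mask, pkt.dst):
        return False
    if not (ace.src_ports[0] <= pkt.src_port <= ace.src_ports[1]):
        return False
    if not (ace.dst_ports[0] <= pkt.dst_port <= ace.dst_ports[1]):
        return False
    if ace.dscp is not None and ace.dscp != pkt.dscp:
        return False
    if ace.flags:                       # assumption: flag criteria imply TCP
        if pkt.protocol != TCP or not flags_match(ace.flags, pkt.flags):
            return False
    return True


def evaluate_ipv4_acl(aces: List[Ipv4Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence of the deciding ACE); ("deny", None) is the default rule."""
    for ace in sorted(aces, key=lambda a: a.sequence):
        if ace_matches(ace, pkt):
            return ace.action, ace.sequence
    return "deny", None


# Constructed sample: ACL bound to the uplink port in front of servers in
# 10.0.0.0/24 (constructed addresses).  New inbound TCP connections are allowed
# only to port 443, return traffic for server-initiated connections (ACK set)
# is allowed, other new connection attempts (SYN set, ACK unset) are denied
# explicitly, and everything else (UDP, other subnets) hits the default drop.
SERVERS = ("10.0.0.0", "0.0.0.255")
IPV4_POLICY = [
    Ipv4Ace(10, "permit", protocol=TCP, dst=SERVERS[0], dst_mask=SERVERS[1], dst_ports=(443, 443)),
    Ipv4Ace(20, "permit", protocol=TCP, dst=SERVERS[0], dst_mask=SERVERS[1], flags={"ACK": "set"}),
    Ipv4Ace(30, "deny", protocol=TCP, dst=SERVERS[0], dst_mask=SERVERS[1],
            flags={"SYN": "set", "ACK": "unset"}),
]
```

The explicit deny at sequence 30 has the same effect as the default rule for the packets it covers; it is there to document the intent and to show the two-flag criterion. Returning the deciding sequence number makes it easy to see which ACE a given packet hit when an ACL bound to a port does not behave as expected.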
Click Edit to update the system settings.
Item
Description
Port
Select the port to which the ACLs are bound.
MAC ACL
Select the MAC ACL rule to apply to the port.
IPv4 ACL
Select the IPv4 ACL rule to apply to the port.
IPv6 ACL
Select the IPv6 ACL rule to apply to the port.
Click the Apply button to accept the changes or the Cancel button to discard them.