Access Control
An Access Control List (ACL) lets you define classification rules, or criteria, that secure your network by blocking unauthorized users and allowing authorized users to reach specific areas or resources. ACLs provide basic security for network access by controlling whether packets are forwarded or blocked at the switch ports.

ACLs are filters that classify data packets according to content in the packet header, such as the source address, destination address, source port number, destination port number, and more. Packet classifiers identify flows for more efficient processing; each filter defines the conditions a packet must match to be included in the filter. ACLs provide packet filtering for IP frames (based on the protocol, TCP/UDP port number, or frame type) or for layer 2 frames (based on any destination MAC address for unicast, broadcast, or multicast, or on the VLAN ID or VLAN tag priority).

ACLs can be used to improve performance by blocking unnecessary network traffic, or to implement security controls by restricting access to specific network resources or protocols. Policies can differentiate service for client ports, server ports, network ports, or guest ports. They can also be used to strictly control network traffic by allowing only incoming frames that match the source MAC and source IP address on a specific port.

ACLs are composed of Access Control Entries (ACEs), which are rules that determine traffic classifications. Each ACE is a single rule; up to 256 rules may be defined in each ACL, and up to 3000 rules globally. ACLs provide traffic flow control, restrict the contents of routing updates, and determine which types of traffic are forwarded or blocked. The matching criteria can be based on the MAC address or the IP address.
MAC ACL
This page displays the currently defined MAC-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.

| Items | Descriptions |
| --- | --- |
| Index | Profile identifier. |
| Name | Enter the MAC-based ACL name. You can use up to 32 alphanumeric characters. |
MAC ACE
Use this page to view and add rules to MAC-based ACLs.
Click the Add button to add new MAC ACE rule:
| Items | Descriptions |
| --- | --- |
| ACL Name | Select the ACL from the list. |
| Sequence | Enter the sequence number, which determines the order of this rule relative to the other rules assigned to the selected interface. The valid range is from 1 to 2147483647; 1 is processed first. |
| Action | Select the action to take when a packet matches the criteria. Permit: Forwards packets that meet the ACL criteria. Deny: Drops packets that meet the ACL criteria. |
| Destination MAC Value | Enter the destination MAC address. |
| Destination MAC Wildcard Mask | Enter a MAC address mask for the destination MAC address. A mask of 00:00:00:00:00:00 means every bit must match exactly; ff:ff:ff:ff:ff:ff means the bits are ignored. Any combination of 00 and ff octets can be used. |
| Source MAC Value | Enter the source MAC address. |
| Source MAC Wildcard Mask | Enter a MAC address mask for the source MAC address. A mask of 00:00:00:00:00:00 means every bit must match exactly; ff:ff:ff:ff:ff:ff means the bits are ignored. Any combination of 00 and ff octets can be used. |
| VLAN ID | Enter the VLAN ID that a frame must carry for this MAC ACE to match. The range is from 1 to 4094. |
| 802.1p Value | Enter the 802.1p priority value. The range is from 0 to 7. |
| Ethertype Value | Selecting this option instructs the switch to examine the Ethernet type value in each frame's header. This option can only be used to filter Ethernet II formatted packets. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), and 8137 (IPX). |
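As an added example (not from this manual or the switch firmware), the following Python models how a MAC ACL is evaluated with the field semantics in the table above: per-octet wildcard-mask matching, lowest Sequence processed first, first match wins, and a default deny for frames that no ACE matches. The OUI 00:11:22 and the policy are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def mac_matches(value: str, wildcard: str, actual: str) -> bool:
    """Wildcard semantics from the table above: where a mask octet is 00 the
    frame's octet must equal the configured value; where it is ff it is ignored."""
    v, w, a = (bytes.fromhex(m.replace(":", "")) for m in (value, wildcard, actual))
    return all((vb & ~wb & 0xFF) == (ab & ~wb & 0xFF) for vb, wb, ab in zip(v, w, a))

@dataclass
class MacAce:
    sequence: int
    action: str                              # "permit" or "deny"
    src: str = "00:00:00:00:00:00"
    src_mask: str = "ff:ff:ff:ff:ff:ff"      # all-ff mask: any source
    dst: str = "00:00:00:00:00:00"
    dst_mask: str = "ff:ff:ff:ff:ff:ff"      # all-ff mask: any destination
    vlan: Optional[int] = None               # None: VLAN ID not checked
    ethertype: Optional[int] = None          # None: Ethertype not checked

def evaluate(aces, src: str, dst: str, vlan: int, ethertype: int) -> str:
    """Lowest Sequence first, first match wins; frames no ACE matches hit the default deny."""
    for ace in sorted(aces, key=lambda r: r.sequence):
        if (mac_matches(ace.src, ace.src_mask, src)
                and mac_matches(ace.dst, ace.dst_mask, dst)
                and (ace.vlan is None or ace.vlan == vlan)
                and (ace.ethertype is None or ace.ethertype == ethertype)):
            return ace.action
    return "deny"

# Constructed policy: only stations whose MAC begins with the made-up OUI 00:11:22
# may send ARP (0x0806) or IPv4 (0x0800) on VLAN 10; everything else is dropped.
# The three ff octets in the mask ignore the device-specific half of the address.
OUI_MASK = "00:00:00:ff:ff:ff"
POLICY = [
    MacAce(10, "permit", src="00:11:22:00:00:00", src_mask=OUI_MASK, vlan=10, ethertype=0x0806),
    MacAce(20, "permit", src="00:11:22:00:00:00", src_mask=OUI_MASK, vlan=10, ethertype=0x0800),
]
```

Running a candidate policy through such a model before binding it is a cheap way to confirm that the default deny does not also drop traffic you still need on that port.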
IPv4 ACL
This page displays the currently defined IPv4-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.

| Items | Descriptions |
| --- | --- |
| Index | Displays the current number of ACLs. |
| Name | Enter the IP-based ACL name. You can use up to 32 alphanumeric characters. |
IPv4 ACE
Use this page to view and add rules to IPv4-based ACLs.
Click the Add button to add new IPv4 ACE rule:
| Items | Descriptions |
| --- | --- |
| ACL Name | Select the ACL from the list for which a rule is being created. |
| Sequence | Enter the sequence number, which determines the order of this rule relative to the other rules assigned to the selected interface. The valid range is from 1 to 2147483647; 1 is processed first. |
| Action | Select the action to take when a packet matches the criteria. Permit: Forwards packets that meet the ACL criteria. Deny: Drops packets that meet the ACL criteria. |
| Protocol | Select Any, Protocol ID, or Select from List in the drop-down menu. Any: Match any protocol. Protocol ID: Enter the protocol number in the ACE against which the packet is matched. Select from List: Select the protocol from the list in the provided field. |
| Destination IP Address Value | Enter the destination IP address. |
| Destination IP Mask | Enter the mask of the destination IP address. |
| Destination Port Range | Enter the destination port range. |
| Source IP Address Value | Enter the source IP address. |
| Source IP Mask | Enter the mask of the source IP address. |
| Source Port Range | Enter the source port range. |
| Flag Set | Choose from the drop-down menu how each of the six TCP control flags, URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronize), and FIN (Finish), is handled. Don't Care: The ACE does not examine the flag. Set: A packet in which the flag is set matches the criteria. Unset: A packet in which the flag is clear matches the criteria. |
| DSCP | In Type of Service, select Any or DSCP to match from the drop-down list. When DSCP to match is selected, enter the DSCP value. The range is from 0 to 63. |
| ICMP | Select Any, Protocol ID, or Select from List from the drop-down menu. Protocol ID: Enter the protocol number in the ACE against which the packet is matched. The range is from 0 to 255. Select from List: Select the ICMP type from the list in the provided field. |
| ICMP Code | Select Any or User Defined from the drop-down menu. When User Defined is selected, enter the ICMP code value. The range is from 0 to 255. |
| Actions | Select Edit or Delete for this entry. |
IPv6 ACL
This page displays the currently defined IPv6-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.

| Items | Descriptions |
| --- | --- |
| Index | Displays the current number of ACLs. |
| Name | Enter the IPv6-based ACL name. You can use up to 32 alphanumeric characters. |
IPv6 ACE
Allows IPv6 Based Access Control Entry (ACE) to be defined within a configured ACL.
Click the Add button to add new IPv6 ACE rule:
| Items | Descriptions |
| --- | --- |
| ACL Name | Select the ACL from the list. |
| Sequence | Enter the sequence number, which determines the order of this rule relative to the other rules assigned to the selected interface. The valid range is from 1 to 2147483647; 1 is processed first. |
| Action | Select the action to take when a packet matches the criteria. Permit: Forwards packets that meet the ACL criteria. Deny: Drops packets that meet the ACL criteria. |
| Protocol | Select Any, Protocol ID, or Select from List from the drop-down menu. Protocol ID: Enter the protocol number in the ACE against which the packet is matched. Select from List: Select the protocol from the list in the provided field. |
| Destination IP Address Value | Enter the destination IP address. |
| Destination IP Prefix Length | Enter the prefix length of the destination IP address. The range is from 0 to 128. |
| Destination Port Range | Select Any or Range from the list. Enter the destination port that is matched against packets. The range is from 0 to 65535. |
| Source IP Address Value | Enter the source IP address. |
| Source IP Prefix Length | Enter the prefix length of the source IP address. The range is from 0 to 128. |
| Source Port Range | Select Any or Range from the list. Enter the source port that is matched against packets. The range is from 0 to 65535. |
| Flag Set | Choose from the drop-down menu how each of the six TCP control flags, URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronize), and FIN (Finish), is handled. Don't Care: The ACE does not examine the flag. Set: A packet in which the flag is set matches the criteria. Unset: A packet in which the flag is clear matches the criteria. |
| DSCP | Select Any or DSCP to match from the drop-down list. When DSCP to match is selected, enter the DSCP value. The range is from 0 to 63. |
| ICMP | Select Any, Protocol ID, or Select from List from the drop-down menu. Protocol ID: Enter the protocol number in the ACE against which the packet is matched. The range is from 0 to 255. Select from List: Select the ICMP type from the list in the provided field. |
| ICMP Code | Select Any or User Defined from the drop-down menu. When User Defined is selected, enter the ICMP code value. The range is from 0 to 255. |
| Actions | Select Edit or Delete for this entry. |
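The following Python is an added example, not code from this manual or the switch firmware. It models matching for the IPv4 ACE fields (mask) and the IPv6 ACE fields (prefix length) described in the two tables above, including port ranges, the Set/Unset/Don't Care choices for TCP flags, Sequence order, and the default deny applied to traffic no rule matches. It assumes the IPv4 mask is a wildcard mask in the same 0 = must match convention the MAC ACE mask uses; if your firmware expects a subnet mask, invert it before entering it here. The addresses and the policy are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple, Union

@dataclass
class Ace:  # one IPv4 or IPv6 ACE as entered in the UI; None stands for the Any choice
    sequence: int
    action: str                                   # "permit" or "deny"
    protocol: Optional[int] = None                # IP protocol number, e.g. 6 = TCP, 1 = ICMP
    src: str = "0.0.0.0"
    src_mask: Union[str, int] = "255.255.255.255"  # IPv4 wildcard mask, or IPv6 prefix length
    dst: str = "0.0.0.0"
    dst_mask: Union[str, int] = "255.255.255.255"  # for IPv6 use "::" with prefix length 0 for Any
    src_ports: Optional[Tuple[int, int]] = None   # inclusive (low, high)
    dst_ports: Optional[Tuple[int, int]] = None
    flags: Dict[str, str] = field(default_factory=dict)  # {"SYN": "set", "ACK": "unset"}; unlisted = Don't Care

def addr_matches(value: str, mask: Union[str, int], actual: str) -> bool:
    # IPv4: wildcard mask, 0 bit = must match (assumed; same convention as the MAC ACE mask).
    # IPv6: prefix length, the leading `mask` bits must match.
    v, a = ipaddress.ip_address(value), ipaddress.ip_address(actual)
    care = (~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF if v.version == 4
            else ((1 << 128) - 1) ^ ((1 << (128 - int(mask))) - 1))
    return v.version == a.version and int(v) & care == int(a) & care

def port_ok(rng: Optional[Tuple[int, int]], port: Optional[int]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def ace_matches(ace: Ace, pkt: dict) -> bool:
    return ((ace.protocol is None or pkt["proto"] == ace.protocol)
            and addr_matches(ace.src, ace.src_mask, pkt["src"])
            and addr_matches(ace.dst, ace.dst_mask, pkt["dst"])
            and port_ok(ace.src_ports, pkt.get("sport"))
            and port_ok(ace.dst_ports, pkt.get("dport"))
            and all((f in pkt.get("flags", ())) == (want == "set") for f, want in ace.flags.items()))

def evaluate(aces, pkt: dict) -> str:  # lowest Sequence first, first match wins, else default deny
    for ace in sorted(aces, key=lambda r: r.sequence):
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# Constructed policy: 192.0.2.0/24 may open HTTPS to 198.51.100.10; any other new
# TCP connection (SYN set, ACK unset) is dropped; established flows and ICMP pass.
POLICY = [
    Ace(10, "permit", 6, src="192.0.2.0", src_mask="0.0.0.255", dst="198.51.100.10", dst_mask="0.0.0.0", dst_ports=(443, 443)),
    Ace(20, "deny", 6, flags={"SYN": "set", "ACK": "unset"}),
    Ace(30, "permit", 6, flags={"ACK": "set"}),
    Ace(40, "permit", 1),
]
```

Note that rule 20 sits before rule 30 on purpose: with the order reversed, a SYN-only packet would match the ACK Don't Care rule first and the "new connections" restriction would never take effect.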
Port Range
Use this section to configure a specified port range.
Port Binding
When an ACL is bound to an interface, all the rules defined for the ACL are applied to that interface. Whenever an ACL is assigned to a port or LAG, flows on that ingress or egress interface that match no rule in the ACL are handled by the default rule, which drops unmatched packets. To bind an ACL to an interface, select the interface and then select the ACL(s) you wish to bind.
Click Edit to update the system settings.

| Items | Descriptions |
| --- | --- |
| Port | Select the port to which the ACLs are bound. |
| MAC ACL | Select the MAC ACL to apply to the port. |
| IPv4 ACL | Select the IPv4 ACL to apply to the port. |
| IPv6 ACL | Select the IPv6 ACL to apply to the port. |