Access Control

An Access Control List (ACL) allows you to define classification rules or establish criteria to secure your network by blocking unauthorized users and allowing authorized users to access specific areas or resources. ACLs provide basic security for access to the network by controlling whether packets are forwarded or blocked at the switch ports. ACLs are filters that classify data packets according to the content of the packet header, such as the source address, destination address, source port number, destination port number, and more. Packet classifiers identify flows for more efficient processing. Each filter defines the conditions that must match for a packet to be included in the filter.

ACLs provide packet filtering for IP frames (based on the protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast, or multicast, or based on VLAN ID or VLAN tag priority). ACLs can be used to improve performance by blocking unnecessary network traffic, or to implement security controls by restricting access to specific network resources or protocols. Policies can be used to differentiate service for client ports, server ports, network ports, or guest ports. They can also be used to strictly control network traffic by only allowing incoming frames that match the source MAC and source IP address on a specific port.

ACLs are composed of Access Control Entries (ACEs), which are rules that determine traffic classifications. Each ACE is considered a single rule; up to 256 rules may be defined on each ACL, with up to 3000 rules globally. ACLs are used to provide traffic flow control, restrict the contents of routing updates, and determine which types of traffic are forwarded or blocked. These criteria can be specified based on the MAC address or IP address.

MAC ACL

This page displays the currently defined MAC-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.

Items

Descriptions

Index

Profile identifier.

Name

Enter the MAC based ACL name. You can use up to 32 alphanumeric characters.

MAC ACE

Use this page to view and add rules to MAC-based ACLs.

Click the Add button to add a new MAC ACE rule:

ACL Name

Select the ACL from the list.

Sequence

Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647, 1 being processed first.

Action

Select what action to take if a packet matches the criteria.

Permit: Forwards packets that meet the ACL criteria.

Deny: Drops packets that meet the ACL criteria.

Destination MAC Value

Enter the destination MAC address.

Destination MAC Wildcard Mask

Enter a MAC address mask for the destination MAC address. A mask of 00:00:00:00:00:00 means the bits must be matched exactly; ff:ff:ff:ff:ff:ff means the bits are irrelevant. Any combination of 0s and ffs can be used.

Source MAC Value

Enter the source MAC address.

Source MAC Wildcard Mask

Enter a MAC address mask for the source MAC address. A mask of 00:00:00:00:00:00 means the bits must be matched exactly; ff:ff:ff:ff:ff:ff means the bits are irrelevant. Any combination of 0s and ffs can be used.
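The two wildcard-mask fields above use the opposite convention from a subnet mask: an ff octet means "ignore these bits", and 00 means "these bits must match". The following Python model is added here as an illustration of that semantics; it is not code from the switch, and the addresses and the OUI rule it uses are constructed.

```python
# Added example: a model of MAC wildcard-mask matching as the page describes it
# (00 = the bits must match exactly, ff = the bits are irrelevant). This is not
# switch code; the addresses used below are constructed for illustration.

MAC_BITS = 0xFFFFFFFFFFFF  # 48 address bits


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer, rejecting malformed input."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)


def mac_matches(frame_mac: str, ace_value: str, wildcard_mask: str) -> bool:
    """Return True when frame_mac matches ace_value under wildcard_mask.

    A mask bit of 1 (an ff octet) means the ACE does not care about that bit;
    a mask bit of 0 means the frame's bit must equal the ACE value's bit.
    This is the inverse of a subnet mask: ff:ff:ff:ff:ff:ff matches every
    address, 00:00:00:00:00:00 requires an exact match.
    """
    care = ~mac_to_int(wildcard_mask) & MAC_BITS
    return (mac_to_int(frame_mac) & care) == (mac_to_int(ace_value) & care)


def compared_bits(wildcard_mask: str) -> int:
    """Number of address bits an ACE with this mask actually compares."""
    return bin(~mac_to_int(wildcard_mask) & MAC_BITS).count("1")


# Constructed ACE: match any address from the OUI 00:11:22 (first three
# octets fixed, last three ignored).
OUI_VALUE = "00:11:22:00:00:00"
OUI_MASK = "00:00:00:ff:ff:ff"

if __name__ == "__main__":
    for mac in ("00:11:22:aa:bb:cc", "00:11:23:aa:bb:cc"):
        print(mac, "matches OUI ACE:", mac_matches(mac, OUI_VALUE, OUI_MASK))
    # Entering the mask subnet-style (ff:ff:ff:00:00:00) fixes the wrong half
    # of the address: only the last 24 bits are compared.
    print("bits compared by ff:ff:ff:00:00:00:", compared_bits("ff:ff:ff:00:00:00"))
```

The `compared_bits` check is worth running on any mask you enter: a mask that was meant to pin the vendor prefix but was typed as ff:ff:ff:00:00:00 compares only the low 24 bits, so a frame from any vendor whose interface bits happen to equal the ACE value will match.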

VLAN ID

Enter the VLAN ID that a frame must carry for this MAC ACE to match. The range is from 1 to 4094.

802.1p Value

Enter the 802.1p value. The range is from 0 to 7.

Ethertype Value

Selecting this option instructs the switch to examine the Ethernet type value in each frame's header. This option can only be used to filter Ethernet II formatted packets. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), and 8137 (IPX).

IPv4 ACL

This page displays the currently defined IPv4-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.

Items

Descriptions

Index

Displays the current number of ACLs.

Name

Enter the IP based ACL name. You can use up to 32 alphanumeric characters.

IPv4 ACE

Use this page to view and add rules to IPv4-based ACLs.

Click the Add button to add a new IPv4 ACE rule:

ACL Name

Select the ACL from the list for which a rule is being created.

Sequence

Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647, 1 being processed first.

Action

Select what action to take if a packet matches the criteria.

Permit: Forwards packets that meet the ACL criteria.

Deny: Drops packets that meet the ACL criteria.

Protocol

Select Any, Protocol ID, or Select from List in the drop-down menu.

Any: Select Any to match any protocol.

Protocol ID: Enter the protocol number in the ACE to which the packet is matched.

Select from List: Select the protocol from the list in the provided field.

  • ICMP: Internet Control Message Protocol (ICMP). ICMP enables the gateway or destination host to communicate with the source host.

  • IPinIP: IP in IP encapsulates IP packets to create tunnels between two routers. This ensures that the IP in IP tunnel appears as a single interface, rather than several separate interfaces.

  • TCP: Transmission Control Protocol (TCP). Enables two hosts to communicate and exchange data streams. TCP guarantees packet delivery and guarantees that packets are transmitted and received in the order they are sent.

  • EGP: Exterior Gateway Protocol (EGP). Permits exchanging routing information between two neighboring gateway hosts in an autonomous systems network.

  • IGP: Interior Gateway Protocol (IGP). Enables a routing information exchange between gateways within an autonomous network.

  • UDP: User Datagram Protocol (UDP). UDP is a communication protocol that transmits packets but does not guarantee their delivery.

  • HMP: The Host Mapping Protocol (HMP) collects network information from various network hosts. HMP monitors hosts spread over the Internet as well as hosts in a single network.

  • RDP: Reliable Data Protocol (RDP). Provides a reliable data transport service for packet-based applications.

  • IPv6: Matches the packet to the IPv6 protocol.

  • IPv6: Rout: Routing Header for IPv6.

  • IPv6: Frag: Fragment Header for IPv6.

  • RSVP: Matches the packet to the Resource ReSerVation Protocol (RSVP).

  • IPv6: ICMP: The Internet Control Message Protocol (ICMP) allows the gateway or destination host to communicate with the source host.

  • OSPF: The Open Shortest Path First (OSPF) protocol is a link-state hierarchical interior gateway protocol (IGP) for network routing.

  • PIM: Matches the packet to Protocol Independent Multicast (PIM).

  • L2TP: Matches the packet to the Layer Two (2) Tunneling Protocol (L2TP). It is an extension to the PPP protocol that enables ISPs to operate Virtual Private Networks (VPNs).

Destination IP Address Value

Enter the destination IP address.

Destination IP Mask

Enter the mask of the destination IP address.

Destination Port Range

Enter the destination port range.

Source IP Address Value

Enter the source IP address.

Source IP Mask

Enter the mask of the source IP address.

Source Port Range

Enter the source port range.

Flag Set

Select, from the drop-down menu, how each of the six TCP control flags is handled: URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronize), and FIN (Finish).

Don't Care: The ACE ignores this TCP control flag.

Set: The packet with the TCP control flag being set matches the criteria.

Unset: The packet with the TCP control flag being unset matches the criteria.
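Each flag is therefore a three-state constraint, and only the Set and Unset states take part in matching. The Python model below is added here to show how such constraints combine; it is not switch code, and the two example rules (a "new connection" rule and an "established" rule) and the sample flag sets are constructed for illustration.

```python
# Added example: the three-state Flag Set matching (Don't Care / Set / Unset)
# applied to a packet's TCP control flags. Stand-alone model, not switch code;
# the rules and packets below are constructed.

from __future__ import annotations

from enum import Enum

TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


class FlagMatch(Enum):
    DONT_CARE = "dont_care"   # ACE ignores this flag
    SET = "set"               # flag must be 1 in the packet
    UNSET = "unset"           # flag must be 0 in the packet


def flags_match(packet_flags: set[str], rule: dict[str, FlagMatch]) -> bool:
    """Return True when every Set/Unset constraint in rule holds for the packet.

    packet_flags is the set of flag names that are on in the TCP header.
    Flags absent from rule default to DONT_CARE, so an empty rule matches
    every segment.
    """
    unknown = set(rule) - set(TCP_FLAGS)
    if unknown:
        raise ValueError(f"unknown TCP flag(s) in rule: {sorted(unknown)}")
    for name in TCP_FLAGS:
        want = rule.get(name, FlagMatch.DONT_CARE)
        present = name in packet_flags
        if want is FlagMatch.SET and not present:
            return False
        if want is FlagMatch.UNSET and present:
            return False
    return True


# Constructed rule: match only connection-opening segments (SYN set, ACK
# unset). An inbound deny ACE with these flags blocks new sessions toward a
# port while the rule below still lets replies to sessions opened from inside
# through.
NEW_CONNECTION = {"SYN": FlagMatch.SET, "ACK": FlagMatch.UNSET}

# Constructed rule: segments belonging to an already established session.
ESTABLISHED = {"ACK": FlagMatch.SET}

if __name__ == "__main__":
    for flags in ({"SYN"}, {"SYN", "ACK"}, {"ACK", "PSH"}, {"RST"}):
        print(sorted(flags), "new:", flags_match(flags, NEW_CONNECTION),
              "established:", flags_match(flags, ESTABLISHED))
```

Note that the SYN/ACK handshake reply has both SYN and ACK on, so it fails the NEW_CONNECTION rule (ACK must be Unset) and passes the ESTABLISHED rule; keeping the two rules disjoint in this way is what makes a deny-new / permit-established pair behave predictably.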

DSCP

In Type of Service, select Any or DSCP to match from the drop-down list. When DSCP to match is selected, enter the DSCP value. The range is from 0 to 63.

ICMP

Select Any, Protocol ID, or Select from List from the drop-down menu.

Protocol ID: Enter the ICMP type number in the ACE to which the packet is matched. The range is from 0 to 255.

Select from List: Select the ICMP type from the list in the provided field.

ICMP Code

Select Any or User Defined from drop-down menu. When User Defined is selected, enter the ICMP code value. The range is from 0 to 255.

Actions

Select Edit or Delete for this entry.

IPv6 ACL

This page displays the currently defined IPv6-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.

Items

Descriptions

Index

Displays the current number of ACLs.

Name

Enter the IPv6 based ACL name. You can use up to 32 alphanumeric characters.

IPv6 ACE

Allows IPv6 Based Access Control Entry (ACE) to be defined within a configured ACL.

Click the Add button to add a new IPv6 ACE rule:

Items

Descriptions

ACL Name

Select the ACL from the list.

Sequence

Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647, 1 being processed first.

Action

Select what action to take if a packet matches the criteria.

Permit: Forwards packets that meet the ACL criteria.

Deny: Drops packets that meet the ACL criteria.

Protocol

Select Any, Protocol ID, or Select from List from the drop-down menu.

Protocol ID: Enter the protocol in the ACE to which the packet is matched.

Select from List: Select the protocol from the list in the provided field.

Destination IP Address Value

Enter the destination IP address.

Destination IP Prefix Length

Enter the prefix length of the destination IP address. The range is from 0 to 128.

Destination Port Range

Select Any or Range from the list. Enter the destination port that is matched to packets. The range is from 0 to 65535.

Source IP Address Value

Enter the source IP address.

Source IP Prefix Length

Enter the prefix length of the source IP address. The range is from 0 to 128.

Source Port Range

Select Any or Range from the list. Enter the source port that is matched to packets. The range is from 0 to 65535.

Flag Set

Select, from the drop-down menu, how each of the six TCP control flags is handled: URG (Urgent), ACK (Acknowledgment), PSH (Push), RST (Reset), SYN (Synchronize), and FIN (Finish).

Don't Care: The ACE ignores this TCP control flag.

Set: The packet with the TCP control flag being set matches the criteria.

Unset: The packet with the TCP control flag being unset matches the criteria.

DSCP

Select Any or DSCP to match from drop-down list. When DSCP to match is selected, enter the DSCP. The range is from 0 to 63.

ICMP

Select Any, Protocol ID, or Select from List from the drop-down menu.

Protocol ID: Enter the ICMP type number in the ACE to which the packet is matched. The range is from 0 to 255.

Select from List: Select the ICMP type from the list in the provided field.

ICMP Code

Select Any or User Defined from drop-down menu. When User Defined is selected, enter the ICMP code value. The range is from 0 to 255.

Actions

Select Edit or Delete for this entry.

Port Range

Use this section to configure the specified port range.

Port Binding

When an ACL is bound to an interface, all the rules that have been defined for that ACL are applied to the interface. Whenever an ACL is assigned to a port or LAG, flows on that ingress or egress interface that match none of the ACL's rules fall through to the default rule, which drops unmatched packets; an ACL therefore needs an explicit Permit entry for every kind of traffic the port must still carry, and entries are consulted in Sequence order, so a broad Deny with a low sequence number shadows any narrower Permit sequenced after it. To bind an ACL to an interface, select the interface and then select the ACL(s) you wish to bind.
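The following Python model is added here to make the binding behaviour concrete: it evaluates the IPv6 ACE fields described above (protocol, address value plus prefix length, destination port range) in ascending Sequence order, applies the first match, and drops anything that matches no entry. It is not switch firmware; the management ACL, its addresses (RFC 5737/3849 documentation ranges) and the sample flows are constructed.

```python
# Added example: a model of how a bound ACL is evaluated, following the page's
# description: ACEs are tried in ascending Sequence order, the first matching
# entry's action applies, and a flow that matches no entry hits the default
# rule and is dropped. Not switch firmware; the ACL and flows are constructed.

from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

TCP, ICMPV6 = 6, 58  # IP protocol numbers


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: int
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    sequence: int
    action: str                                   # "permit" or "deny"
    protocol: Optional[int] = None                # None = Any
    src_net: Optional[str] = None                 # "address/prefix-length", None = Any
    dst_net: Optional[str] = None
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range, None = Any

    def __post_init__(self) -> None:
        if self.action not in ("permit", "deny"):
            raise ValueError(f"bad action {self.action!r}")

    def matches(self, flow: Flow) -> bool:
        if self.protocol is not None and flow.protocol != self.protocol:
            return False
        for net, addr in ((self.src_net, flow.src), (self.dst_net, flow.dst)):
            # strict=False accepts a host address with a prefix length, which is
            # how the Value + Prefix Length fields are filled in. Membership is
            # False across address families, so a v4 flow never matches a v6 entry.
            if net is not None and ipaddress.ip_address(addr) not in ipaddress.ip_network(net, strict=False):
                return False
        if self.dst_ports is not None:
            lo, hi = self.dst_ports
            if flow.dst_port is None or not lo <= flow.dst_port <= hi:
                return False
        return True


def evaluate(acl: list[Ace], flow: Flow) -> Tuple[str, Optional[int]]:
    """Return (action, sequence of the ACE that decided it).

    A sequence of None means no ACE matched and the implicit default rule
    dropped the flow.
    """
    for ace in sorted(acl, key=lambda a: a.sequence):
        if ace.matches(flow):
            return ace.action, ace.sequence
    return "deny", None


def management_acl() -> list[Ace]:
    """Constructed IPv6 ACL: SSH to the switch only from the admin prefix,
    ICMPv6 allowed, everything else falls to the implicit deny."""
    return [
        Ace(10, "permit", TCP, src_net="2001:db8:10::/64", dst_net="2001:db8:1::1/128", dst_ports=(22, 22)),
        Ace(20, "deny", TCP, dst_net="2001:db8:1::1/128", dst_ports=(22, 22)),
        Ace(30, "permit", ICMPV6),
    ]


def misordered_acl() -> list[Ace]:
    """Same entries, but the deny is sequenced ahead of the permit and so
    shadows it: sequence numbers, not entry order in the UI, decide."""
    acl = management_acl()
    acl[1] = Ace(5, "deny", TCP, dst_net="2001:db8:1::1/128", dst_ports=(22, 22))
    return acl


if __name__ == "__main__":
    admin_ssh = Flow("2001:db8:10::5", "2001:db8:1::1", TCP, 22)
    admin_http = Flow("2001:db8:10::5", "2001:db8:1::1", TCP, 80)
    for name, acl in (("ordered", management_acl()), ("misordered", misordered_acl())):
        print(name, "admin ssh ->", evaluate(acl, admin_ssh), "admin http ->", evaluate(acl, admin_http))
```

The `admin_http` flow is the point of the model: nothing permits TCP/80, so it is dropped by the default rule even though the admin host is otherwise trusted, and the misordered variant shows the same admin SSH session being denied by sequence 5 before the permit at sequence 10 is ever consulted.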

Click Edit to update the system settings.

Port

Select the port to which the ACLs are bound.

MAC ACL

Select the MAC ACL rule to apply to the port.

IPv4 ACL

Select the IPv4 ACL rule to apply to the port.

IPv6 ACL

Select the IPv6 ACL rule to apply to the port.
