Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on address, DSCP traffic class, or next header type), or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port.
Configuring Access Control Lists
An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match, the packet is accepted.
Use the Security > ACL (Configure ACL - Show TCAM) page to show utilization parameters for TCAM (Ternary Content Addressable Memory), including the number of policy control entries in use, the number of free entries, and the overall percentage of TCAM in use.
Command Usage
Policy control entries (PCEs) are used by various system functions which rely on rule-based searches, including Access Control Lists (ACLs), IP Source Guard filter rules, Quality of Service (QoS) processes, QinQ, MAC-based VLANs, or traps.
For example, when binding an ACL to a port, each rule in an ACL will use two PCEs; and when setting an IP Source Guard filter rule for a port, the system will also use two PCEs.
Command Attributes
Abbreviation for processes shown in the TCAM List.
Stack unit identifier.
Memory chip used for indicated pools.
Rule slice (or call group). Each slice has a fixed number of rules that are used for the specified features.
The maximum number of policy control entries allocated to each pool.
The number of policy control entries used by the operating system.
The number of policy control entries available for use.
The processes assigned to each pool.
Use the Security > ACL (Configure ACL - Add) page to create an ACL.
Name of the ACL. (Maximum length: 32 characters)
The following filter modes are supported:
IPv4 Standard ACL mode filters packets based on the source IPv4 address.
IPv4 Extended ACL mode filters packets based on the source or destination IPv4 address, as well as the protocol type and protocol port number. If the "TCP" protocol is specified, then you can also filter packets based on the TCP control code.
IPv6 Standard ACL mode filters packets based on the source IPv6 address.
IPv6 Extended ACL mode filters packets based on the source or destination IPv6 address, as well as DSCP, and the next header type.
MAC ACL mode filters packets based on the source or destination MAC address and the Ethernet frame type (RFC 1060).
ARP ACL specifies static IP-to-MAC address bindings used for ARP inspection.
Use the Security > ACL (Configure ACL - Add Rule - IP Standard) page to configure a Standard IPv4 ACL.
Selects the type of ACLs to show in the Name list.
Shows the names of ACLs matching the selected type.
An ACL can contain any combination of permit or deny rules.
Specifies the source IP address. Use "Any" to include all possible addresses, "Host" to specify a specific host address in the Address field, or "IP" to specify a range of addresses with the Address and Subnet Mask fields. (Options: Any, Host, IP; Default: Any)
Source IP address.
A subnet mask containing four integers from 0 to 255, each separated by a period. The mask uses 1 bits to indicate "match" and 0 bits to indicate "ignore." The mask is bitwise ANDed with the specified source IP address, and compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.
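The following is an added example, not code from the switch or its manual: it emulates how a Standard IPv4 ACL is evaluated as described above, with the three address types, the switch's mask convention (1 bits = match) and the first-match rule, and shows the implicit permit that applies when no rule matches. The rule list and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

@dataclass(frozen=True)
class StandardRule:
    """One entry of a Standard IPv4 ACL: action plus a source address test."""
    action: str                    # "permit" or "deny"
    addr_type: str                 # "Any", "Host" or "IP" (the page's options)
    address: str = "0.0.0.0"       # ignored for "Any"
    mask: str = "255.255.255.255"  # used only for "IP"; 1 = match, 0 = ignore

    def matches(self, src_ip: str) -> bool:
        if self.addr_type == "Any":
            return True
        if self.addr_type == "Host":
            return _ip(src_ip) == _ip(self.address)
        # "IP": the mask is ANDed with both the rule address and the packet's
        # source address; the rule matches when the two masked values agree.
        m = _ip(self.mask)
        return (_ip(src_ip) & m) == (_ip(self.address) & m)

def evaluate(acl: list[StandardRule], src_ip: str) -> tuple[str, Optional[int]]:
    """Test a packet against the rules in order; the first match decides.
    Returns (action, index of the matching rule). As stated above for this
    switch, a packet that matches no rule is accepted (implicit permit)."""
    for i, rule in enumerate(acl):
        if rule.matches(src_ip):
            return rule.action, i
    return "permit", None

# Constructed ACL: one host exception, then a deny for the rest of its /24.
# Without the final "permit Any", unlisted sources would still pass because
# of the implicit permit; an explicit "deny Any" is needed to close the list.
MGMT_ACL = [
    StandardRule("permit", "Host", "192.0.2.10"),
    StandardRule("deny", "IP", "192.0.2.0", "255.255.255.0"),
    StandardRule("permit", "Any"),
]

# A common mistake: entering a Cisco-style wildcard (0.0.0.255) as the mask.
# On this switch that means "match only the last octet", so the rule below
# matches 10.20.30.0 but not 192.0.2.77.
INVERTED_MASK_RULE = StandardRule("deny", "IP", "192.0.2.0", "0.0.0.255")

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.77", "198.51.100.5"):
        print(ip, evaluate(MGMT_ACL, ip))
```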
Name of a time range.
Use the Security > ACL (Configure ACL - Add Rule - IP Extended) page to configure an Extended IPv4 ACL.
Selects the type of ACLs to show in the Name list.
Shows the names of ACLs matching the selected type.
An ACL can contain any combination of permit or deny rules.
Specifies the source or destination IP address type. Use "Any" to include all possible addresses, "Host" to specify a specific host address in the Address field, or "IP" to specify a range of addresses with the Address and Subnet Mask fields. (Options: Any, Host, IP; Default: Any)
Source or destination IP address.
Subnet mask for source or destination address.
Source/destination port number for the specified protocol type. (Range: 0-65535)
Decimal number representing the port bits to match. (Range: 0-65535)
Specifies the protocol type to match as TCP, UDP or Others, where others indicates a specific protocol number (0-255). (Options: TCP, UDP, Others; Default: Others)
The following items apply only when the protocol type is TCP:
Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
Decimal number representing the code bits to match. (Range: 0-63)
The control bit mask is a decimal number (for an equivalent binary bit mask) that is applied to the control code. Enter a decimal number, where the equivalent binary bit "1" means to match a bit and "0" means to ignore a bit. The following bits may be specified:
1 (fin) - Finish
2 (syn) - Synchronize
4 (rst) - Reset
8 (psh) - Push
16 (ack) - Acknowledgement
32 (urg) - Urgent pointer
For example, use the code value and mask below to catch packets with the following flags set:
SYN flag valid, use control-code 2, control bit mask 2
Both SYN and ACK valid, use control-code 18, control bit mask 18
SYN valid and ACK invalid, use control-code 2, control bit mask 18
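As an added example (not from the manual), the function below emulates the control-code/mask test, derives the (code, mask) pairs for the three cases above from the flags that must be set or clear, and shows two edge cases: a mask of 0 matches every packet, and code bits outside the mask have no effect. Flag values are the ones listed above; the sample flag combinations are constructed.

```python
# Flag bit values as listed above (the low six bits of the TCP flags byte)
TCP_FLAGS = {"fin": 1, "syn": 2, "rst": 4, "psh": 8, "ack": 16, "urg": 32}

def flags_of(*names: str) -> int:
    """Build a flags value from flag names, e.g. flags_of("syn", "ack") == 18."""
    return sum(TCP_FLAGS[n] for n in names)

def control_code_matches(flags: int, code: int, mask: int) -> bool:
    """Only the bits selected by the mask are compared; the packet matches
    when those bits of its flags equal the corresponding bits of the code."""
    return (flags & mask) == (code & mask)

def rule_for(must_set: set[str], must_clear: set[str] = frozenset()) -> tuple[int, int]:
    """Derive (control-code, control bit mask): bits that must be set go into
    both values, bits that must be clear go into the mask only, and flags not
    mentioned are ignored by the rule."""
    if must_set & must_clear:
        raise ValueError("a flag cannot be required both set and clear")
    code = sum(TCP_FLAGS[f] for f in must_set)
    mask = code | sum(TCP_FLAGS[f] for f in must_clear)
    return code, mask

# The three rules from the example above, derived rather than typed by hand
RULES = {
    "syn set": rule_for({"syn"}),                      # (2, 2)
    "syn and ack set": rule_for({"syn", "ack"}),       # (18, 18)
    "syn set, ack clear": rule_for({"syn"}, {"ack"}),  # (2, 18)
}

def matching_rules(flags: int) -> list[str]:
    """Names of the rules above that a packet with these flags would hit."""
    return [name for name, (code, mask) in RULES.items()
            if control_code_matches(flags, code, mask)]

if __name__ == "__main__":
    for pkt in ("syn", "syn ack", "ack", "syn psh"):
        print(pkt.ljust(8), matching_rules(flags_of(*pkt.split())))
```

A mask of 0 turns the control-code test into "match any TCP packet", which is worth checking for when auditing rules that were meant to single out connection setup.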
Packet priority settings based on the following criteria:
IP precedence level. (Range: 0-7)
DSCP priority level. (Range: 0-63)
Name of a time range.
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Standard) page to configure a Standard IPv6 ACL.
Selects the type of ACLs to show in the Name list.
Shows the names of ACLs matching the selected type.
An ACL can contain any combination of permit or deny rules.
Specifies the source IP address. Use "Any" to include all possible addresses, "Host" to specify a specific host address in the Address field, or "IPv6-Prefix" to specify a range of addresses. (Options: Any, Host, IPv6-Prefix; Default: Any)
An IPv6 source address or network class. The address must be formatted according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). (Range: 0-128 bits)
Name of a time range.
Use the Security > ACL (Configure ACL - Add Rule - IPv6 Extended) page to configure an Extended IPv6 ACL.
Selects the type of ACLs to show in the Name list.
Shows the names of ACLs matching the selected type.
An ACL can contain any combination of permit or deny rules.
Specifies the source IP address type. Use "Any" to include all possible addresses, "Host" to specify a specific host address in the Address field, or "IPv6-Prefix" to specify a range of addresses. (Options: Any, Host, IPv6-Prefix; Default: Any)
Specifies the destination IP address type. Use "Any" to include all possible addresses, or "IPv6-Prefix" to specify a range of addresses. (Options: Any, IPv6-Prefix; Default: Any)
An IPv6 address or network class. The address must be formatted according to RFC 2373 "IPv6 Addressing Architecture," using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. (The switch only checks the first 64 bits of the destination address.)
A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address). (Range: 0-128 bits for the source prefix; 0-8 bits for the destination prefix)
DSCP traffic class. (Range: 0-63)
Protocol source port number. Includes TCP, UDP or other protocol types. (Range: 0-65535)
Decimal number representing the port bits to match. (Range: 0-65535)
Protocol destination port number. Includes TCP, UDP or other protocol types. (Range: 0-65535)
Decimal number representing the port bits to match. (Range: 0-65535)
Identifies the type of header immediately following the IPv6 header. (Range: 0-255)
Optional internet-layer information is encoded in separate headers that may be placed between the IPv6 header and the upper-layer header in a packet. There are a small number of such extension headers, each identified by a distinct Next Header value. IPv6 supports the values defined for the IPv4 Protocol field in RFC 1700, and includes these commonly used headers:
0 - Hop-by-Hop Options (RFC 2460)
6 - TCP Upper-layer Header (RFC 1700)
17 - UDP Upper-layer Header (RFC 1700)
43 - Routing (RFC 2460)
44 - Fragment (RFC 2460)
50 - Encapsulating Security Payload (RFC 2406)
51 - Authentication (RFC 2402)
60 - Destination Options (RFC 2460)
Name of a time range.
Use the Security > ACL (Configure ACL - Add Rule - MAC) page to configure a MAC ACL based on hardware addresses, packet format, and Ethernet type.
Selects the type of ACLs to show in the Name list.
Shows the names of ACLs matching the selected type.
An ACL can contain any combination of permit or deny rules.
Use "Any" to include all possible addresses, "Host" to indicate a specific MAC address, or "MAC" to specify an address range with the Address and Bit Mask fields. (Options: Any, Host, MAC; Default: Any)
Source or destination MAC address.
Hexadecimal mask for source or destination MAC address.
This attribute includes the following packet types:
Any - Any Ethernet packet type.
Untagged-eth2 - Untagged Ethernet II packets.
Untagged-802.3 - Untagged Ethernet 802.3 packets.
Tagged-eth2 - Tagged Ethernet II packets.
Tagged-802.3 - Tagged Ethernet 802.3 packets.
VLAN ID. (Range: 1-4094)
VLAN bit mask. (Range: 0-4095)
This option can only be used to filter Ethernet II formatted packets. (Range: 0-ffff hex.)
A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), 8137 (IPX).
Protocol bit mask. (Range: 0-ffff hex.)
CoS value. (Range: 0-7, where 7 is the highest priority)
CoS bitmask. (Range: 0-7)
Name of a time range.
Use the Security > ACL (Configure ACL - Add Rule - ARP) page to configure ACLs based on ARP message addresses. ARP Inspection can then use these ACLs to filter suspicious traffic.
Selects the type of ACLs to show in the Name list.
Shows the names of ACLs matching the selected type.
An ACL can contain any combination of permit or deny rules.
Indicates an ARP request, ARP response, or either type. (Options: IP, Request, Response; Default: IP)
Specifies the source or destination IPv4 address. Use "Any" to include all possible addresses, "Host" to specify a specific host address in the Address field, or "IP" to specify a range of addresses with the Address and Mask fields. (Options: Any, Host, IP; Default: Any)
Source or destination IP address.
Subnet mask for source or destination address. (See the description for Subnet Mask.)
Use "Any" to include all possible addresses, "Host" to indicate a specific MAC address, or "MAC" to specify an address range with the Address and Mask fields. (Options: Any, Host, MAC; Default: Any)
Source or destination MAC address.
Hexadecimal mask for source or destination MAC address.
Logs a packet when it matches the access control entry.
After configuring ACLs, use the Security > ACL (Configure Interface - Configure) page to bind the ports that need to filter traffic to the appropriate ACLs.
Selects the type of ACLs to bind to a port.
Fixed port or SFP module.
ACL used for ingress or egress packets.
Name of a time range.
Enables counter for ACL statistics.
Use the Security > ACL (Configure Interface - Show Hardware Counters) page to show statistics for ACL hardware counters.
Port identifier.
Selects the type of ACL.
Displays statistics for ingress or egress traffic.
The ACL bound to this port.
Displays statistics for ingress or egress traffic.
Shows if action is to permit or deny specified packets.
Rules
Shows the rules for the ACL bound to this port.
Name of a time range.
Shows the number of packets matching this ACL.
Clears the hit counter for the specified ACL.