Access Control

The Access Control List (ACL) feature is part of the security mechanism. ACL definitions serve as one of the mechanisms to define traffic flows that are given a specific Quality of Service (QoS). For more information see Quality of Service. ACLs enable network managers to define patterns (filter and actions) for ingress traffic. Packets, entering the device on a port or LAG with an active ACL, are either admitted or denied entry. This chapter contains the following sections:

MAC-Based ACL

MAC-based ACLs are used to filter traffic based on Layer 2 fields. MAC-based ACLs check all frames for a match. To define a MAC-based ACL follow these steps:

Procedure

Step 1

Click Access Control > MAC-Based ACL.

This page contains a list of all currently defined MAC-based ACLs.
Step 2

Click Add.

Step 3

Enter the name of the new ACL in the ACL Name field. ACL names are case-sensitive.
Step 4

Click Apply. The MAC-based ACL is saved to the Running Configuration file.

MAC-based ACE


Note

Each MAC-based rule consumes one TCAM rule. The TCAM allocation is performed in couples, such that, for the first ACE, 2 TCAM rules are allocated and the second TCAM rule is allocated to the next ACE, and so forth.

To add rules (ACEs) to an ACL, complete the following steps:

Procedure

Step 1

Click Access Control > Mac-Based ACE.

Step 2

Select an ACL, and click Go. The ACEs in the ACL are listed.

Step 3

Click Add.

Step 4

Enter the parameters.

  • ACL Name—Displays the name of the ACL to which an ACE is being added.

  • Priority—Enter the priority of the ACE. ACEs with higher priority are processed first. One is the highest priority.

  • Action—Select the action taken upon a match. The options are:

    • Permit—Forward packets that meet the ACE criteria.

    • Deny—Drop packets that meet the ACE criteria.

    • Shutdown—Drop packets that meet the ACE criteria, and disable the port from where the packets received.

  • Destination MAC Address—Select Any if all destination addresses are acceptable or User defined to enter a destination address or a range of destination addresses.

  • Destination MAC Address Value—Enter the MAC address to which the destination MAC address is to be matched and its mask (if relevant).

  • Destination MAC Wildcard Mask—Enter the mask to define a range of MAC addresses. This mask is different than in other uses, such as subnet mask. Here, setting a bit as 1 indicates don't care and 0 indicates to mask that value.

    Note 

    Given a mask of 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 1111 1111 (which means that you match on the bits where there’s 0 and don't match on the bits where there are 1's). You need to translate the 1's to a hexadecimal value and you write 0 for every four zeros. In this example since 1111 1111 = FF, the mask would be written: as 00:00:00:00:00:FF.

  • Source MAC Address—Select Any if all source addresses are acceptable or User defined to enter a source address or range of source addresses.

  • Source MAC Address Value—Enter the MAC address to which the source MAC address is to be matched and its mask (if relevant).

  • Source MAC Wildcard Mask—Enter the mask to define a range of MAC addresses.

  • VLAN ID—Enter the VLAN ID section of the VLAN tag to match.

  • 802.1p—Select Include to use 802.1p.

  • 802.1p Value—Enter the 802.1p value to be added to the VPT tag.

  • 802.1p Mask—Enter the wildcard mask to be applied to the VPT tag.

  • Ether type—Enter the frame Ether type to be matched.
Step 5

Click Apply. The MAC-based ACE is saved to the Running Configuration file.

IPv4-based ACL

ACLs are also used as the building elements of flow definitions for per-flow QoS handling. IPv4-based ACLs are used to check IPv4 packets. To define an IPv4-based ACL, follow these steps:

Procedure

Step 1

Click Access Control > IPv4-Based ACL.

This page contains all currently defined IPv4-based ACLs.
Step 2

Click Add.

Step 3

Enter the name of the new ACL in the ACL Name field. The names are case-sensitive.
Step 4

Click Apply. The IPv4-based ACL is saved to the Running Configuration file.

IPv4-Based ACE

To add rules (ACEs) to an IPv4-based ACL, follow these steps:

Procedure

Step 1

Click Access Control > IPv4-Based ACE.

Step 2

Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed.

Step 3

Click Add.

Step 4

Enter the parameters.

ACL Name

Displays the name of the ACL to which an ACE is being added.

Priority

Enter the priority. ACEs with higher priority are processed first.

Action

Select the action assigned to the packet matching the ACE from the following options:

  • Permit—Forward packets that meet the ACE criteria.

  • Deny—Drop packets that meet the ACE criteria.

  • Shutdown—Drop packets that meet the ACE criteria, and disable the port to which the packets addressed.

Protocol

Select to create an ACE based on a specific protocol or protocol ID. Select Any (IPv4) to accept all IP protocols. Otherwise select one of the following protocols:

  • ICMP—Internet Control Message Protocol

  • IP in IP—IP in IP encapsulation

  • TCP—Transmission Control Protocol

  • EGP—Exterior Gateway Protocol

  • IGP—Interior Gateway Protocol

  • UDP—User Datagram Protocol

  • HMP—Host-Mapping Protocol

  • RDP—Reliable Datagram Protocol.

  • IPV6—IPv6 over IPv4 tunneling

  • IPV6:ROUT—Matches packets belonging to the IPv6 over IPv4 route through a gateway

  • IPV6:FRAG—Matches packets belonging to the IPv6 over IPv4 Fragment Header

  • RSVP—ReSerVation Protocol

  • IPV6:ICMP—Internet Control Message Protocol

  • OSPF—Open Shortest Path First

  • PIM—Protocol Independent Multicast

  • L2TP—Layer 2 Tunneling Protocol

  • Protocol ID to Match—Instead of selecting the name, enter the protocol ID.

Source IP Address

Select Any if all source addresses are acceptable or User defined to enter a source address or range of source addresses.

Source IP Address Value

Enter the IP address to which the source IP address is to be matched and its mask (if relevant).

Source IP Wildcard Mask

Enter the mask to define a range of IP addresses. This mask is different than in other uses, such as subnet mask. Here, setting a bit as 1 indicates don't care and 0 indicates to mask that value.

Destination IP Address

Select Any if all destination addresses are acceptable or User defined to enter a destination address or a range of destination addresses.

Destination IP Address Value

Enter the IP address to which the destination MAC address is matched and its mask (if relevant).

Destination IP Wildcard Mask

Enter the destination IP wildcard mask.

Source Port

Select one of the following

  • Any—Match to all source ports.

  • Single from list—Select a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the IP Protocol drop-down menu.

  • Single by number—Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the IP Protocol drop-down menu.

  • Range—Enter a range from 0 - 65535.

Destination Port

Select one of the available values. They are the same as for the Source Port field described above.

Note 

You must specify the IPv6 protocol for the ACL before you can configure the source and/or destination port.

TCP Flags

Select one or more TCP flags with which to filter packets. Filtered packets are either forwarded or dropped. Filtering packets by TCP flags increases packet control, which increases network security. For each type of flag, select one of the following options:

  • Set—Match if the flag is SET.

  • Unset—Match if the flag is Not SET.

  • Don’t care—Ignore the TCP flag.

Type of Service

The service type of the IP packet.

  • Any—Any service type

  • DSCP to match—Differentiated Serves Code Point (DSCP) to match.

  • IP Precedence to match—IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments. This model uses the 3 most significant bits of the service type byte in the IP header, as described in RFC 791 and RFC 1349.

ICMP

If the ACL is based on ICMP, select the ICMP message type that is used for filtering purposes. Either select the message type by name or enter the message type number. If all message types are accepted, select Any.

  • Any—All message types are accepted.

  • Select from list—Select message type by name from the drop-down list.

  • ICMP Type to Match—Number of message types that is to be used for filtering purposes.

ICMP Code

The ICMP messages may have a code field that indicates how to handle the message. Select one of the following options, to configure whether to filter on this code:

  • Any—Accept all codes.

  • User Defined—Enter an ICMP code for filtering purposes.
Step 5

Click Apply. The IPv4-based ACE is saved to the Running Configuration file.

IPv6-Based ACL

The IPv6 based ACL check the IPv6-based traffic. ACLs are also used as the building elements of flow definitions for per-flow QoS handling. To define an IPv6-based ACL, follow these steps:

Procedure

Step 1

Click Access Control > IPv6-Based ACL.

This window contains the list of defined ACLs and their contents.
Step 2

Click Add.

Step 3

Enter the name of a new ACL in the ACL Name field. The names are case-sensitive.
Step 4

Click Apply. The IPv6-based ACL is saved to the Running Configuration file.

IPv6-Based ACE


Note

Each IPv6-based rule consumes two TCAM rules.

To define an IPv6-based ACL, follow these steps:

Procedure

Step 1

Click Access Control > IPv6-Based ACE.

This window contains the ACE (rules) for a specified ACL (group of rules).
Step 2

Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed.

Step 3

Click Add.

Step 4

Enter the parameters.

ACL Name

Displays the name of the ACL to which an ACE is being added.

Priority

Enter the priority. ACEs with higher priority are processed first.

Action

Select the action assigned to the packet matching the ACE from the following options:

  • Permit—Forward packets that meet the ACE criteria.

  • Deny—Drop packets that meet the ACE criteria.

  • Shutdown—Drop packets that meet the ACE criteria, and disable the port to which the packets addressed.

Protocol

Select to create an ACE based on a specific protocol from the following options:

  • TCP—Transmission Control Protocol Enables two hosts to communicate and exchange data streams TCP guarantees packet delivery, and guarantees that packets are transmitted and received in the order they sent.

  • UDP—User Datagram Protocol Transmits packets but doesn’t guarantee their delivery.

  • ICMPv6—Matches packets to the Internet Control Message Protocol (ICMP).

    Or

  • Protocol ID to Match—Enter the ID of the protocol to be matched.

Source IP Address

Select Any if all source addresses are acceptable or User defined to enter a source address or range of source addresses.

Source IP Address Value

Enter the IP address to which the source IP address is to be matched and its mask (if relevant).

Source IP Prefix Length

Enter the prefix length of the source IP address.

Destination IP Address

Select Any if all destination addresses are acceptable or User defined to enter a destination address or a range of destination addresses.

Destination IP Address Value

Enter the IP address to which the destination MAC address is matched and its mask (if relevant).

Destination IP Prefix Length

Enter the prefix length of the IP address.

Source Port

Select one of the following

  • Any—Match to all source ports.

  • Single from list—Select a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the IP Protocol drop-down menu.

  • By number—Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the IP Protocol drop-down menu.

Destination Port

Select one of the available values. They are the same as for the Source Port field described above.

Note 

You must specify the IPv6 protocol for the ACL before you can configure the source and/or destination port.

TCP Flags

Select one or more TCP flags with which to filter packets. Filtered packets are either forwarded or dropped. Filtering packets by TCP flags increases packet control, which increases network security. For each type of flag, select one of the following options:

  • Set—Match if the flag is SET.

  • Unset—Match if the flag is Not SET.

  • Don’t care—Ignore the TCP flag.

Type of Service

The service type of the IP packet.

  • Any—Any service type

  • DSCP to match—Differentiated Serves Code Point (DSCP) to match.

  • IP Precedence to match—IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments. This model uses the 3 most significant bits of the service type byte in the IP header, as described in RFC 791 and RFC 1349.

ICMP

If the ACL is based on ICMP, select the ICMP message type that is used for filtering purposes. Either select the message type by name or enter the message type number. If all message types are accepted, select Any.

  • Any—All message types are accepted.

  • Select from list—Select message type by name from the drop-down list.

  • ICMP Type to Match—Number of message types that is to be used for filtering purposes.

ICMP Code

The ICMP messages may have a code field that indicates how to handle the message. Select one of the following options, to configure whether to filter on this code:

  • Any—Accept all codes.

  • User Defined—Enter an ICMP code for filtering purposes.
Step 5

Click Apply.

ACL Binding

Access Control List (ACL) is a list of permissions applied on a port that filters the stream of packets transmitted to the port. A port can be bound with either a policy or an ACL, but not both. To bind an ACL to a port or LAG, follow these steps:

Procedure

Step 1

Click Access Control > ACL Binding.

Step 2

Select an interface type Ports/LAGs (Port or LAG).
Step 3

Click Go. For each type of interface selected, all interfaces of that type are displayed with a list of their current ACLs:

Interface

Identifier of interface on which ACL is defined.

MAC ACL

ACLs of type MAC that are bound to the interface (if any).

IPv4 ACL

ACLs of type IPv4 that are bound to the interface (if any).

IPv6 ACL

ACLs of type IPv6 that are bound to the interface (if any).
Step 4

To unbind all ACLs from an interface, select the interface, and click Clear.

Step 5

Select an interface, and click Edit.

Step 6

Enter the following for both the Input ACL and Output ACL:

MAC-Based ACL

Select a MAC-based ACL to be bound to the interface.

IPv4-Based ACL

Select an IPv4-based ACL to be bound to the interface.

IPv6-Based ACL

Select an IPv6-based ACL to be bound to the interface.
Step 7

Click Apply. The ACL binding is modified, and the Running Configuration file is updated.


Note

If no ACL is selected, the ACL(s) that is previously bound to the interface are unbound.