Use the Access Control List Configuration page to configure rules for each existing ACL (Access Control List) on the system and to view summary information about the rules that have been added to an ACL. Each ACL rule is configured to match one or more aspects of traffic on the network. When a packet matches the conditions in a rule, it is handled according to the configured action (permit or deny) and attributes. Each ACL can have multiple rules, but the final rule for every ACL is an implicit deny all rule. For each rule, a packet must match all the specified criteria in order for the specified rule action (Permit/Deny) to take place.
To access this page, click
in the navigation menu.Use the buttons to perform the following tasks:
Field | Description | |
---|---|---|
ACL Identifier | The menu
contains the ID for each ACL that exists on the system. Before you add or
remove a rule, you must select the ID of the ACL from the menu. For ACLs with
alphanumeric names, click the Edit icon to change the ACL
ID. The ID of a Named IPv4 ACL must begin with a letter, and not a number. The ACL identifier for IPv4 Standard and IPv4 Extended ACLs cannot be changed. |
|
Sequence Number | The number that indicates the position of a rule within the ACL. If the sequence number is not specified during rule creation, the rule is automatically assigned a sequence number after it is successfully added to the ACL. The rules are displayed based on their position within the ACL, but can also be renumbered. Packets are checked against the rule criteria in order, from the lowest-numbered rule to the highest. When the packet matches the criteria in a rule, it is handled according to the rule action and attributes. If no rule matches a packet, the packet is discarded based on the implicit deny all rule, which is the final rule in every ACL. | |
ACL Type | The type of
ACL. The ACL type determines the criteria that can be used to match packets.
The type also determines which attributes can be applied to matching traffic.
IPv4 ACLs classify Layer 3 and Layer 4 IPv4 traffic, IPv6 ACLs classify Layer 3
and Layer 4 IPv6 traffic, and MAC ACLs classify Layer 2 traffic. The ACL types
are as follows:
|
|
Status | Whether the ACL is active. If the ACL is a time-based ACL that includes a time range, the ACL is active only during the periods specified within the time range. If an ACL does not include a time range, the status is always active. | |
Action | The action to
take when a packet or frame matches the criteria in the rule:
When configuring ACL rules in the Add Access Control List Rule window, the selected action determines which fields can be configured. Not all fields are available for both Permit and Deny actions. |
|
Match Conditions | The criteria used to determine whether a packet or frame matches the ACL rule. | |
Rule Attributes | Each action — beyond the basic Permit and Deny actions — to perform on the traffic that matches the rule. | |
Remarks | One or more remarks configured for the selected ACL and associated with the rule during rule creation. To delete a remark associated with the rule, click the – (minus) button preceding remark. You must confirm the action before the rule associated remark is removed. | |
ACL Remarks | Lists the
configured remarks for the selected ACL. All remarks present in this table are
applied to the next rule created with the Add Rule button. Use the buttons available in the ACL Remarks table to perform the following tasks:
|
|
After you click Add Rule, the Add Access Control List Rule window opens and allows you to add a rule to the ACL that was selected from the ACL Identifier field. The fields available in the window depend on the ACL type. The following information describes the fields in this window. The Match Criteria tables that apply to IPv4 ACLs, IPv6 ACLs, and MAC ACLs are described separately.
Field | Description | |
---|---|---|
Match Criteria (IPv4 ACLs) | The fields in this section specify the criteria to use to determine whether an IP packet matches the rule. The fields described below apply to IPv4 Standard, IPv4 Extended, and IPv4 Named ACLs unless otherwise noted. | |
Every | When this option is selected, all packets will match the rule and will be either permitted or denied. This option is exclusive to all other match criteria, so if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be clear. | |
Protocol | (IPv4 Extended and IPv4 Named ACLs) The IANA-assigned protocol number to match within the IP packet. You can also specify one of the following keywords: EIGRP, GRE, ICMP, IGMP, , IP, IPINIP, OSPF, PIM, TCP, or UDP. | |
Fragments | (IPv4 Extended and IPv4 Named ACLs) IP ACL rule to match on fragmented IP packets. | |
Source IP Address / Wildcard Mask | The source port IP address in the packet and source IP wildcard mask (in the second field) to compare to the IP address in a packet header. Wild card masks determines which bits in the IP address are used and which bits are ignored. A wild card mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all of the bits are important. Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for the network address, and has zeros for the bit positions that are not used. In contrast, a wildcard mask has zeros in a bit position that must be checked. A '1' in a bit position of the ACL mask indicates the corresponding bit can be ignored. This field is required when you configure a source IP address. | |
Source L4 Port | (IPv4 Extended and IPv4 Named ACLs) The TCP/UDP source
port to match in the packet header. The Source L4 Port and Destination L4 port
are configurable only if protocol is either TCP or UDP. Equal to, Not Equal to,
Greater than, and Less than options are available.
|
|
Destination IP Address / Wildcard Mask | The destination port IP address in the packet and destination IP wildcard mask (in the second field) to compare to the IP address in a packet header. Wild card masks determines which bits in the IP address are used and which bits are ignored. A wild card mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all of the bits are important. Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for the network address, and has zeros for the bit positions that are not used. In contrast, a wildcard mask has zeros in a bit position that must be checked. A 1 in a bit position of the ACL mask indicates the corresponding bit can be ignored. This field is required when you configure a destination IP address. | |
Destination L4 Port | (IPv4 Extended and IPv4 Named ACLs) The TCP/UDP
destination port to match in the packet header. The Source L4 Port and
Destination L4 port are configurable only if protocol is either TCP or UDP.
Equal to, Not Equal to, Greater than, and Less than options are available.
|
|
TTL Field Value | (IPv4 Extended and IPv4 Named ACLs) IP ACL rule to match on the specified Time-to-Live (TTL) field value. | |
IGMP Type | (IPv4 Extended and IPv4 Named ACLs) IP ACL rule to match on the specified IGMP message type. This option is available only if the protocol is IGMP. | |
ICMP Type | (IPv4 Extended and IPv4 Named ACLs) IP ACL rule to match on the specified ICMP message type. This option is available only if the protocol is ICMP. | |
ICMP Code | (IPv4 Extended and IPv4 Named ACLs) IP ACL rule to match on the specified ICMP message code. This option is available only if the protocol is ICMP. | |
ICMP Message | (IPv4 Extended and IPv4 Named ACLs) IP ACL rule to match on the ICMP message type and code. Specify one of the following supported ICMP messages: Echo, Echo-Reply, Host-Redirect, Mobile-Redirect, Net-Redirect, Net-Unreachable, Redirect, Packet-Too-Big, Port-Unreachable, Source-Quench, Router-Solicitation, Router-Advertisement, Time-Exceeded, TTL-Exceeded, and Unreachable. This option is available only if the protocol is ICMP. | |
TCP Flags | (IPv4 Extended and IPv4 Named ACLs) IP ACL rule to match on the TCP flags. When a + flag is specified, a match occurs if the flag is set in the TCP header. When a - flag is specified, a match occurs if the flag is not set in the TCP header. When Established is specified, a match occurs if either RST or ACK bits are set in the TCP header. This option is available only if the protocol is TCP. | |
Service Type | (IPv4 Extended and IPv4 Named ACLs) The service type to
match in the IP header. The options in this menu are alternative ways of
specifying a match condition for the same Service Type field in the IP header,
but each service type uses a different user notation. After you select the
service type, specify the value for the service type in the appropriate field.
Only the field associated with the selected service type can be configured. The
services types are as follows:
|
|
Time Range Name | The name of the time range that will impose a time limitation on the ACL rule. If a time range with the specified name does not exist, and the ACL containing this ACL rule is associated with an interface, the ACL rule is applied immediately. If a time range with specified name exists, and the ACL containing this ACL rule is associated with an interface, the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive. | |
Committed Rate / Burst Size | The allowed transmission rate for packets on the interface (Committed Rate), and the number of bytes allowed in a temporary traffic burst (Burst Rate). | |
Match Criteria (IPv6 ACLs) | The fields in this section specify the criteria to use to determine whether an IP packet matches the rule. The fields described below apply to IPv6 ACLs. | |
Every | When this option is selected, all packets will match the rule and will be either permitted or denied. This option is exclusive to all other match criteria, so if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be clear. | |
Protocol | The IANA-assigned protocol number to match within the IP packet. You can also specify one of the following keywords: ICMP, IGMP, TCP, UDP, ICMPv6, or IP. | |
Fragments | IPv6 ACL rule to match on fragmented IP packets. | |
Source Prefix/Prefix Length | The IPv6 prefix combined with IPv6 prefix length of the network or host from which the packet is being sent. | |
Source L4 Port | The TCP/UDP source port to match in the packet header. Select one of the following options: Equal, Not Equal, Less Than, Greater Than, or Range and specify the port number or keyword. TCP port keywords include BGP, Domain, Echo, FTP, FTP Data, HTTP, SMTP, Telnet, WWW, POP2, and POP3. UDP port keywords include Domain, Echo, NTP, RIP, SNMP, TFTP, TIME, and WHO. | |
Destination Prefix/Prefix Length | The IPv6 prefix combined with the IPv6 prefix length to be compared to a packet's destination IPv6 address as a match criteria for the IPv6 ACL rule. To indicate a destination host, specify an IPv6 prefix length of 128. | |
Destination L4 Port | The TCP/UDP destination port to match in the packet
header. Select one of the following options: Equal, Not Equal, Less Than,
Greater Than, or Range and specify the port number or keyword. TCP port keywords include BGP, Domain, Echo, FTP, FTP Data, HTTP, SMTP, Telnet, WWW, POP2, and POP3. UDP port keywords include Domain, Echo, NTP, RIP, SNMP, TFTP, TIME, and WHO. |
|
ICMP Type | IPv6 ACL rule to match on the specified ICMP message type. This option is available only if the protocol is ICMPv6. | |
ICMP Code | IPv6 ACL rule to match on the specified ICMP message code. This option is available only if the protocol is ICMPv6. | |
ICMP Message | IPv6 ACL rule to match on the ICMP message type and code. Specify one of the following supported ICMPv6 messages: Destination-Unreachable, Echo-Request, Echo-Reply, Header, Hop-Limit, MLD-Query, MLD-Reduction, MLD-Report, ND-NA, ND-NS, Next-Header, No-Admin, No-Route, Packet-Too-Big, Port-Unreachable, Router-Solicitation, Router-Advertisement, Router-Renumbering, Time-Exceeded, and Unreachable. This option is available only if the protocol is ICMPv6. | |
TCP Flags | IPv6 ACL rule to match on the TCP flags. When a + flag is specified, a match occurs if the flag is set in the TCP header. When a - flag is specified, a match occurs if the flag is not set in the TCP header. When Established is specified, a match occurs if either RST or ACK bits are set in the TCP header. This option is available only if the protocol is TCP. | |
Flow Label | A 20-bit number that is unique to an IPv6 packet, used by end stations to signify quality-of-service handling in routers. | |
IP DSCP | The IP DSCP value in the IPv6 packet to match to the rule. The DSCP value is defined as the high-order six bits of the Service Type octet in the IPv6 header. | |
Routing | IPv6 ACL rule to match on routed packets. | |
Match Criteria (MAC ACLs) | The fields in this section specify the criteria to use to determine whether an Ethernet frame matches the rule. The fields described below apply to MAC ACLs. | |
Every | When this option is selected, all packets will match the rule and will be either permitted or denied. This option is exclusive to all other match criteria, so if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be clear. | |
CoS | The 802.1p user priority value to match within the Ethernet frame. | |
Secondary CoS | The secondary 802.1p user priority value to match within the Ethernet frame. | |
Ethertype | The EtherType value to match in an Ethernet frame. Specify the number associated with the EtherType or specify one of the following keywords: AppleTalk, ARP, IBM SNA, IPv4, IPv6, IPX, MPLS, Unicast, NETBIOS, NOVELL, PPPoE, or RARP. | |
Source MAC Address / Mask | The MAC address to match to an Ethernet frame's source
port MAC address. If desired, enter the MAC mask associated with the source MAC
to match. The MAC address mask specifies which bits in the source MAC to
compare against an Ethernet frame. Use Fs and zeros in the MAC mask, which is in a wildcard format. An F means that the bit is not checked, and a zero in a bit position means that the data must equal the value given for that bit. For example, if the MAC address is aa_bb_cc_dd_ee_ff, and the mask is 00_00_ff_ff_ff_ff, all MAC addresses with aa_bb_xx_xx_xx_xx result in a match (where x is any hexadecimal number). |
|
Destination MAC Address / Mask | The MAC address to match to an Ethernet frame's destination port MAC address. If desired, enter the MAC Mask associated with the destination MAC to match. The MAC address mask specifies which bits in the destination MAC to compare against an Ethernet frame. Use F's and zeros in the MAC mask, which is in a wildcard format. An F means that the bit is not checked, and a zero in a bit position means that the data must equal the value given for that bit. For example, if the MAC address is aa_bb_cc_dd_ee_ff, and the mask is 00_00_ff_ff_ff_ff, all MAC addresses with aa_bb_xx_xx_xx_xx result in a match (where x is any hexadecimal number). | |
VLAN | The VLAN ID to match within the Ethernet frame. | |
Secondary VLAN | The secondary VLAN ID to match within the Ethernet frame. | |
Rule Attributes | The fields in this section provide information about the actions to take on a frame or packet that matches the rule criteria. The attributes specify actions other than the basic Permit or Deny actions. | |
Assign Queue | The number that identifies the hardware egress queue that will handle all packets matching this rule. | |
Interface | The interface to use for the action:
|
|
Log | When this option is selected, logging is enabled for this ACL rule (subject to resource availability in the device). If the Access List Trap Flag is also enabled, this will cause periodic traps to be generated indicating the number of times this rule went into effect during the current report interval. A fixed 5 minute report interval is used for the entire system. A trap is not issued if the ACL rule hit count is zero for the current interval. | |
Time Range Name | The name of the time range that will impose a time limitation on the ACL rule. If a time range with the specified name does not exist, and the ACL containing this ACL rule is associated with an interface, the ACL rule is applied immediately. If a time range with specified name exists, and the ACL containing this ACL rule is associated with an interface, the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive. | |
Committed Rate / Burst Size | The allowed transmission rate for frames on the interface (Committed Rate), and the number of bytes allowed in a temporary traffic burst (Burst Rate). | |
After you click the Resequence Rules button, the Resequence ACL Rules window opens and allows you to resequence rules of the ACL selected from the ACL Identifier field. The following information describes the fields in this window. | ||
Sequence Start | The starting sequence number for resequencing the existing rules. | |
Sequence Step | The increment of sequence numbers for resequencing the existing rules. |
Click Refresh to update the information on the screen.
After you click the + (plus) button next to ACL Remarks, the Add ACL Remark window opens and allows you to add a remark.