Configure an Access Control List

About this task

Use an access control list (ACL) to specify an ordered list of access control entries (ACEs), also called filter rules. Each ACE defines the traffic it matches and the action the filter performs on that traffic.

Do not configure IPv4 egress ACL filters on network-to-network interface (NNI) ports, because the system-generated egress vIST filter rules and user-created IPv4 egress rules share the same filter hardware.

You cannot change a parameter that the system displays dimmed; in this case, delete the ACL, and then configure a new one.

Procedure

  1. In the navigation pane, expand Configuration > Security > Data Path.
  2. Select Advanced Filters (ACE/ACLs).
  3. Select the ACL tab.
  4. Select Insert.
  5. In AclId, type an ACL ID, or accept the default value.
  6. In Type, specify the type of ACL.
  7. In Name, specify a name for the ACL.
  8. If the ACL is VLAN-based or port-based, perform one of the following:
    1. If the ACL is VLAN-based, select the VlanList ellipsis, and then choose a VLAN list.
    2. If the ACL is port-based, select the PortList ellipsis, and then choose a port list.
  9. Select the desired VLANs or ports, and then select Ok.
  10. Configure the DefaultAction.
  11. Configure the ControlPktAction.
    Note

    There is no control packet action support for the InVSN Filter (the inVsn ACL type). Control packets go to the CPU after termination.

  12. Enable or disable the State, as required.
  13. In PktType, select the packet type to create either IPv4 or IPv6 ACLs.
  14. If the ACL type is inVsn, do the following:
    1. In MatchType, select the match type that describes the interfaces on which the traffic ingresses.
    2. In Isid, type the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN), or type 0 for IP Shortcut traffic (supported only when MatchType is both).
  15. Configure the remaining fields, as appropriate.
  16. Select Insert.
  17. Optional: To delete an ACL, select the ACL, and then select Delete.

ACL Field Descriptions

Use the data in the following table to configure the ACL tab.

Name

Description

AclId

Specifies a unique identifier for the ACL.

Type

Specifies the ACL type. Valid options are:

  • inVlan

  • inPort

  • outPort

  • inVsn

Important:

inVlan ACLs drop packets from a VLAN that you add to the ACL after ACE creation.

Important:

You can insert an inVsn ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN.

Name

Specifies a descriptive user-defined name for the ACL.

VlanList

For inVlan ACL types, specifies all VLANs to associate with the ACL.

PortList

For inPort and outPort ACL types, specifies the ports to associate with the ACL.

DefaultAction

Specifies the action taken when no ACE in the ACL matches the packet. Valid options are deny and permit; the default is permit. Deny drops the packet; permit forwards it.

ControlPktAction

Specifies the action taken for control packets. Valid options are deny and permit. Not supported for the inVsn ACL type.

State

Enables or disables all of the ACEs in the ACL. The default value is enable.

PktType

Indicates the packet type (IPv4 or IPv6) to which this ACL applies.

MirrorMltId

Configures mirroring to a destination MLT.

MirrorDstPortList

Configures mirroring to a destination port or ports.

MatchType

For inVsn ACL types, specifies the match type to associate with the ACL. Valid options are:
  • both for traffic ingressing on both UNI ports and network-to-network interface (NNI) ports and terminating on this node

  • terminatingNNIOnly for traffic ingressing on NNI ports only and terminating on this node

  • uniOnly for traffic ingressing on UNI ports only

The default value is both.

Isid

For inVsn ACL types, specifies the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN). This I-SID must already be configured on the fabric node.

The InVSN Filter supports IP Shortcut traffic if the inVsn ACL match type is both. In this case, the I-SID is zero (0).

Important:

You can specify a Switched UNI I-SID if the I-SID is associated with a platform VLAN.

Origin

Indicates the origin of the ACL:
  • config - ACL created by the user.
  • eap - ACL created dynamically from a Remote Authentication Dial-In User Service (RADIUS) response during Extensible Authentication Protocol (EAP) authentication.

DefaultSvcRate

Specifies the service rate limit in kbps {8-4000000000}. The granularity is 8 kbps.

DefaultPeakRate

Specifies the peak rate limit in kbps {8-4000000000}; packets that exceed this rate are dropped on ingress. The granularity is 8 kbps.
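The procedure above and the field table state a number of constraints that the ACL tab enforces only loosely (dimmed fields, a stray VLAN added after ACE creation, an IPv4 egress ACL that happens to include an NNI port). The following Python lint, added here as an example and not Extreme Networks code, encodes those rules so that a planned ACL set can be checked before anyone clicks Insert. The Acl dataclass, the nni_ports and known_isids inputs, and the "slot/port" port-name format are assumptions made for the example; every rule it checks comes from this page.

```python
# Added example (not Extreme Networks code): lint ACL definitions against the
# constraints stated on this page. The Acl dataclass, the nni_ports and
# known_isids inputs and the "slot/port" port format are assumptions.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

ACL_TYPES = {"inVlan", "inPort", "outPort", "inVsn"}
ACTIONS = {"permit", "deny"}
MATCH_TYPES = {"both", "terminatingNNIOnly", "uniOnly"}
RATE_MIN, RATE_MAX, RATE_STEP = 8, 4_000_000_000, 8  # kbps, 8 kbps granularity


@dataclass
class Acl:
    acl_id: int                                   # AclId (must be unique)
    acl_type: str                                 # Type
    name: str = ""                                # Name
    vlan_list: List[int] = field(default_factory=list)  # VlanList (inVlan)
    port_list: List[str] = field(default_factory=list)  # PortList (in/outPort)
    default_action: str = "permit"                # DefaultAction
    control_pkt_action: Optional[str] = None      # ControlPktAction
    state: str = "enable"                         # State
    pkt_type: str = "ipv4"                        # PktType: ipv4 or ipv6
    match_type: str = "both"                      # MatchType (inVsn)
    isid: Optional[int] = None                    # Isid (inVsn); 0 = IP Shortcut
    default_svc_rate: Optional[int] = None        # DefaultSvcRate, kbps
    default_peak_rate: Optional[int] = None       # DefaultPeakRate, kbps


def _check_rate(label: str, value: Optional[int], problems: List[str]) -> None:
    """Both rate limits accept 8-4000000000 kbps in steps of 8 kbps."""
    if value is None:
        return
    if not RATE_MIN <= value <= RATE_MAX:
        problems.append(f"{label} {value} is outside {RATE_MIN}-{RATE_MAX} kbps")
    elif value % RATE_STEP:
        problems.append(f"{label} {value} is not a multiple of {RATE_STEP} kbps")


def lint_acl(acl: Acl, nni_ports: FrozenSet[str] = frozenset(),
             known_isids: FrozenSet[int] = frozenset()) -> List[str]:
    """Return the rule violations for one ACL; an empty list means clean."""
    problems: List[str] = []
    if acl.acl_type not in ACL_TYPES:
        return [f"unknown Type {acl.acl_type!r}"]
    if acl.default_action not in ACTIONS:
        problems.append(f"DefaultAction must be permit or deny, got {acl.default_action!r}")
    if acl.state not in ("enable", "disable"):
        problems.append(f"State must be enable or disable, got {acl.state!r}")
    if acl.pkt_type not in ("ipv4", "ipv6"):
        problems.append(f"PktType must be ipv4 or ipv6, got {acl.pkt_type!r}")
    # VlanList applies only to inVlan; PortList only to inPort and outPort.
    if acl.acl_type == "inVlan" and not acl.vlan_list:
        problems.append("inVlan ACL has an empty VlanList")
    if acl.acl_type in ("inPort", "outPort") and not acl.port_list:
        problems.append(f"{acl.acl_type} ACL has an empty PortList")
    # IPv4 egress filters share filter hardware with the egress vIST rules, so
    # they must stay off NNI ports.
    if acl.acl_type == "outPort" and acl.pkt_type == "ipv4":
        clash = sorted(set(acl.port_list) & nni_ports)
        if clash:
            problems.append(f"IPv4 outPort ACL on NNI port(s) {clash} conflicts with egress vIST filter rules")
    if acl.acl_type == "inVsn":
        if acl.control_pkt_action is not None:
            problems.append("inVsn ACL: ControlPktAction is not supported (control packets go to the CPU)")
        if acl.match_type not in MATCH_TYPES:
            problems.append(f"MatchType must be one of {sorted(MATCH_TYPES)}, got {acl.match_type!r}")
        if acl.isid is None:
            problems.append("inVsn ACL needs an Isid (0 for IP Shortcut)")
        elif acl.isid == 0 and acl.match_type != "both":
            problems.append("IP Shortcut (Isid 0) is supported only with MatchType both")
        elif acl.isid != 0 and known_isids and acl.isid not in known_isids:
            problems.append(f"I-SID {acl.isid} is not configured on this fabric node")
    elif acl.control_pkt_action is not None and acl.control_pkt_action not in ACTIONS:
        problems.append(f"ControlPktAction must be permit or deny, got {acl.control_pkt_action!r}")
    _check_rate("DefaultSvcRate", acl.default_svc_rate, problems)
    _check_rate("DefaultPeakRate", acl.default_peak_rate, problems)
    return problems


def lint_acls(acls: List[Acl], **kwargs) -> Dict[int, List[str]]:
    """Lint a whole set; AclId must be unique across the set."""
    report: Dict[int, List[str]] = {}
    seen = set()
    for acl in acls:
        probs = lint_acl(acl, **kwargs)
        if acl.acl_id in seen:
            probs.append(f"duplicate AclId {acl.acl_id}")
        seen.add(acl.acl_id)
        if probs:
            report[acl.acl_id] = probs
    return report


if __name__ == "__main__":
    # Constructed sample: a clean inVlan ACL, an IPv4 egress ACL that lands on
    # an assumed NNI port 1/1, and an inVsn ACL that pairs IP Shortcut with the
    # wrong match type and uses an off-granularity rate.
    sample = [
        Acl(1, "inVlan", "guest-in", vlan_list=[100], default_action="deny"),
        Acl(2, "outPort", "egress-v4", port_list=["1/1", "1/2"]),
        Acl(3, "inVsn", "vsn-shortcut", match_type="uniOnly", isid=0, default_svc_rate=12),
    ]
    for acl_id, probs in lint_acls(sample, nni_ports=frozenset({"1/1"})).items():
        print(acl_id, probs)
```

Feed it the ACLs you intend to create together with the set of NNI ports and the I-SIDs already present on the node; any non-empty report is something the ACL tab would either reject or, worse, accept and silently misbehave on.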