Access Control Entries
| Feature | Product | Release introduced |
|---|---|---|
| QoS Access Control Entries (ACE) | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7400 Series | VOSS 8.0 |
| Security ACEs | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7400 Series | VOSS 8.0 |
| IPv4 ACL filter enhancement - Apply ACE with both Security and QoS actions | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | Fabric Engine 8.7 |
| | 5520 Series | Fabric Engine 8.7 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4900 Series | Not Supported |
| | VSP 7400 Series | VOSS 8.7 |
| Filter enhancement - Apply ACE to Routed Packets only | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.4 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4900 Series | VOSS 8.4 |
| | VSP 7400 Series | VOSS 8.4 |
| Policy Based Routing (redirect-next-hop) | 5320 Series | Fabric Engine 8.6 |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7400 Series | VOSS 8.0 |
| Policy Based Routing (redirect-next-hop) with VRF support | 5320 Series | Fabric Engine 8.6. Only 5320-48P-8XE and 5320-48T-8XE support more than one VRF with IP configuration. |
| | 5420 Series | VOSS 8.4 |
| | 5520 Series | VOSS 8.2.5 |
| | 5720 Series | Fabric Engine 8.7 |
| | 7520 Series | Fabric Engine 8.10 |
| | 7720 Series | Fabric Engine 8.10 |
| | VSP 4900 Series | VOSS 8.1 |
| | VSP 7400 Series | VOSS 8.0 |

The switch filter rules are defined using Access Control Entries (ACE). An ACE is an ordered set of filter rules contained in an Access Control List (ACL). ACE rules are divided into the following three components:
- Operators
- Attributes
- Actions
An ACE generally operates on fields in a packet. If a packet field matches an ACE rule, the system executes the action specified. As each packet enters through an interface with an associated ACL, the system scans the ACE list configured on that ACL and matches on the packet fields. If multiple ACE rules are associated with the ACL, the lower ACE ID will have a higher precedence.
Operators
ACEs use operators to match on packet fields. The switch supports the following operators:
Equal-to
This rule operator looks for an exact match with the field defined. If the field matches exactly with the rule, the system will return a match (hit). If the rule does not match, the search continues and at the end of the search a miss is returned.
Mask
ACL-based filters provide the mask operator to match on Layer 2, Layer 3, and Layer 4 packet fields. The mask operator is used to mask bits in packet fields during a search or to match on a partial value of a packet field. This section provides examples of the mask operator.
If a mask bit is set to 1, it means it is not part of the match criteria (treated as do not care), and a mask bit of 0 means that the value represented is part of the match criteria. You can use the mask operator for the following attributes:
- source MAC address
- destination MAC address
- VLAN ID
- Dot1p
- IPv4/IPv6 source address
- IPv4/IPv6 destination address
- destination IP address
- DSCP
- Layer 4 source port
- Layer 4 destination port
- TCP flags
Note
MAC addresses cannot be configured as attributes for IPv6 filters.
- If you use a decimal number for an IP address mask, it specifies the most significant bits of the provided IP address to match on. For example, a mask of 24 used with an IP address is the same as a mask of 0.0.0.255, and a mask of 8 used with an IP address is the same as a mask of 0.255.255.255.
- If you use a decimal number for a MAC address mask, it specifies the least significant bits of the provided MAC address to ignore. For example, a mask of 32 used with a MAC address is the same as a mask of 0x0000ffffffff, and a mask of 16 used with a MAC address is the same as a mask of 0x00000000ffff.
Note
Unlike the standard convention, for ACL filter configuration, a mask bit value of '1' specifies a do-not-care bit, and a value of '0' signifies a must-match bit.
The following table explains the mask operator for MAC addresses.
| Rule | Result |
|---|---|
| filter acl ace ethernet 10 10 dst-mac mask 01:00:5e:00:00:01 0x000000FFFFFF | The rule matches only on the most significant 24 bits as they are not masked, for example, 01:00:5e, and does not care about the least significant 24 bits because they are masked; the least significant 24 bits can have a value of 00:00:00 - FF:FF:FF. |
| filter acl ace ethernet 10 10 dst-mac mask 0x01:00:5e:00:00:01 0xFFFFFFFF0000 | The rule matches only on the least significant 16 bits because they are not masked, for example, 00:01, and does not care about the most significant 32 bits because they are masked; the most significant 32 bits can have a value of 00:00:00:00 – FF:FF:FF:FF. |
| filter acl ace ethernet 10 10 dst-mac mask 0x01:00:5e:00:00:01 0xFF00FF0000FF | The rule matches only on the bits that are not masked, which are all the zeroes; X represents a do-not-care digit (0xXX:00:XX:00:00:XX). |

The following table explains the mask operator for IP addresses.
| Rule | Result |
|---|---|
| filter acl ace ip 10 10 src-ip mask 2.10.10.12 0.255.255.255 | The rule matches only the most significant 8 bits and does not care about the value of the remaining 24 bits (for example, 10.10.12) because they are masked. Packets with a source IP address of 2.15.16.122 or 2.3.4.5 match on the filter rule while packets with a source IP address of 3.10.10.12 and 4.10.10.12 do not match on the filter rule. |
| filter acl ace ip 10 10 src-ip mask 3.4.5.6 255.255.255.0 | The rule matches only the least significant 8 bits, for example, 6, and does not care about the most significant 24 bits, 3.4.5. Packets with a source IP address of 17.16.5.6 or 192.168.1.6 match on the filter rule while packets with a source IP address of 3.4.5.4 or 3.4.5.7 do not match on the filter rule. |

The following table explains the mask operator for Layer 4 source port.
| Rule | Result |
|---|---|
| filter acl ace protocol 10 10 src-port mask 80 0xF | The filter rule matches on Layer 4 source port 80 (1010000). The mask value 0xF (1111) masks the least significant 4 bits, which means source port 81 (1010001) through 95 (1011111) also match this filter rule. This means the range 80–95 is a match on this rule. |

The following table demonstrates the resulting action based on mask configuration and example packets.
| Filter configuration | Address examples that match the filter | Address examples that do not match the filter |
|---|---|---|
| Ethernet mask:<br>filter acl 1000 type inport<br>filter acl port 1000 1/5,1/11<br>filter acl ace 1000 12<br>filter acl ace ethernet 1000 12 src-mac mask 00:00:11:11:16:00 0x00ff000000f0<br>filter acl ace action 1000 12 permit count<br>filter acl ace 1000 12 enable | Source MAC:<br>00:01:11:11:16:10<br>00:10:11:11:16:f0<br>00:1f:11:11:16:10<br>00:ff:11:11:16:f0<br>00:00:11:11:16:60<br>00:e6:11:11:16:e0 | Source MAC:<br>00:00:11:11:16:01<br>00:ff:11:11:16:f1 |
| filter acl ace 1000 1000<br>filter acl ace ethernet 1000 1000 dst-mac mask 00:00:00:64:16:00 0x00000060001f<br>filter acl ace action 1000 1000 deny count<br>filter acl ace 1000 1000 enable | Destination MAC:<br>00:00:00:64:16:01<br>00:00:00:04:16:01<br>00:00:00:24:16:1f<br>00:00:00:64:16:1f<br>00:00:00:44:16:10<br>00:00:00:04:16:05 | Destination MAC:<br>00:00:00:24:16:20<br>00:00:00:64:16:20<br>00:00:00:63:16:01<br>00:00:00:65:16:01 |
| IP mask (dotted decimal notation):<br>filter acl 10 type outport<br>filter acl port 10 1/13<br>filter acl ace 10 11<br>filter acl ace ethernet 10 11 ether-type eq ip<br>filter acl ace ip 10 11 src-ip mask 192.168.4.0 0.0.0.31<br>filter acl ace action 10 11 permit count<br>filter acl ace 10 11 enable | Source IP:<br>192.168.4.1<br>192.168.4.10<br>192.168.4.30<br>192.168.4.31 | Source IP:<br>192.168.3.1<br>192.168.4.32 |
| filter acl ace 10 12<br>filter acl ace ethernet 10 12 ether-type eq ip<br>filter acl ace ip 10 12 dst-ip mask 192.168.7.0 0.0.0.3<br>filter acl ace action 10 12 deny count<br>filter acl ace 10 12 enable | Destination IP:<br>192.168.7.1<br>192.168.7.3 | Destination IP:<br>192.168.7.4<br>192.168.7.5 |
| IP mask (decimal notation):<br>filter acl 10 type outport<br>filter acl port 10 1/13<br>filter acl ace 10 11<br>filter acl ace ethernet 10 11 ether-type eq ip<br>filter acl ace ip 10 11 src-ip mask 192.168.4.0 255.255.255.31<br>filter acl ace action 10 11 permit count<br>filter acl ace 10 11 enable | Source IP:<br>192.168.4.1<br>192.168.4.10<br>192.168.4.30<br>192.168.4.31 | Source IP:<br>192.168.3.1<br>192.168.4.32 |
| filter acl ace 10 12<br>filter acl ace ethernet 10 12 ether-type eq ip<br>filter acl ace ip 10 12 dst-ip mask 192.168.7.0 255.255.255.3<br>filter acl ace action 10 12 deny count<br>filter acl ace 10 12 enable | Destination IP:<br>192.168.7.1<br>192.168.7.3 | Destination IP:<br>192.168.7.4<br>192.168.7.5 |
| Protocol mask:<br>filter acl 901 type inport<br>filter acl port 901 1/2<br>filter acl ace 901 1<br>filter acl ace ip 901 1 ip-protocol-type eq tcp<br>filter acl ace protocol 901 1 src-port mask 256 0xff<br>filter acl ace action 901 1 deny count<br>filter acl ace 901 1 enable<br>This mask implies packets with TCP source port 256–511 match the filter, while 0–255 and > 511 miss the filter. | TCP source port 256<br>TCP source port 356<br>TCP source port 511 | TCP source port 255<br>TCP source port 512 |

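The inverted-mask rule is easy to get backwards when reviewing a filter, so the following added example (not part of the vendor documentation) models the match in Python and replays the Ethernet, dotted-decimal IP, and protocol rows of the table above against it. The function names are hypothetical; the rule values and sample addresses are the ones shown on this page.

```python
import ipaddress

def ip(text):   # dotted IPv4 -> int
    return int(ipaddress.IPv4Address(text))

def mac(text):  # aa:bb:cc:dd:ee:ff -> int
    return int(text.replace(":", ""), 16)

def ip_mask_from_decimal(bits_to_match):
    """Decimal IP mask = count of most significant bits to match (24 -> 0.0.0.255)."""
    return (1 << (32 - bits_to_match)) - 1

def mac_mask_from_decimal(bits_to_ignore):
    """Decimal MAC mask = count of least significant bits to ignore (32 -> 0x0000ffffffff)."""
    return (1 << bits_to_ignore) - 1

def ace_match(field, value, mask):
    """Inverted mask: a 1 bit is do-not-care, a 0 bit must equal the rule value."""
    return (field ^ value) & ~mask == 0

def match_count(mask):
    """Number of distinct field values a masked rule admits (2 per do-not-care bit)."""
    return 1 << bin(mask).count("1")

def port_range(value, mask):
    """(low, high) when the mask is a run of low-order 1 bits, else None."""
    if mask & (mask + 1):          # do-not-care bits are not contiguous from bit 0
        return None
    low = value & ~mask
    return low, low | mask

# Rules and sample addresses copied from the table above:
# (attribute, parser, rule value, rule mask, expected hits, expected misses)
PAGE_EXAMPLES = [
    ("src-mac", mac, "00:00:11:11:16:00", 0x00FF000000F0,
     ["00:01:11:11:16:10", "00:10:11:11:16:f0", "00:1f:11:11:16:10",
      "00:ff:11:11:16:f0", "00:00:11:11:16:60", "00:e6:11:11:16:e0"],
     ["00:00:11:11:16:01", "00:ff:11:11:16:f1"]),
    ("dst-mac", mac, "00:00:00:64:16:00", 0x00000060001F,
     ["00:00:00:64:16:01", "00:00:00:04:16:01", "00:00:00:24:16:1f",
      "00:00:00:64:16:1f", "00:00:00:44:16:10", "00:00:00:04:16:05"],
     ["00:00:00:24:16:20", "00:00:00:64:16:20",
      "00:00:00:63:16:01", "00:00:00:65:16:01"]),
    ("src-ip", ip, "192.168.4.0", ip("0.0.0.31"),
     ["192.168.4.1", "192.168.4.10", "192.168.4.30", "192.168.4.31"],
     ["192.168.3.1", "192.168.4.32"]),
    ("dst-ip", ip, "192.168.7.0", ip("0.0.0.3"),
     ["192.168.7.1", "192.168.7.3"], ["192.168.7.4", "192.168.7.5"]),
    ("src-port", int, "256", 0xFF, ["256", "356", "511"], ["255", "512"]),
]

def disagreements():
    """Return (attribute, sample) pairs where the model and the table differ."""
    bad = []
    for attr, parse, value, mask, hits, misses in PAGE_EXAMPLES:
        for sample in hits + misses:
            if ace_match(parse(sample), parse(value), mask) != (sample in hits):
                bad.append((attr, sample))
    return bad

if __name__ == "__main__":
    print("disagreements with the table:", disagreements())
    print("src-port mask 80 0xF covers ports", port_range(80, 0xF))
    print("dst-mac mask 0x00000060001f admits", match_count(0x00000060001F), "addresses")
```

`match_count` is the quick audit check: it shows how many addresses or ports a non-contiguous mask really admits before a permit rule is enabled.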
Attributes
Attributes are fields in a packet (Layer 2, Layer 3, Layer 4) or other information related to the packet, such as slot/port, on which an ACE rule is applied. The following attribute list shows all the attributes and the operators that you can apply to them.
If you want to configure IPv6 attributes, you must configure an ACL to filter either IPv6 or non-IPv6 traffic. You can only configure IPv6 attributes for IPv6 packets. You cannot configure IPv6 attributes for non-IPv6 packets.
| Attribute Name | Operator |
|---|---|
| Slot/Port | Equal |
| Destination MAC (IPv4 filters only) | Equal, Mask |
| Source MAC (IPv4 filters only) | Equal, Mask |
| VLAN ID | Equal, Mask |
| .1p bits | Equal, Mask |
| Ether Type | Equal |
| ARP Opcode | Equal |
| Source IP | Equal, Mask |
| Destination IP | Equal, Mask |
| Protocol Type | Equal |
| Type of Service | Equal, Mask |
| IP Fragmentation | Equal |
| IP Options | Equal |
| Layer 4 Destination Port | Equal, Mask |
| Layer 4 Source Port | Equal, Mask |
| TCP Flags | Equal, Mask |
| ICMP Message Type | Equal |
| Source IPv6 (IPv6 only) | Equal, Mask |
| Destination IPv6 (IPv6 only) | Equal, Mask |
| Next header (IPv6 only) | Equal |
| Traffic class (IPv6 only) | Equal |
| Routed only | Equal |

5320 Series Restrictions
Note the following restrictions to the attribute list:
- 48-port 5320 Series models support .1p bits for both IPv4 and IPv6 ACLs. 16-port and 24-port 5320 Series models support .1p bits for IPv4 ACLs only.
- 16-port and 24-port 5320 Series models are restricted to a maximum of 15 distinct values for each source/destination port. The following list identifies the reserved entries in the 15 number set:
  - 67-68 [DHCP]
  - 546-547 [DHCPv6]
  - 53 [DNS]
  - 23, 2323 [Telnet]
- 48-port 5320 Series models support TCP flags for both IPv4 and IPv6 ACLs. 16-port and 24-port 5320 Series models support TCP flags for IPv4 ACLs only.
- 48-port 5320 Series models support ICMP Message Type for both IPv4 and IPv6 ACLs. 16-port and 24-port 5320 Series models support ICMP Message Type for IPv4 ACLs only.
- Only the 48-port 5320 Series models support the attributes identified as IPv6 only.
Actions
Actions occur when the filter rule is hit or missed. The types of actions that the filter configuration can execute are split into two categories:
- Security actions supported by the ACE IDs.
- QoS actions supported by the ACE IDs.
Note
- Ingress ACLs support security and QoS ACE actions. Egress ACLs do not support QoS ACEs.
- For Fabric Engine switches, except for 5320 Series, the ACE ID range for Primary Bank is 1-1000 and for Secondary Bank, the ACE ID range is 1001-2000. The switch performs a parallel search on both ACE lists. If actions do not conflict, both actions apply. If actions conflict, the action from the range with higher priority applies.
The 5320 Series switches use a modified implementation for IPv4 ACL filters. In this implementation, there is no distinction between ACE IDs used for Security or QoS actions. You can configure Security and QoS actions in the ACE ID range 1-2000 and hence the switch does not perform a parallel search on the two ACE types.
If you apply multiple ACE rules, the lower ACE ID has a higher precedence.
Note
The ACE ID range for both security and QoS actions is different for different hardware platforms. For more information, see ACL Filters Behavior Differences.
The following tables show the supported switch actions:
| Security ACE Actions | User supplied parameters | Comments |
|---|---|---|
| mode | Permit or Deny | Applies to both Ingress and Egress ACLs. |
| redirect-next-hop | IP address, Mode | Redirects the packet to the user supplied IP address. If the switch cannot resolve ARP for the user-specified next-hop, packets that match the filter are dropped. Applies to ingress IPv4 ACLs only (routed and Layer 2). |
| count | None | Collect ACE statistics. Applies to Ingress and Egress ACLs. |
| monitor-dst-mlt | mlt-id | Applies to Ingress ACLs only. |
| monitor-dst-ports | Port | Applies to Ingress ACLs only. |
| monitor I-SID offset | None | The actual monitor I-SID value to which packets are mirrored. |

| QoS ACE Actions | User supplied parameters | Comments |
|---|---|---|
| | | Applies to Ingress ACLs. Note: remark-dot1p and internal-qos do not apply to IPv6 filtering. Each QoS action has its own user-supplied parameters. Note: Some hardware platforms do not support remark-dot1p and support remark-DSCP for Layer 3 routed packets only. |
| count | None | Applies to Ingress and Egress ACLs. |

When you configure an IPv6 ACL with an ACE action of remark DSCP for a mirrored packet, the mirrored copy does not include the remark DSCP value. Because of port-mirroring functionality, the mirrored copy does not reflect the changes that occur in the switch to the outgoing packet. As a result, the mirrored copy is not identical to the outgoing packet. For more information, see Port Mirroring.
Internal QoS Level and Remarking
Setting the internal QoS level is an ingress action. Remarking is an egress action.
The internal-qos action assigns a new value to the packet internal-qos. It determines the packet egress queue, outgoing packet dot1p value and egress-DSCP value.
The remark-dot1p action assigns a new dot1p value to the outgoing packet. The remark-DSCP action assigns a new DSCP value to the outgoing packet.
If a packet is filtered by a rule set to internal-qos action only, then the packet internal qos, egress queue, egress dot1p and egress DSCP will be derived from the filter internal-qos value.
If a packet is filtered by a rule set to remark-dot1p only or remark-DSCP only or both remark actions, then the packet will be remarked with the new dot1p or DSCP, or both. However, these remarked values have no impact on the packet's internal-qos, which remains based on the native packet coming into the switch.
If a packet is filtered by a rule set with all three qos actions, then the internal-qos will determine the egress queue, but the remark-dot1p determines the egress dot1p and the remark-DSCP determines the egress DSCP.
If you want to change the internal QoS for remarked incoming packets, you have to add the permit internal-qos command as shown in the following ACL filter example.
```
filter acl 10 type inPort name "ACL-CTI"
filter acl port 10 1/2-1/50
filter acl ace 10 1302 name "CIFS-SCCM Source"
filter acl ace action 10 1302 permit remark-dscp phbaf11 remark-dot1p 1 count
filter acl ace action 10 1302 permit internal-qos 0
filter acl ace ethernet 10 1302 ether-type eq ip
filter acl ace ip 10 1302 src-ip mask 0.0.0.0 255.255.255.255
filter acl ace ip 10 1302 ip-protocol-type eq tcp
filter acl ace protocol 10 1302 src-port mask 0 0xffff
```
When a packet goes through the switch, the internal QoS level governs which queue the packet uses on egress. To verify which queue the packets are egressing on, use the show qos cosq-stats interface [value] command. For more information, see View Port Egress CoS Queue Statistics.
Conflict and Precedence
The switch supports both port-based and VLAN-based ACLs. A port can be associated with both a port-based ACL and a VLAN-based ACL, as shown in Access Control Lists. Within an ACL, a rule match can generate security actions and QoS actions. The system goes through a set of precedence levels to resolve any conflicting actions between the port-based ACL lookup and the VLAN-based ACL lookup.
The following table provides a list of search results and actions for all possible conflicts between port and VLAN-based ACLs and security and QoS ACE for each ACL.
| Port-based ACL lookup: Security | Port-based ACL lookup: QoS | Actions performed on port-based ACL: Security action | Actions performed on port-based ACL: QoS action | If VLAN-based ACL is enabled: Security | If VLAN-based ACL is enabled: QoS | Actions performed on VLAN-based ACL search: Security action | Actions performed on VLAN-based ACL search: QoS action |
|---|---|---|---|---|---|---|---|
| Security ACE search is a Miss and ACL mode is Permit. | QoS ACE search is a Miss | Default security statistics collected | Default QoS statistics collected | Security ACE search is a Miss and mode is set to Permit | QoS ACE search is a Miss | Collect default Miss statistics | Collect default Miss statistics |
| | | | | Security ACE search is a Miss and mode is set to Permit | QoS ACE search returns a Hit | Collect default Miss statistics | Execute configured ACE and default ACL actions |
| | | | | Security ACE search is a Miss and mode is set to Deny | Search result is invalid, since security mode is set to Deny | Drop packet and collect default Miss statistics | No action is executed |
| | | | | Security ACE search is a Hit and mode is set to Permit | QoS ACE search returns a Miss | Execute configured ACE and default ACL actions | Collect default Miss statistics |
| | | | | Security ACE search is a Hit and mode is set to Permit | QoS ACE search is a Hit | Execute configured ACE and default ACL actions | Execute configured ACE and default ACL actions |
| | | | | Security ACE search is a Hit and mode is set to Deny | QoS ACE search returns a Hit | Discard the packet and execute configured ACE and global actions | No action is executed |
| Security ACE is Miss and ACL mode is Deny | Search result is invalid since security mode is set to Deny | Discard the packet and collect default statistics | No action is executed | VLAN-based ACL is not configured | VLAN-based ACL is not configured | No action is executed | No action is executed |
| Security ACE search is a Miss and ACL mode is set to Permit | QoS ACE search is a Hit | Default search statistics collected | Execute configured ACE and default ACL actions | Security ACE search is a Miss and mode is set to Permit | Port-based ACL's QoS action takes precedence. QoS search result invalid. | Collect default Miss statistics | No action is executed |
| | | | | Security ACE search is a Miss and mode is set to Deny | Port-based ACL's QoS action takes precedence. QoS search result invalid. | Drop packet and collect default Miss statistics | No action is executed |
| | | | | Security ACE search is a Hit and mode is set to Permit | Port-based ACL's QoS action takes precedence. QoS search result invalid. | Execute configured ACE and default ACL actions | No action is executed |
| | | | | Security ACE search is a Hit and mode is set to Deny | Port-based ACL's QoS action takes precedence. QoS search result invalid. | Discard the packet and execute configured ACE and global actions | No action is executed |
| Security ACE search is a Hit and ACE mode is Permit | QoS ACE search is a Miss | Execute configured ACE and default ACL actions | Collect default Miss statistics | Port-based ACL's Security action takes precedence. Security search result invalid. | QoS ACE search returns a Miss | No action is executed | Collect default Miss statistics |
| | | | | Port-based ACL's Security action takes precedence. Security search result invalid. | QoS ACE search returns a Hit | No action is executed | Execute configured ACE and default ACL actions |
| Security ACE search is a Hit and ACE mode is Permit | QoS ACE search is a Hit | Execute configured ACE and default ACL actions | Execute configured ACE and default ACL actions. | Port-based ACL's Security action takes precedence. Security search result invalid. | Port-based ACL's QoS action takes precedence. QoS search result invalid. | No action is executed | No action is executed |
| Security ACE search is a Hit and ACE mode is Deny | Search result is invalid since Security mode is set to Deny | Discard the packet and collect default statistics | No action is executed | Port-based ACL's Security action takes precedence. Security search result invalid. | Port-based ACL's QoS action takes precedence. QoS search result invalid. | No action is executed | No action is executed |

Common ACE uses and configuration
The following table describes configurations you can use to perform common actions.
| Function | ACE configuration |
|---|---|
| Permit a specific host to access the network | filter acl ace 1 5 name "Permit_access_to_198.51.100.0"<br>filter acl ace action 1 5 permit<br>filter acl ace ethernet 1 5 ether-type eq ip<br>filter acl ace ip 1 5 src-ip eq 198.51.100.0<br>filter acl ace 1 5 enable |
| Deny a specific host from accessing the network | filter acl ace 1 5 name "Deny_access_to_198.51.100.0"<br>filter acl ace action 1 5 deny<br>filter acl ace ethernet 1 5 ether-type eq ip<br>filter acl ace ip 1 5 src-ip eq 198.51.100.0<br>filter acl ace 1 5 enable |
| Permit a specific range of hosts to access the network | filter acl ace 1 5 name "Permit_access_to_1.2.3.4-1.2.3.7"<br>filter acl ace action 1 5 permit<br>filter acl ace ethernet 1 5 ether-type eq ip<br>filter acl ace ip 1 5 src-ip mask 1.2.3.4 0.0.0.3<br>filter acl ace 1 5 enable |
| Deny Telnet traffic | filter acl ace 1 5 name "Deny_telnet"<br>filter acl ace action 1 5 deny<br>filter acl ace ethernet 1 5 ether-type eq ip<br>filter acl ace ip 1 5 ip-protocol-type eq tcp<br>filter acl ace protocol 1 5 dst-port eq 23<br>filter acl ace 1 5 enable |
| Deny FTP traffic | filter acl ace 1 5 name "Deny_ftp"<br>filter acl ace action 1 5 deny<br>filter acl ace ethernet 1 5 ether-type eq ip<br>filter acl ace ip 1 5 ip-protocol-type eq tcp<br>filter acl ace protocol 1 5 dst-port eq 21<br>filter acl ace 1 5 enable |

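Because the lower ACE ID has higher precedence, a broad masked ACE can make a later, narrower ACE unreachable. The following added example (not from the vendor documentation) flags such shadowed entries for src-ip rules; it assumes all ACEs sit in the same ACL and bank and that the first matching ACE decides the security action. The `Ace`, `make_ace`, `covers`, and `shadowed` names and ACE IDs 10 through 40 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:                      # hypothetical model of one src-ip ACE
    ace_id: int
    action: str                 # "permit" or "deny"
    value: int                  # rule address
    mask: int                   # inverted mask: 1 = do not care, 0 = must match

def make_ace(ace_id, action, value, mask="0.0.0.0"):
    """A mask of 0.0.0.0 models the eq operator (every bit must match)."""
    to_int = lambda text: int(ipaddress.IPv4Address(text))
    return Ace(ace_id, action, to_int(value), to_int(mask))

def covers(earlier, later):
    """True if every address that matches `later` also matches `earlier`."""
    # later's do-not-care bits must be a subset of earlier's, and the two
    # rule values must agree on every bit that earlier cares about.
    no_extra_wildcards = (later.mask & ~earlier.mask) == 0
    same_fixed_bits = ((earlier.value ^ later.value) & ~earlier.mask) == 0
    return no_extra_wildcards and same_fixed_bits

def shadowed(aces):
    """Return (shadowed_id, shadowing_id, actions_conflict) in ACE ID order."""
    ordered = sorted(aces, key=lambda a: a.ace_id)   # lower ID = higher precedence
    findings = []
    for index, later in enumerate(ordered):
        for earlier in ordered[:index]:
            if covers(earlier, later):
                findings.append((later.ace_id, earlier.ace_id,
                                 earlier.action != later.action))
                break
    return findings

# Constructed ACL. ACE 5 is the "range of hosts" rule from the table above.
SAMPLE_ACL = [
    make_ace(40, "deny", "1.2.3.0", "0.0.0.7"),     # broader than ACE 5: still reachable
    make_ace(5, "permit", "1.2.3.4", "0.0.0.3"),    # hosts 1.2.3.4-1.2.3.7
    make_ace(10, "deny", "1.2.3.6"),                # never hit: ACE 5 permits it first
    make_ace(20, "deny", "198.51.100.0"),           # unrelated host: reachable
    make_ace(30, "permit", "1.2.3.4", "0.0.0.1"),   # redundant subset of ACE 5
]

if __name__ == "__main__":
    for ace_id, by_id, conflict in shadowed(SAMPLE_ACL):
        kind = "conflicting action" if conflict else "redundant"
        print(f"ACE {ace_id} is shadowed by ACE {by_id} ({kind})")
```

A finding with a conflicting action is the one to review first: the deny in ACE 10 never takes effect even though it appears in the configuration.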