Access Control Entries

Table 1. Access Control Entry product support

Feature

Product

Release introduced

QoS Access Control Entries (ACE)

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

7520 Series

Fabric Engine 8.10

7720 Series

Fabric Engine 8.10

VSP 4900 Series

VOSS 8.1

VSP 7400 Series

VOSS 8.0

Security ACEs

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

7520 Series

Fabric Engine 8.10

7720 Series

Fabric Engine 8.10

VSP 4900 Series

VOSS 8.1

VSP 7400 Series

VOSS 8.0

IPv4 ACL filter enhancement - Apply ACE with both Security and QoS actions

5320 Series

Fabric Engine 8.6

5420 Series

Fabric Engine 8.7

5520 Series

Fabric Engine 8.7

7520 Series

Fabric Engine 8.10

7720 Series

Fabric Engine 8.10

5720 Series

Fabric Engine 8.7

VSP 4900 Series

Not Supported

VSP 7400 Series

VOSS 8.7

Filter enhancement - Apply ACE to Routed Packets only

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.4

5720 Series

Fabric Engine 8.7

7520 Series

Fabric Engine 8.10

7720 Series

Fabric Engine 8.10

VSP 4900 Series

VOSS 8.4

VSP 7400 Series

VOSS 8.4

Policy Based Routing (redirect-next-hop)

5320 Series

Fabric Engine 8.6

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

7520 Series

Fabric Engine 8.10

7720 Series

Fabric Engine 8.10

VSP 4900 Series

VOSS 8.1

VSP 7400 Series

VOSS 8.0

Policy Based Routing (redirect-next-hop) with VRF support

5320 Series

Fabric Engine 8.6

Only 5320-48P-8XE and 5320-48T-8XE support more than one VRF with IP configuration.

5420 Series

VOSS 8.4

5520 Series

VOSS 8.2.5

5720 Series

Fabric Engine 8.7

7520 Series

Fabric Engine 8.10

7720 Series

Fabric Engine 8.10

VSP 4900 Series

VOSS 8.1

VSP 7400 Series

VOSS 8.0

The switch filter rules are defined using Access Control Entries (ACE). An ACE is an ordered set of filter rules contained in an Access Control List (ACL). ACE rules are divided into the following three components:

  • Operators

  • Attributes

  • Actions

An ACE generally operates on fields in a packet. If a packet field matches an ACE rule, the system executes the action specified. As each packet enters through an interface with an associated ACL, the system scans the ACE list configured on that ACL and matches on the packet fields. If multiple ACE rules are associated with the ACL, the lower ACE ID will have a higher precedence.

Operators

ACEs use operators to match on packet fields. The switch supports the following operators:

  • Equal-to

    This rule operator looks for an exact match with the field defined. If the field matches exactly with the rule, the system will return a match (hit). If the rule does not match, the search continues and at the end of the search a miss is returned.

  • Mask

    ACL-based filters provide the mask operator to match on Layer 2, Layer 3, and Layer 4 packet fields. The mask operator is used to mask bits in packet fields during a search or to match on a partial value of a packet field. This section provides examples of the mask operator.

    If a mask bit is set to 1, it means it is not part of the match criteria (treated as do not care), and a mask bit of 0 means that the value represented is part of the match criteria. You can use the mask operator for the following attributes:

    • source MAC address

    • destination MAC address

    • VLAN ID

    • Dot1p

    • IPv4/IPv6 source address

    • IPv4/IPv6 destination address

    • destination IP address

    • DSCP

    • Layer 4 source port

    • Layer 4 destination port

    • TCP flags

    Note

    Note

    MAC Address cannot be configured as attributes for IPv6 filters.

The syntax for ACL and ACE configuration of a mask is similar to the use of equal operator, except that you provide the mask value. You can specify a mask value (number) to represent the bits to mask in the attribute. You can define a mask in different ways depending on the attribute you need to mask:
  • If you use a decimal number for an IP address mask, it specifies the most significant bits of the provided IP address to match on. For example, a mask of 24 used with an IP address is the same as a mask of 0.0.0.255, and a mask of 8 used with an IP address is the same as a mask of 0.255.255.255.

  • If you use a decimal number for a MAC address mask, it specifies the least significant bits of the provided MAC address to ignore. For example, a mask of 32 used with a MAC address is the same as a mask of 0x0000ffffffff, and a mask of 16 used with a MAC address is the same as a mask of 0x00000000ffff.

Note

Note

Unlike the standard convention, for ACL filter configuration, a mask bit value of '1' specifies a do-not-care bit, and value of '0' signifies must-match bit.

The following table explains the mask operator for MAC addresses.

Table 2. Mask operator for MAC address

Rule

Result

filter acl ace ethernet 10 10 dst-mac mask 01:00:5e:00:00:01 0x000000FFFFFF

The rule matches only on the most significant 24 bits as they are not masked, for example, 01:00:5e, and does not care about the least significant 24 bits because they are masked; the least significant 24 bits can have a value of 00:00:00 - FF:FF:FF.

filter acl ace ethernet 10 10 dst-mac mask 0x01:00:5e:00:00:01 0xFFFFFFFF0000

The rule matches only on the least significant 16 bits because they are not masked, for example, 00:01, and does not care about the most significant 32 bits because they are masked; the most significant 32 bits can have a value of 00:00:00:00 – FF:FF:FF:FF.

filter acl ace ethernet 10 10 dst-mac mask 0x01:00:5e:00:00:01 0xFF00FF0000FF

The rule matches only on the unmasked bits, for example, 0xXX:00:XX:00:00:XX. The rule matches only on the bits not masked, for example, all the zeroes and the x represents a do not care (0xXX:00:XX:00:00:XX)

The following table explains the mask operator for IP addresses.

Table 3. Mask operator for IP address

Rule

Result

filter acl ace ip 10 10 src-ip mask  2.10.10.12 0.255.255.255

The rule matches only the most significant 8 bits, and does not care about the value of the remaining 24 bits as they are considered masked. For example, 10.10.12. Packets with a source IP address of 2.15.16.122 or 2.3.4.5 match on the filter rule while packets with a source IP address of 3.10.10.12 and 4.10.10.12 do not match on the filter rule.

filter acl ace ip 10 10 src-ip mask 3.4.5.6 255.255.255.0

The rule matches only the least significant 8 bits, for example, 6, and does not case about the most significant 24 bits, 3.4.5. Packets with a source IP address of 17.16.5.6 or 192.168.1.6 match on the filter rule while packets with a source IP address of 3.4.5.4 or 3.4.5.7 do not match on the filter rule.

The following table explains the mask operator for Layer 4 source port.

Table 4. Mask operator for Layer 4 source port

Rule

Result

filter acl ace protocol 10 10 src-port mask 80 0xF

The filter rule matches on Layer 4 source port 80 (1010000). The mask value 0xF (1111) masks the least significant 4 bits, which means source port 81 (1010001) through 95 (1011111) also match this filter rule. This means the range 80–95 is a match on this rule.

The following table demonstrates the resulting action based on mask configuration and example packets.

Table 5. Mask operator configuration examples

Filter configuration

Address examples that match the filter

Address examples that do not match the filter

Ethernet mask:

filter acl 1000 type inport
filter acl port 1000 1/5,1/11
filter acl ace 1000 12
filter acl ace ethernet 1000 12 src-mac mask 00:00:11:11:16:00 0x00ff000000f0
filter acl ace action 1000 12 permit count
filter acl ace 1000 12 enable

Source MAC: 00:01:11:11:16:10 00:10:11:11:16:f0 00:1f:11:11:16:10 00:ff:11:11:16:f0 00:00:11:11:16:60 00:e6:11:11:16:e0

Source MAC: 00:00:11:11:16:01 00:ff:11:11:16:f1

filter acl ace 1000 1000
filter acl ace ethernet 1000 1000 dst-mac mask 00:00:00:64:16:00 0x00000060001f
filter acl ace action 1000 1000 deny count
filter acl ace 1000 1000 enable 

Destination MAC: 00:00:00:64:16:01 00:00:00:04:16:01 00:00:00:24:16:1f 00:00:00:64:16:1f 00:00:00:44:16:10 00:00:00:04:16:05

Destination MAC: 00:00:00:24:16:20 00:00:00:64:16:20 00:00:00:63:16:01 00:00:00:65:16:01

IP mask (dotted decimal notation):

filter acl 10 type outport
filter acl port 10 1/13
filter acl ace 10 11
filter acl ace ethernet 10 11 ether-type eq ip
filter acl ace ip 10 11 src-ip mask 192.168.4.0 0.0.0.31
filter acl ace action 10 11 permit count
filter acl ace 10 11 enable

Source IP: 192.168.4.1 192.168.4.10 192.168.4.30 192.168.4.31

Source IP: 192.168.3.1 192.168.4.32

filter acl ace 10 12
filter acl ace ethernet 10 12 ether-type eq ip
filter acl ace ip 10 12 dst-ip mask 192.168.7.0 0.0.0.3
filter acl ace action 10 12 deny count
filter acl ace 10 12 enable 

Destination IP: 192.168.7.1 192.168.7.3

Destination IP: 192.168.7.4 192.168.7.5

IP mask (decimal notation):

filter acl 10 type outport
filter acl port 10 1/13
filter acl ace 10 11
filter acl ace ethernet 10 11 ether-type eq ip
filter acl ace ip 10 11 src-ip mask 192.168.4.0 255.255.255.31
filter acl ace action 10 11 permit count
filter acl ace 10 11 enable

Source IP: 192.168.4.1 192.168.4.10 192.168.4.30 192.168.4.31

Source IP: 192.168.3.1 192.168.4.32

filter acl ace 10 12
filter acl ace ethernet 10 12 ether-type eq ip
filter acl ace ip 10 12 dst-ip mask 192.168.7.0 255.255.255.3
filter acl ace action 10 12 deny count
filter acl ace 10 12 enable 

Destination IP: 192.168.7.1 192.168.7.3

Destination IP: 192.168.7.4 192.168.7.5

Protocol mask:

filter acl 901 type inport
filter acl port 901 1/2
filter acl ace 901 1
filter acl ace ip 901 1 ip-protocol-type eq tcp
filter acl ace protocol 901 1 src-port mask 256 0xff
filter acl ace action 901 1 deny count
filter acl ace 901 1 enable

This mask implies packets with TCP source port 256–511 match the filter, while 0–255 and > 511 miss the filter.

TCP source port 256 TCP source port 356 TCP source port 511

TCP source port 255 TCP source port 512

Attributes

Attributes are fields in a packet (Layer 2, Layer 3, Layer 4) or other information related to the packet on which an ACE rule is applied like slot/port. Attribute list provides a list of all the attributes and the operators that you can apply to them.

If you want to configure IPv6 attributes, you must configure an ACL to filter either IPv6 or non-IPv6 traffic. You can only configure IPv6 attributes for IPv6 packets. You cannot configure IPv6 attributes for non-IPv6 packets.

Table 6. Attribute list

Attribute Name

Operator

Slot/Port

Equal

Destination MAC (IPv4 filters only)

Equal, Mask

Source MAC (IPv4 filters only)

Equal, Mask

VLAN ID

Equal, Mask

.1p bits

Equal, Mask

Ether Type

Equal

ARP Opcode

Equal

Source IP

Equal, Mask

Destination IP

Equal, Mask

Protocol Type

Equal

Type of Service

Equal, Mask

IP Fragmentation

Equal

IP Options

Equal

Layer 4 Destination Port

Equal, Mask

Layer 4 Source Port

Equal, Mask

TCP Flags

Equal, Mask

ICMP Message Type

Equal

Source IPv6 (IPv6 only)

Equal, Mask

Destination IPv6 (IPv6 only)

Equal, Mask

Next header (IPv6 only)

Equal

Traffic class (IPv6 only)

Equal

Routed only

Equal

Actions

Actions occur when the filter rule is hit or missed. The types of actions that the filter configuration can execute are split into two categories:

  • security actions supported by the ACE IDs.

  • QoS actions supported by the ACE IDs.

    Note

    Note

    • Ingress ACLs support security and QoS ACE actions. Egress ACLs do not support QoS ACEs.

The VSP 7400 Series switches use a modified implementation for IPv4 ACL filters. In this implementation, you can apply an IPv4 ACL filter ACE with both Security and QoS actions. The ACE IDs for Primary Bank range from 1-1000 and for Secondary Bank, ACE IDs range from 1001-2000. The switch performs a parallel search on both ACE lists. If actions do not conflict, both actions apply. If actions conflict, the action from the range with higher priority applies.

On VSP 4900 Series switches, filter rules that support security actions and QoS actions are stored separately. The switch performs a parallel search on both security and QoS ACE lists, which can result in distinct and non-conflicting actions.

For more information see ACL Filters Behavior Differences.

If you apply multiple ACE rules, the lower ACE ID has a higher precedence.

The following tables show the supported switch actions:

Table 7. Security ACE Actions

Security ACE Actions

User supplied parameters

Comments

mode

Permit or Deny

Applies to both Ingress and Egress ACLs.

redirect-next-hop

IP address, Mode

Redirects the packet to the user supplied IP address. If the switch cannot resolve ARP for the user-specified next-hop, packets that match the filter are dropped.

Applies to ingress IPv4 ACLs only (routed and Layer 2).

count

None

Collect ACE statistics. Applies to Ingress and Egress ACLs.

monitor-dst-mlt

mlt-id

Applies to Ingress ACLs only.

monitor-dst-ports

Port

Applies to Ingress ACLs only.

monitor I-SID offset

None

The actual monitor I-SID value to which packets are mirrored.

-

Table 8. QoS ACE Actions

QoS ACE Actions

User supplied parameters

Comments

  • remark-dscp

  • remark-dot1p

  • internal-qos

  • DCSP

  • dot1p (ingress only)

  • Internal-qos

Applies to Ingress ACLs.

Note:

remark-dot1p and internal-qos do not apply to IPv6 filtering.

Each QoS action has its own user-supplied parameters.

Note:

Some hardware platforms do not support remark-dot1p and supports remark-DSCP for Layer 3 routed packets only.

count

None

Applies to Ingress and Egress ACLs.

When you configure an IPv6 ACL with an ACE action of remark DSCP for a mirrored packet, the mirrored copy does not include the remark DSCP value. Because of port-mirroring functionality, the mirrored copy does not reflect the changes that occur in the switch to the outgoing packet. As a result, the mirrored copy is not identical to the outgoing packet. For more information, see Port Mirroring.

Internal QoS Level and Remarking

Setting the internal QoS level is an ingress action. Remarking is an egress action.

The internal-qos action assigns a new value to the packet internal-qos. It determines the packet egress queue, outgoing packet dot1p value and egress-DSCP value.

The remark-dot1p action assigns a new dot1p value to the outgoing packet.The remark-DSCP action assigns a new DSCP value to the outgoing packet.

If a packet is filtered by a rule set to internal-qos action only, then the packet internal qos, egress queue, egress dot1p and egress DSCP will be derived from the filter internal-qos value.

If a packet is filtered by a rule set to remark-dot1p only or remark-DSCP only or both remark actions, then the packet will be remarked with the new dot1p or DSCP, or both. However, these remarked values will not have any impact on the interal-qos packet. It will be based on the native packet coming into the switch.

If a packet is filtered by a rule set with all three qos actions, then the internal-qos will determine the egress queue, but the remark-dot1p determines the egress dot1p and the remark-DSCP determines the egress DSCP.

If you want to change the internal QoS for remarked incoming packets, you have to add the permit internal-qos command as shown in the following ACL filter example.

filter acl 10 type inPort name "ACL-CTI"
filter acl port 10 1/2-1/50 
filter acl ace 10 1302 name "CIFS-SCCM Source"
filter acl ace action 10 1302 permit remark-dscp phbaf11 remark-dot1p 1 count
filter acl ace action 10 1302 permit internal-qos 0
filter acl ace ethernet 10 1302 ether-type eq ip
filter acl ace ip 10 1302 src-ip mask 0.0.0.0 255.255.255.255
filter acl ace ip 10 1302 ip-protocol-type eq tcp
filter acl ace protocol 10 1302 src-port mask 0 0xffff

When a packet goes through the switch, the internal QoS level governs which queue the packet uses on egress. To verify which queue the packets are egressing on, use the show qos cosq-stats interface [value] command. For more information, see View Port Egress CoS Queue Statistics or View Port Egress CoS Queue Statistics.

Conflict and Precedence

The switch supports both port-based and VLAN-based ACLs. A port can be associated with both Port-based ACL and a VLAN-based ACL, as shown in Access Control Lists. Within an ACL, a rule match can generate security actions and QoS actions. The system goes through a set of precedence levels to resolve any conflicting actions between port-based ACL and VLAN-based ACL lookup.

The following table provides a list of search results and actions for all possible conflicts between port and VLAN-based ACLs and security and QoS ACE for each ACL.

Table 9. Conflict and Precedence resolution

Port-based ACL look up

Actions performed on Port-based ACL

If VLAN-based ACL is enabled

Actions performed on VLAN-based ACL search

Security

QoS

Security action

QoS action

Security

QoS

Security action

QoS action

Security ACE search is a Miss and ACL mode is Permit.

QoS ACE search is a Miss

Default security statistics collected

Default QoS statistics collected

Security ACE search is a Miss and mode is set to Permit

QoS ACE search is a Miss

Collect default Miss statistics

Collect default Miss statistics

Security ACE search is a Miss and mode is set to Permit

QOS ACE search returns a Hit

Collect default Miss statistics

Execute configured ACE and default ACL actions

Security ACE search is a Miss and mode is set to Deny

Search result is invalid, since security mode is set to Deny

Drop packet and collect default Miss statistics

No action is executed

Security ACE search is a Hit and mode is set to Permit

QOS ACE search returns a Miss

Execute configured ACE and default ACL actions

Collect default Miss statistics

Security ACE search is a Hit and mode is set to Permit

QoS ACE search is a Hit

Execute configured ACE and default ACL actions

Execute configured ACE and default ACL actions

Security ACE search is a Hit and mode is set to Deny

QoS ACE search returns a Hit

Discard the packet and execute configured ACE and global actions

No action is executed

Security ACE is Miss and ACL mode is Deny

Search result is invalid since security mode is set to Deny

Discard the packet and collect default statistics

No action is executed

VLAN-based ACL is not configured

VLAN-based ACL is not configured

No action is executed

No action is executed

Security ACE search is a Miss and ACL mode is set to Permit

QoS ACE search is a Hit

Default search statistics collected

Execute configured ACE and default ACL actions

Security ACE search is a Miss and mode is set to Permit

Port-based ACL's QoS action take precedence. QoS search result invalid.

Collect default Miss statistics

No action is executed

Security ACE search is a Miss and mode is set to Deny

Port-based ACL's QoS action take precedence. QoS search result invalid.

Drop packet and collect default Miss statistics

No action is executed

Security ACE search is a Hit and mode is set to Permit

Port-based ACL's QoS action take precedence. QoS search result invalid.

Execute configured ACE and default ACL actions

No action is executed

Security ACE search is a Hit and mode is set to Deny

Port-based ACL's QoS action take precedence. QoS search result invalid.

Discard the packet and execute configured ACE and global Actions

No action is executed

Security ACE search is a Hit and ACE mode is Permit

QoS ACE search is a Miss

Execute configured ACE and default ACL actions

Collect default Miss statistics

Port-based ACL‘s Security action take precedence. Security search result invalid

QoS ACE search returns a Miss

No action is executed

Collect default Miss statistics

Port-based ACL‘s Security action take precedence. Security search result invalid.

QoS ACE search returns a Hit

No action is executed

Execute configured ACE and default ACL actions

Security ACE search is a Hit and ACE mode is Permit

QoS ACE search is a Hit

Execute configured ACE and default ACL actions

Execute configured ACE and default ACL actions.

Port-based ACL‘s Security action take precedence. Security search result invalid

Port-based ACL‘s QoS action take precedence. QoS search result invalid.

No action is executed

No action is executed

Security ACE search is a Hit and ACE mode is Deny

Search result is invalid since Security mode is set to Deny

Discard the packet and collect default statistics

No action is executed

Port-based ACL‘s Security action take precedence. Security search result invalid

Port-based ACL‘s QoS action take precedence. QoS search result invalid.

No action is executed

No action is executed

Common ACE uses and configuration

The following table describes configurations you can use to perform common actions.

Table 10. Common ACE uses and configurations

Function

ACE configuration

Permit a specific host to access the network

  • Use action permit.

  • Configure the source IP address to be the host IP address.

filter acl ace 1 5 name
"Permit_access_to_198.51.100.0"
filter acl ace action 1 5 permit
filter acl ace ethernet 1 5 ether-type eq ip
filter acl ace ip 1 5 src-ip eq 198.51.100.0
filter acl ace 1 5 enable 

Deny a specific host from accessing the network

  • Use action deny.

  • Configure the source IP address to be the host IP address.

filter acl ace 1 5 name "Deny_access_to_198.51.100.0"
filter acl ace action 1 5 deny
filter acl ace ethernet 1 5 ether-type eq ip
filter acl ace ip 1 5 src-ip eq 198.51.100.0
filter acl ace 1 5 enable  

Permit a specific range of hosts to access the network

  • Use action permit.

  • Configure the source IP address to be the range of host IP addresses.

filter acl ace 1 5 name "Permit_access_to_1.2.3.4-1.2.3.7"
filter acl ace action 1 5 permit
filter acl ace ethernet 1 5 ether-type eq ip
filter acl ace ip 1 5 src-ip mask 1.2.3.4 0.0.0.3
filter acl ace 1 5 enable

Deny Telnet traffic

  • Use action deny.

  • Configure the protocol as TCP and the TCP destination port to be 23.

filter acl ace 1 5 name "Deny_telnet"
filter acl ace action 1 5 deny
filter acl ace ethernet 1 5 ethertype eq ip
filter acl ace ip 1 5 ip-protocol-type eq tcp
filter acl ace protocol 1 5 dst-port eq 23
filter acl ace 1 5 enable

Deny FTP traffic

  • Use action deny.

  • Configure the protocol as TCP and the TCP destination port to be 21.

filter acl ace 1 5 name "Deny_ftp"
filter acl ace action 1 5 deny
filter acl ace ethernet 1 5 ethertype eq ip
filter acl ace ip 1 5 ip-protocoltype eq tcp
filter acl ace protocol 1 5 dst-port eq 21
filter acl ace 1 5 enable