Access control entries

Table 1. Access Control Entry product support
Feature	Product	Release introduced
Platform specific considerations for ACL and ACE behavior are documented in ACL Filters Behavior Differences, which is in VOSS User Guide.
QoS Access Control Entries (ACE)	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.2.5
	VSP 4450 Series	VSP 4000 4.0
	VSP 4900 Series	VOSS 8.1
	VSP 7200 Series	VOSS 4.2.1
	VSP 7400 Series	VOSS 8.0
	VSP 8200 Series	VSP 8200 4.0
	VSP 8400 Series	VOSS 4.2
	VSP 8600 Series	VSP 8600 6.2
	XA1400 Series	VOSS 8.0.50
Security ACEs	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.2.5
	VSP 4450 Series	VSP 4000 4.0
	VSP 4900 Series	VOSS 8.1
	VSP 7200 Series	VOSS 4.2.1
	VSP 7400 Series	VOSS 8.0
	VSP 8200 Series	VSP 8200 4.0
	VSP 8400 Series	VOSS 4.2
	VSP 8600 Series	VSP 8600 4.5
	XA1400 Series	VOSS 8.0.50
Filter enhancement - Apply ACE to Routed Packets only	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.4
	VSP 4450 Series	VOSS 8.4
	VSP 4900 Series	VOSS 8.4
	VSP 7200 Series	VOSS 8.4
	VSP 7400 Series	VOSS 8.4
	VSP 8200 Series	VOSS 8.4
	VSP 8400 Series	VOSS 8.4
	VSP 8600 Series	Not Supported
	XA1400 Series	Not Supported
Policy Based Routing (redirect-next-hop)	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.2.5
	VSP 4450 Series	VSP 4450 3.0
	VSP 4900 Series	VOSS 8.1
	VSP 7200 Series	VOSS 4.2.1
	VSP 7400 Series	VOSS 8.0
	VSP 8200 Series	VSP 8200 4.0
	VSP 8400 Series	VOSS 4.2
	VSP 8600 Series	VSP 8600 4.5
	XA1400 Series	VOSS 8.0.50
Policy Based Routing (redirect-next-hop) with VRF support	5420 Series	VOSS 8.4
	5520 Series	VOSS 8.2.5
	VSP 4450 Series	VOSS 6.1
	VSP 4900 Series	VOSS 8.1
	VSP 7200 Series	VOSS 6.1
	VSP 7400 Series	VOSS 8.0
	VSP 8200 Series	VOSS 6.1
	VSP 8400 Series	VOSS 6.1
	VSP 8600 Series	VSP 8600 8.0 demonstration feature
	XA1400 Series	Not Supported

The switch filter rules are defined using Access Control Entries (ACE). An ACE is an ordered set of filter rules contained in an Access Control List (ACL). ACE rules are divided into the following three components:

Operators
Attributes
Actions

An ACE generally operates on fields in a packet. If a packet field matches an ACE rule, the system executes the action specified. As each packet enters through an interface with an associated ACL, the system scans the ACE list configured on that ACL and matches on the packet fields. If multiple ACE rules are associated with the ACL, the lower ACE ID will have a higher precedence.

Operators

ACEs use operators to match on packet fields. The switch supports the following operators:

Equal-to

This rule operator looks for an exact match with the field defined. If the field matches exactly with the rule, the system will return a match (hit). If the rule does not match, the search continues and at the end of the search a miss is returned.
Mask

ACL-based filters provide the mask operator to match on Layer 2, Layer 3, and Layer 4 packet fields. The mask operator is used to mask bits in packet fields during a search or to match on a partial value of a packet field. This section provides examples of the mask operator.

If a mask bit is set to 1, it means it is not part of the match criteria (treated as do not care), and a mask bit of 0 means that the value represented is part of the match criteria. You can use the mask operator for the following attributes:
- source MAC address
- destination MAC address
- VLAN ID
- Dot1p
- IPv4/IPv6 source address
- IPv4/IPv6 destination address
- destination IP address
- DSCP
- Layer 4 source port
- Layer 4 destination port
- TCP flags
Note

MAC Address cannot be configured as attributes for IPv6 filters.

The syntax for ACL and ACE configuration of a mask is similar to the use of equal operator, except that you provide the mask value. You can specify a mask value (number) to represent the bits to mask in the attribute. You can define a mask in different ways depending on the attribute you need to mask:

If you use a decimal number for an IP address mask, it specifies the most significant bits of the provided IP address to match on. For example, a mask of 24 used with an IP address is the same as a mask of 0.0.0.255, and a mask of 8 used with an IP address is the same as a mask of 0.255.255.255.
If you use a decimal number for a MAC address mask, it specifies the least significant bits of the provided MAC address to ignore. For example, a mask of 32 used with a MAC address is the same as a mask of 0x0000ffffffff, and a mask of 16 used with a MAC address is the same as a mask of 0x00000000ffff.

Note

Unlike the standard convention, for ACL filter configuration, a mask bit value of '1' specifies a do-not-care bit, and value of '0' signifies must-match bit.

The following table explains the mask operator for MAC addresses.

Table 2. Mask operator for MAC address
Rule	Result
filter acl ace ethernet 10 10 dst-mac mask 01:00:5e:00:00:01 0x000000FFFFFF	The rule matches only on the most significant 24 bits as they are not masked, for example, 01:00:5e, and does not care about the least significant 24 bits because they are masked; the least significant 24 bits can have a value of 00:00:00 - FF:FF:FF.
filter acl ace ethernet 10 10 dst-mac mask 0x01:00:5e:00:00:01 0xFFFFFFFF0000	The rule matches only on the least significant 16 bits because they are not masked, for example, 00:01, and does not care about the most significant 32 bits because they are masked; the most significant 32 bits can have a value of 00:00:00:00 – FF:FF:FF:FF.
filter acl ace ethernet 10 10 dst-mac mask 0x01:00:5e:00:00:01 0xFF00FF0000FF	The rule matches only on the unmasked bits, for example, 0xXX:00:XX:00:00:XX. The rule matches only on the bits not masked, for example, all the zeroes and the x represents a do not care (0xXX:00:XX:00:00:XX)

The following table explains the mask operator for IP addresses.

Table 3. Mask operator for IP address
Rule	Result
filter acl ace ip 10 10 src-ip mask 2.10.10.12 0.255.255.255	The rule matches only the most significant 8 bits, and does not care about the value of the remaining 24 bits as they are considered masked. For example, 10.10.12. Packets with a source IP address of 2.15.16.122 or 2.3.4.5 match on the filter rule while packets with a source IP address of 3.10.10.12 and 4.10.10.12 do not match on the filter rule.
filter acl ace ip 10 10 src-ip mask 3.4.5.6 255.255.255.0	The rule matches only the least significant 8 bits, for example, 6, and does not case about the most significant 24 bits, 3.4.5. Packets with a source IP address of 17.16.5.6 or 192.168.1.6 match on the filter rule while packets with a source IP address of 3.4.5.4 or 3.4.5.7 do not match on the filter rule.

The following table explains the mask operator for Layer 4 source port.

Table 4. Mask operator for Layer 4 source port
Rule	Result
filter acl ace protocol 10 10 src-port mask 80 0xF	The filter rule matches on Layer 4 source port 80 (1010000). The mask value 0xF (1111) masks the least significant 4 bits, which means source port 81 (1010001) through 95 (1011111) also match this filter rule. This means the range 80–95 is a match on this rule.

The following table demonstrates the resulting action based on mask configuration and example packets.

Table 5. Mask operator configuration examples
Filter configuration	Address examples that match the filter	Address examples that do not match the filter
Ethernet mask: filter acl 1000 type inport filter acl port 1000 6/5,9/11 filter acl ace 1000 12 filter acl ace ethernet 1000 12 src-mac mask 00:00:11:11:16:00 0x00ff000000f0 filter acl ace action 1000 12 permit count filter acl ace 1000 12 enable	Source MAC: 00:01:11:11:16:10 00:10:11:11:16:f0 00:1f:11:11:16:10 00:ff:11:11:16:f0 00:00:11:11:16:60 00:e6:11:11:16:e0	Source MAC: 00:00:11:11:16:01 00:ff:11:11:16:f1
filter acl ace 1000 1000 filter acl ace ethernet 1000 1000 dst-mac mask 00:00:00:64:16:00 0x00000060001f filter acl ace action 1000 1000 deny count filter acl ace 1000 1000 enable	Destination MAC: 00:00:00:64:16:01 00:00:00:04:16:01 00:00:00:24:16:1f 00:00:00:64:16:1f 00:00:00:44:16:10 00:00:00:04:16:05	Destination MAC: 00:00:00:24:16:20 00:00:00:64:16:20 00:00:00:63:16:01 00:00:00:65:16:01
IP mask (dotted decimal notation): filter acl 10 type outport filter acl port 10 5/13 filter acl ace 10 11 filter acl ace ethernet 10 11 ether-type eq ip filter acl ace ip 10 11 src-ip mask 192.168.4.0 0.0.0.31 filter acl ace action 10 11 permit count filter acl ace 10 11 enable	Source IP: 192.168.4.1 192.168.4.10 192.168.4.30 192.168.4.31	Source IP: 192.168.3.1 192.168.4.32
filter acl ace 10 12 filter acl ace ethernet 10 12 ether-type eq ip filter acl ace ip 10 12 dst-ip mask 192.168.7.0 0.0.0.3 filter acl ace action 10 12 deny count filter acl ace 10 12 enable	Destination IP: 192.168.7.1 192.168.7.3	Destination IP: 192.168.7.4 192.168.7.5
IP mask (decimal notation): filter acl 10 type outport filter acl port 10 5/13 filter acl ace 10 11 filter acl ace ethernet 10 11 ether-type eq ip filter acl ace ip 10 11 src-ip mask 192.168.4.0 255.255.255.31 filter acl ace action 10 11 permit count filter acl ace 10 11 enable	Source IP: 192.168.4.1 192.168.4.10 192.168.4.30 192.168.4.31	Source IP: 192.168.3.1 192.168.4.32
filter acl ace 10 12 filter acl ace ethernet 10 12 ether-type eq ip filter acl ace ip 10 12 dst-ip mask 192.168.7.0 255.255.255.3 filter acl ace action 10 12 deny count filter acl ace 10 12 enable	Destination IP: 192.168.7.1 192.168.7.3	Destination IP: 192.168.7.4 192.168.7.5
Protocol mask: filter acl 901 type inport filter acl port 901 6/2 filter acl ace 901 1 filter acl ace ip 901 1 ip-protocol-type eq tcp filter acl ace protocol 901 1 src-port mask 256 0xff filter acl ace action 901 1 deny count filter acl ace 901 1 enable This mask implies packets with TCP source port 256–511 match the filter, while 0–255 and > 511 miss the filter.	TCP source port 256 TCP source port 356 TCP source port 511	TCP source port 255 TCP source port 512

Attributes

Attributes are fields in a packet (Layer 2, Layer 3, Layer 4) or other information related to the packet on which an ACE rule is applied like slot/port. The list of all the attributes and the operators that could be applied on them are listed below.

If you want to configure IPv6 attributes, you must configure an ACL to filter either IPv6 or non-IPv6 traffic. You can only configure IPv6 attributes for IPv6 packets. You cannot configure IPv6 attributes for non-IPv6 packets.

Table 6. Attribute list
Attribute Name	Operator
Slot/Port	Equal
Destination MAC (IPv4 filters only)	Equal, Mask
Source MAC (IPv4 filters only)	Equal, Mask
VLAN ID	Equal, Mask
.1p bits	Equal, Mask
Ether Type	Equal
ARP Opcode	Equal
Source IP	Equal, Mask
Destination IP	Equal, Mask
Protocol Type	Equal
Type of Service	Equal, Mask
IP Fragmentation	Equal
IP Options	Equal
Layer 4 Destination Port	Equal, Mask
Layer 4 Source Port	Equal, Mask
TCP Flags	Equal, Mask
ICMP Message Type	Equal
Source IPv6 (IPv6 only)	Equal, Mask
Destination IPv6 (IPv6 only)	Equal, Mask
Next header (IPv6 only)	Equal
Traffic class (IPv6 only)	Equal
Routed only	Equal

Actions

Actions occur when the filter rule is hit or missed. The types of actions that the filter configuration can execute are split into two categories:

security actions supported by the ACE IDs.
QoS actions supported by the ACE IDs.
Note
- Ingress ACLs support security and QoS ACE actions. Egress ACLs do not support QoS ACEs.

Filter rules that support Security actions and QoS actions are stored separately. If an ACL filter is applied to a traffic flow, the switch performs a parallel search on both Security and QoS ACE lists, which results in distinct and non-conflicting actions.

Note

The ACE ID range for both security and QoS actions is different for different hardware platforms. Parallel search is not supported on all hardware platforms. For more information, see ACL Filters Behavior Differences.

The following tables show the supported switch actions:

Table 7. Security ACE Actions
Security ACE Actions	User supplied parameters	Comments
mode	Permit or Deny	Applies to both Ingress and Egress ACLs.
redirect-next-hop	IP address, Mode	Redirects the packet to the user supplied IP address. If the switch cannot resolve ARP for the user-specified next-hop, packets that match the filter are dropped. Note: The filter does not redirect packets with a time-to-live (TTL) of 1 nor does it send them to the CPU where the CPU would generate ICMP TTL expired messages. IP Traceroute reports a timeout for the hop. Note: The filter with policer only redirects the traffic that passes the policer. For instance, if the stream is 100 Mbps and the policer peak rate is 50 Mbps, only 50 Mbps is redirected. Applies to ingress IPv4 ACLs only (routed and Layer 2).
count	None	Collect ACE statistics. Applies to Ingress and Egress ACLs.
monitor-dst-mlt	mlt-id	Applies to Ingress ACLs only.
monitor-dst-ports	Port	Applies to Ingress ACLs only.
monitor I-SID offset	None	The actual monitor I-SID value to which packets are mirrored. Note: This action is not supported on all hardware platforms.

Table 8. QoS ACE Actions
QoS ACE Actions	User supplied parameters	Comments
remark-dscp remark-dot1p internal-qos	DCSP dot1p (ingress only) Internal-qos	Applies to Ingress ACLs. Note: remark-dot1p and internal-qos do not apply to IPv6 filtering. Each QoS action has its own user-supplied parameters. Note: Some hardware platforms do not support remark-dot1p and supports remark-DSCP for Layer 3 routed packets only.
count	None	Applies to Ingress and Egress ACLs.

When you configure an IPv6 ACL with an ACE action of remark DSCP for a mirrored packet, the mirrored copy does not include the remark DSCP value. Because of port-mirroring functionality on VSP 7400 Series, 5520 Series, 5420 Series, VSP 8400 Series, and VSP 4900 Series, the mirrored copy does not reflect the changes that occur in the switch to the outgoing packet. As a result, the mirrored copy is not identical to the outgoing packet. For more information, see Port Mirroring.

Internal QoS Level and Remarking

Setting the internal QoS level is an ingress action. Remarking is an egress action.

The internal-qos action assigns a new value to the packet internal-qos. It determines the packet egress queue, outgoing packet dot1p value and egress-DSCP value.

The remark-dot1p action assigns a new dot1p value to the outgoing packet.The remark-DSCP action assigns a new DSCP value to the outgoing packet.

If a packet is filtered by a rule set to internal-qos action only, then the packet internal qos, egress queue, egress dot1p and egress DSCP will be derived from the filter internal-qos value.

If a packet is filtered by a rule set to remark-dot1p only or remark-DSCP only or both remark actions, then the packet will be remarked with the new dot1p or DSCP, or both. However, these remarked values will not have any impact on the interal-qos packet. It will be based on the native packet coming into the switch.

If a packet is filtered by a rule set with all three qos actions, then the internal-qos will determine the egress queue, but the remark-dot1p determines the egress dot1p and the remark-DSCP determines the egress DSCP.

If you want to change the internal QoS for remarked incoming packets, you have to add the permit internal-qos command as shown in the following ACL filter example.

filter acl 10 type inPort name "ACL-CTI"
filter acl port 10 1/2-1/50 
filter acl ace 10 1302 name "CIFS-SCCM Source"
filter acl ace action 10 1302 permit remark-dscp phbaf11 remark-dot1p 1 count
filter acl ace action 10 1302 permit internal-qos 0
filter acl ace ethernet 10 1302 ether-type eq ip
filter acl ace ip 10 1302 src-ip mask 0.0.0.0 255.255.255.255
filter acl ace ip 10 1302 ip-protocol-type eq tcp
filter acl ace protocol 10 1302 src-port mask 0 0xffff

When a packet goes through the switch, the internal QoS level governs which queue the packet uses on egress. To verify which queue the packets are egressing on, use the show qos cosq-stats interface [value] command. For more information, see View Port Egress CoS Queue Statistics or Viewing port egress CoS queue statistics.

Conflict and Precedence

The switch supports both port-based and VLAN-based ACLs. A port can be associated with both Port-based ACL and a VLAN-based ACL, as shown in Access control lists. Within an ACL, a rule match can generate security actions and QoS actions. The system goes through a set of precedence levels to resolve any conflicting actions between port-based ACL and VLAN-based ACL lookup. The following table provides a list of search results and actions for all possible conflicts between port and VLAN-based ACLs and security and QoS ACE for each ACL.

Table 9. Conflict and Precedence resolution
Port-based ACL look up		Actions performed on Port-based ACL		If VLAN-based ACL is enabled		Actions performed on VLAN-based ACL search
Security	QoS	Security action	QoS action	Security	QoS	Security action	QoS action
Security ACE search is a Miss and ACL mode is Permit.	QoS ACE search is a Miss	Default security statistics collected	Default QoS statistics collected	Security ACE search is a Miss and mode is set to Permit	QoS ACE search is a Miss	Collect default Miss statistics	Collect default Miss statistics
				Security ACE search is a Miss and mode is set to Permit	QOS ACE search returns a Hit	Collect default Miss statistics	Execute configured ACE and default ACL actions
				Security ACE search is a Miss and mode is set to Deny	Search result is invalid, since security mode is set to Deny	Drop packet and collect default Miss statistics	No action is executed
				Security ACE search is a Hit and mode is set to Permit	QOS ACE search returns a Miss	Execute configured ACE and default ACL actions	Collect default Miss statistics
				Security ACE search is a Hit and mode is set to Permit	QoS ACE search is a Hit	Execute configured ACE and default ACL actions	Execute configured ACE and default ACL actions
				Security ACE search is a Hit and mode is set to Deny	QoS ACE search returns a Hit	Discard the packet and execute configured ACE and global actions	No action is executed
Security ACE is Miss and ACL mode is Deny	Search result is invalid since security mode is set to Deny	Discard the packet and collect default statistics	No action is executed	VLAN-based ACL is not configured	VLAN-based ACL is not configured	No action is executed	No action is executed
Security ACE search is a Miss and ACL mode is set to Permit	QoS ACE search is a Hit	Default search statistics collected	Execute configured ACE and default ACL actions	Security ACE search is a Miss and mode is set to Permit	Port-based ACL's QoS action take precedence. QoS search result invalid.	Collect default Miss statistics	No action is executed
				Security ACE search is a Miss and mode is set to Deny	Port-based ACL's QoS action take precedence. QoS search result invalid.	Drop packet and collect default Miss statistics	No action is executed
				Security ACE search is a Hit and mode is set to Permit	Port-based ACL's QoS action take precedence. QoS search result invalid.	Execute configured ACE and default ACL actions	No action is executed
				Security ACE search is a Hit and mode is set to Deny	Port-based ACL's QoS action take precedence. QoS search result invalid.	Discard the packet and execute configured ACE and global Actions	No action is executed
Security ACE search is a Hit and ACE mode is Permit	QoS ACE search is a Miss	Execute configured ACE and default ACL actions	Collect default Miss statistics	Port-based ACL‘s Security action take precedence. Security search result invalid	QoS ACE search returns a Miss	No action is executed	Collect default Miss statistics
Security ACE search is a Hit and ACE mode is Permit	QoS ACE search is a Miss	Execute configured ACE and default ACL actions	Collect default Miss statistics	Port-based ACL‘s Security action take precedence. Security search result invalid.	QoS ACE search returns a Hit	No action is executed	Execute configured ACE and default ACL actions
Security ACE search is a Hit and ACE mode is Permit	QoS ACE search is a Hit	Execute configured ACE and default ACL actions	Execute configured ACE and default ACL actions.	Port-based ACL‘s Security action take precedence. Security search result invalid	Port-based ACL‘s QoS action take precedence. QoS search result invalid.	No action is executed	No action is executed
Security ACE search is a Hit and ACE mode is Deny	Search result is invalid since Security mode is set to Deny	Discard the packet and collect default statistics	No action is executed	Port-based ACL‘s Security action take precedence. Security search result invalid	Port-based ACL‘s QoS action take precedence. QoS search result invalid.	No action is executed	No action is executed

Common ACE uses and configuration

The following table describes configurations you can use to perform common actions.

Table 10. Common ACE uses and configurations
Function	ACE configuration
Permit a specific host to access the network	Use action permit. Configure the source IP address to be the host IP address. filter acl ace 1 5 name "Permit_access_to_198.51.100.0" filter acl ace action 1 5 permit filter acl ace ethernet 1 5 ether-type eq ip filter acl ace ip 1 5 src-ip eq 198.51.100.0 filter acl ace 1 5 enable
Deny a specific host from accessing the network	Use action deny. Configure the source IP address to be the host IP address. filter acl ace 1 5 name "Deny_access_to_198.51.100.0" filter acl ace action 1 5 deny filter acl ace ethernet 1 5 ether-type eq ip filter acl ace ip 1 5 src-ip eq 198.51.100.0 filter acl ace 1 5 enable
Permit a specific range of hosts to access the network	Use action permit. Configure the source IP address to be the range of host IP addresses. filter acl ace 1 5 name "Permit_access_to_1.2.3.4-1.2.3.7" filter acl ace action 1 5 permit filter acl ace ethernet 1 5 ether-type eq ip filter acl ace ip 1 5 src-ip mask 1.2.3.4 0.0.0.3 filter acl ace 1 5 enable
Deny Telnet traffic	Use action deny. Configure the protocol as TCP and the TCP destination port to be 23. filter acl ace 1 5 name "Deny_telnet" filter acl ace action 1 5 deny filter acl ace ethernet 1 5 ethertype eq ip filter acl ace ip 1 5 ip-protocol-type eq tcp filter acl ace protocol 1 5 dst-port eq 23 filter acl ace 1 5 enable
Deny FTP traffic	Use action deny. Configure the protocol as TCP and the TCP destination port to be 21. filter acl ace 1 5 name "Deny_ftp" filter acl ace action 1 5 deny filter acl ace ethernet 1 5 ethertype eq ip filter acl ace ip 1 5 ip-protocoltype eq tcp filter acl ace protocol 1 5 dst-port eq 21 filter acl ace 1 5 enable