Configuring an access control list

Use an access control list (ACL) to specify an ordered list of access control entries (ACE), or filter rules. The ACEs provide specific actions for the filter to perform.

About this task

Do not configure IPv4 egress ACL filters on NNI ports because the system-generated egress vIST filter rules and the user-created IPv4 egress rules use the same filter hardware.

To modify an ACL parameter, double-click the parameter you wish to change. Change the value, and then click Apply. You cannot change a parameter that the system displays dimmed; in this case, delete the ACL, and then configure a new one.

Procedure

  1. In the navigation pane, expand the Configuration > Security > Data Path folders.
  2. Click Advanced Filters (ACE/ACLs).
  3. Click the ACL tab.
  4. Click Insert.
  5. In the AclId field, type an ACL ID, or accept the default value.
  6. In Type, specify the type of ACL.
  7. In the Name field, specify a name for the ACL.
  8. Perform one of the following if the ACL is VLAN-based or port-based:
    1. If the ACL is VLAN-based, click the VlanList ellipsis, and then choose a VLAN list.
    2. If the ACL is port-based, click the PortList ellipsis, and then choose a port list.
  9. Select the desired ports, and then click Ok.
  10. Configure the DefaultAction.
  11. Configure the ControlPktAction.
    Note

    There is no control packet action support for the InVSN Filter. Control packets go to the CPU after termination.

  12. Enable or disable the State, as required.
  13. In the PktType field, select the packet type to create either IPv4 or IPv6 ACLs.
  14. If the ACL type is inVsn, do the following:
    1. In the MatchType field, select the match type to associate with the ACL that the traffic is ingressing on.
    2. In the Isid field, enter the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN) or enter 0 for IP shortcut.
  15. Configure the remaining fields, as appropriate.
  16. Click Insert.
  17. To delete an ACL, select the ACL, and then click Delete.

ACL field descriptions

Use the data in the following table to complete the fields on the ACL tab.

Name

Description

AclId

Specifies a unique identifier for the ACL.

Type

Specifies the ACL type. Valid options are:

  • inVlan

  • inPort

  • outPort

  • inVsn

Important:

The inVlan ACLs drop packets if you add a VLAN after ACE creation.

Important:

You can insert an inVsn ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN.

Name

Specifies a descriptive user-defined name for the ACL.

VlanList

For inVlan ACL types, specifies all VLANs to associate with the ACL.

PortList

For inPort and outPort ACL types, specifies the ports to associate with the ACL.

DefaultAction

Specifies the action taken when no ACEs in the ACL match. Valid options are deny and permit, with permit as the default. Deny means the system drops the packets; permit means the system forwards packets.

ControlPktAction

Specifies the action taken for control packets. Valid options are deny and permit.

State

Enables or disables all of the ACEs in the ACL. The default value is enable.

PktType

Indicates the packet type to which this ACL applies.

MirrorMltId

Configures mirroring to a destination MLT.

MirrorDstPortList

Configures mirroring to a destination port or ports.

MatchType

For inVsn ACL types, specifies the match type to associate with the ACL. Valid options are:
  • both for traffic ingressing on both UNI ports and NNI ports terminating on this node

  • terminatingNNIOnly for traffic ingressing on NNI ports only and terminating on this node

  • uniOnly for traffic ingressing on UNI ports only

The default value is both.

Isid

For inVsn ACL types, specifies the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN). This I-SID should already be configured on the fabric node.

The InVSN Filter supports IP Shortcut traffic if the inVsn ACL match type is both. In this case, the I-SID is zero (0).

Important:

You can specify a Switched UNI I-SID if the I-SID is associated with a platform VLAN.

Origin

Indicates the origin of the ACL:
  • config - ACL created by the user.
  • eap - ACL created by Extensible Authentication Protocol (EAP) through Remote Authentication Dial-In User Service (RADIUS) response.

DefaultSvcRate

Note:

Exception: Only supported on VSP 4900 Series, VSP 7400 Series, 5520 Series, and 5420 Series.

Specifies the service rate limit in kbps {8-4000000000}. The granularity is 8 kbps.

DefaultPeakRate

Note:

Exception: Only supported on VSP 4900 Series, VSP 7400 Series, 5520 Series, and 5420 Series.

Specifies the peak rate limit in kbps {8-4000000000}; when traffic exceeds this value, the system drops packets on ingress. The granularity is 8 kbps.
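The following is an added example, not code from this documentation or from the switch software. It models the ACL fields described above (Type, VlanList, PortList, DefaultAction, State, MatchType, Isid, DefaultSvcRate) as a small Python object, checks the consistency rules the field descriptions state (a port-based ACL needs a PortList, an inVsn ACL with I-SID 0 only works with MatchType both, rate limits are 8-4000000000 kbps in 8 kbps steps), and then walks an ordered list of ACEs the way the page describes: the first matching ACE decides, and DefaultAction applies only when no ACE matches. The class and function names (Acl, Ace, validate, evaluate, build_example), the ACE match fields, and first-match ordering by ACE ID are assumptions made for the illustration; the page only states that the ACE list is ordered.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of the ACL fields on this page; hypothetical names, not the switch's API.
ACL_TYPES = {"inVlan", "inPort", "outPort", "inVsn"}
MATCH_TYPES = {"both", "terminatingNNIOnly", "uniOnly"}
RATE_MIN, RATE_MAX, RATE_STEP = 8, 4_000_000_000, 8  # kbps, per DefaultSvcRate/DefaultPeakRate


@dataclass
class Ace:
    ace_id: int
    action: str                      # "permit" or "deny"
    src_ip: Optional[str] = None     # None matches any source address (assumed match field)
    dst_port: Optional[int] = None   # None matches any destination port (assumed match field)

    def matches(self, pkt: dict) -> bool:
        if self.src_ip is not None and pkt.get("src_ip") != self.src_ip:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass
class Acl:
    acl_id: int
    acl_type: str
    name: str = ""
    vlan_list: List[int] = field(default_factory=list)
    port_list: List[str] = field(default_factory=list)
    default_action: str = "permit"   # page: permit is the default
    state: str = "enable"            # page: default is enable
    match_type: str = "both"         # inVsn only; page: default is both
    isid: Optional[int] = None       # inVsn only; 0 means IP Shortcut
    default_svc_rate: Optional[int] = None
    aces: List[Ace] = field(default_factory=list)

    def validate(self) -> List[str]:
        """Return the rule violations found (an empty list means the ACL is consistent)."""
        errors = []
        if self.acl_type not in ACL_TYPES:
            errors.append(f"unknown ACL type {self.acl_type!r}")
        if self.acl_type == "inVlan" and not self.vlan_list:
            errors.append("inVlan ACL needs a VlanList")
        if self.acl_type in ("inPort", "outPort") and not self.port_list:
            errors.append(f"{self.acl_type} ACL needs a PortList")
        if self.acl_type == "inVsn":
            if self.match_type not in MATCH_TYPES:
                errors.append(f"unknown MatchType {self.match_type!r}")
            if self.isid is None:
                errors.append("inVsn ACL needs an Isid")
            elif self.isid == 0 and self.match_type != "both":
                errors.append("IP Shortcut (Isid 0) is supported only with MatchType both")
        if self.default_action not in ("permit", "deny"):
            errors.append(f"DefaultAction must be permit or deny, got {self.default_action!r}")
        if self.default_svc_rate is not None:
            r = self.default_svc_rate
            if not (RATE_MIN <= r <= RATE_MAX) or r % RATE_STEP:
                errors.append(f"DefaultSvcRate {r} must be {RATE_MIN}-{RATE_MAX} kbps in steps of {RATE_STEP}")
        return errors

    def evaluate(self, pkt: dict) -> str:
        """Walk the ACEs in order; the first match decides, otherwise DefaultAction applies."""
        # State "disable" disables all ACEs (page); falling through to DefaultAction is an assumption.
        if self.state == "enable":
            for ace in sorted(self.aces, key=lambda a: a.ace_id):
                if ace.matches(pkt):
                    return ace.action
        return self.default_action


def build_example() -> Acl:
    """Constructed sample: a port-based ACL that denies one host, permits HTTPS, drops the rest."""
    return Acl(
        acl_id=1, acl_type="inPort", name="edge-in", port_list=["1/1", "1/2"],
        default_action="deny", default_svc_rate=1024,
        aces=[
            Ace(ace_id=1, action="deny", src_ip="10.0.0.5"),   # ordered before the permit
            Ace(ace_id=2, action="permit", dst_port=443),
        ],
    )


if __name__ == "__main__":
    acl = build_example()
    print("violations:", acl.validate())
    for pkt in ({"src_ip": "10.0.0.5", "dst_port": 443},
                {"src_ip": "10.0.0.9", "dst_port": 443},
                {"src_ip": "10.0.0.9", "dst_port": 80}):
        print(pkt, "->", acl.evaluate(pkt))
```

Because ACE 1 precedes ACE 2, HTTPS traffic from 10.0.0.5 is denied even though a later ACE would permit port 443; traffic that matches no ACE falls to DefaultAction, which is why a permit-by-default ACL silently passes anything the ACEs do not name.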