Configuring an access control list

Use an access control list (ACL) to specify an ordered list of access control entries (ACE), or filter rules. The ACEs provide specific actions for the filter to perform.

About this task

Do not configure IPv4 egress ACL filters on NNI ports because the system-generated egress vIST filter rules and the user-created IPv4 egress rules use the same filter hardware.

To modify an ACL parameter, double-click the parameter you wish to change. Change the value, and then click Apply. You cannot change a parameter that the system displays it dimmed; in this case, delete the ACL, and then configure a new one.

Procedure

In the navigation pane, expand the Configuration > Security > Data Path folders.
Click Advanced Filters (ACE/ACLs).
Click the ACL tab.
Click Insert.
In the AclId field, type an ACL ID, or accept the default value .
In Type, specify the type of ACL.
In the Name field, specify a name for the ACL.
Perform one of the following if the ACL is VLAN-based or port-based:
1. If the ACL is VLAN-based, click the VlanList ellipsis, and then choose a VLAN list.
2. If the ACL is port-based, click the PortList ellipsis, and then choose a port list.
Select the desired ports, and then click Ok.
Configure the DefaultAction.
Configure the ControlPktAction.

Note

There is no control packet action support for the InVSN Filter. Control packets go to the CPU after termination.
Enable or disable the State, as required.
In the PktType field, select the packet type to create either IPv4 or IPv6 ACLs.
If the ACL type is inVsn, do the following:
1. In the MatchType field, select the match type to associate with the ACL that the traffic is ingressing on.
2. In the Isid field, enter the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN) or enter 0 for IP shortcut.
Configure the remaining fields, as appropriate.
Click Insert.
To delete an ACL, select the ACL, and then click Delete.

ACL field descriptions

Use the data in the following table to use the ACL tab.


Name	Description
AclId	Specifies a unique identifier for the ACL.
Type	Specifies the ACL type. Valid options are inVlan inPort outPort inVsn Important: The inVlan ACLs drop packets if you add a VLAN after ACE creation. Important: You can insert an inVsn ACL type for a Switched UNI only if the Switched UNI I-SID is associated with a platform VLAN.
Name	Specifies a descriptive user-defined name for the ACL.
VlanList	For inVlan ACL types, specifies all VLANs to associate with the ACL.
PortList	For inPort and outPort ACL types, specifies the ports to associate with the ACL.
DefaultAction	Specifies the action taken when no ACEs in the ACL match. Valid options are deny and permit, with permit as the default. Deny means the system drops the packets; permit means the system forwards packets.
ControlPktAction	Specifies the action taken for control packets. Valid options are deny and permit.
State	Enables or disables all of the ACEs in the ACL. The default value is enable.
PktType	Indicates the packet type to which this ACL applies.
MirrorMltId	Configures mirroring to a destination MLT.
MirrorDstPortList	Configures mirroring to a destination port or ports.
MatchType	For inVsn ACL types, specifies the match type to associate with the ACL. Valid options are: both for traffic ingressing on both UNI ports and NNI ports terminating on this node terminatingNNIOnly for traffic ingressing on NNI ports only and terminating on this node uniOnly for traffic ingressing on UNI ports only The default value is both
Isid	For inVsn ACL types, specifies the I-SID associated with the customer VLAN (Layer 2 VSN) or the customer VRF (Layer 3 VSN). This I-SID should already be configured on the fabric node. The InVSN Filter supports IP Shortcut traffic if the inVsn ACL match type is both. In this case, the I-SID is zero (0). Important: You can specify a Switched UNI I-SID if the I-SID is associated with a platform VLAN.
Origin	Indicates the origin of the ACL: config - ACL created by the user. eap - ACL created by Extensible Authentication Protocol (EAP) through Remote Authentication Dial-In User Service (RADIUS) response.
DefaultSvcRate Note: Exception: Only supported on VSP 4900 Series, VSP 7400 Series, 5520 Series, and 5420 Series.	Specifies the service rate limit in kbps {8-4000000000}.The granularity is 8 kbps.
DefaultPeakRate Note: Exception: Only supported on VSP 4900 Series, VSP 7400 Series, 5520 Series, and 5420 Series.	Specifies the value when exceeded causes packets to drop on ingress. Peak rate limit in kbps {8-4000000000}.The granularity is 8 kbps.