EX3500 ACL Extended

About this task

An extended ACL is comprised of access control entries (ACEs). Each ACE specifies a source and destination for matching and filtering traffic to the EX3500 switch.

An ACL affords a system administrator the ability to grant or restrict client access by specifying that traffic from a specific host or a specific network to either be denied or permitted.

IP based firewalls function like Access Control Lists (ACLs) to filter/mark packets, as opposed to filtering packets on layer 2 ports. IP firewalls implement uniquely defined access control policies, so if you do not have an idea of what kind of access to allow or deny, a firewall is of little value, and could provide a false sense of network security.

IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying an IP ACL. Firewall rules are processed by a firewall supported device from first to last. When a rule matches the network traffic a controller or service platform is processing, the firewall uses that rule's action to determine whether traffic is allowed or denied.

To configure an extended ACL on EX3500:

Procedure

  1. Select Configuration > Security > IP Firewall > EX3500 ACL Extended from the Web UI.
    Click to expand in new window
    EX3500 ACL Extended Screen
  2. Select Add to create a new ACL, Edit to modify the attributes of an existing ACL, or Delete to remove obsolete ACLs.
    Use Copy to create a copy of the selected ACL and modify it for further use. Use Rename to rename the selected ACL.
  3. Either use Add to create a new EX3500 Extended ACL, or select an existing ACL and click Edit to edit it.
    The following screen displays.
    Click to expand in new window
    EX3500 ACL Extended - Add/Edit Screen

    EX3500 extended ACL configurations can either be modified as a collective group of variables or selected and updated individually if their filtering attributes require a more refined update.

    1. Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively.
      Click to expand in new window
      EX3500 ACL Extended - Add/Edit - Add Criteria Screen
    2. Click the icon located at the top right-hand side of the screen and select the values as needed to add/hide criteria to the configuration of the extended ACL.
      Click to expand in new window
      EX3500 ACL Extended - Select Fields Screen
  4. Define the following Extended ACL rule settings as required:
    Precedence Specify or modify a precedence for this ACL between 1-128. Rules with lower precedence are always applied to packets first. If modifying a precedence to apply a higher integer, it will move down the table to reflect its lower priority.
    Action Every ACL rule is made up of matching criteria rules. The action defines the action to be performed if it matches the specified criteria. The following actions are supported:
    • Deny - Instructs the firewall to restrict a packet from proceeding to its destination.
    • Permit - Instructs the firewall to allow a packet to proceed to its destination.
    Source Use this drop-down menu to provide the source information. Source IP address can be one of Any, Host, or Network. When selecting Host provide the IP address of the host device. When selecting Network, provide the IP address of the network along with the mask.
    Destination Use this drop-down menu to provide the destination information. Destination IP address can be one of Any, Host or Network. When selecting Host provide the IP address of the host device. When selecting Network, provide the IP address of the network along with the mask.
    Protocol Set a service alias as a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Depending on the selected protocol, other fields might become visible and can be configured.
    Time Range Use the drop-down menu to configure a time range when this ACL is applicable. For more information on configuring time ranges, see EX3500 Time Range.
    DSCP Differentiated Services Code Point is a mechanism that specifies a simple mechanism for classifying and manage network traffic and provide a QoS mechanism. Use the spinner to select a value in the range 0-63. Use this value to classify and mark packets that match the criteria specified in this extended ACL rule.

    Either DSCP or IP Header Precedence can be configured. The two fields cannot be configured together.

    IP Header Precedence Use this field to set the precedence value in the IP Header. Use the spinner to select a value in the range 0-7. Use this value to classify and mark packets that match the criteria specified in this extended ACL rule.

    Either DSCP or IP Header Precedence can be configured. The two fields cannot be configured together.

  5. Select OK when completed to update the EX3500 Extended ACL.
    Select Reset to revert the screen to its last saved configuration.