Access lists control access to the managed network using a set of rules, also known as Access Control Entries (ACEs). Each rule specifies an action taken when a packet matches that rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed. A set of deny and/or permit rules based on IP (IPv4 and IPv6) addresses constitutes an IP ACL (Access Control List). Similarly, a set of deny and/or permit rules based on MAC addresses constitutes a MAC ACL.
Within a managed network, IP ACLs are used as firewalls to filter packets and also to mark packets. IP-based firewall rules are specific to the source and destination IP addresses and have unique precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying an IP ACL. With either IPv4 or IPv6, create access rules for traffic entering a controller, service platform, or access point interface: if specific packet types are to be denied, deny them before the controller, service platform, or access point spends time processing them, since access rules are given priority over other types of firewall rules.
MAC ACLs are firewalls that filter or mark packets based on the MAC address from which they arrive, as opposed to filtering packets on layer 2 ports. Optionally, filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation for controller managed packet traffic.
Once defined, an IP and/or MAC ACL (consisting of a set of firewall rules) must be applied to an interface to be a functional filtering tool.
Firewall supported devices (access points, wireless controllers, and service platforms) process firewall rules (within an IP/MAC ACL) sequentially, in ascending order of their precedence value. When a packet matches a rule, the firewall applies the action specified in the rule to determine whether the traffic is allowed or denied. Once a match is made, the firewall does not process subsequent rules in the ACL.
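The first-match, ascending-precedence behaviour described above, as an added example in Python that is not WiNG product code or part of this guide: a small model of an IP ACL with a constructed guest-WLAN rule set. It shows why rule order matters (a permit placed before a deny lets traffic through), how overwriting a precedence value silently replaces a rule whereas inserting shifts the existing rules up, and how to find a rule that can never fire because an earlier rule already covers everything it matches. The rule fields, the overwrite-versus-insert behaviour and the default action applied to traffic that matches no rule are assumptions of the model, not statements taken from this page.

```python
"""Model of sequential, precedence-ordered ACL evaluation (added example, not product code).

Rules are kept by precedence value and evaluated in ascending order; the first
matching rule decides the packet and no later rule is consulted. The rule fields,
the overwrite-vs-insert behaviour and the default action for traffic that matches
no rule are assumptions of this model, not taken from the guide.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    precedence: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any IP protocol; otherwise "tcp", "udp", "icmp"
    src: str                     # CIDR prefix or "any"
    dst: str                     # CIDR prefix or "any"
    dport: Optional[int] = None  # destination port; None means any port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that matches b also matches a (a's match set is a superset of b's)."""
    if a.proto != "ip" and a.proto != b.proto:
        return False
    for a_net, b_net in ((a.src, b.src), (a.dst, b.dst)):
        if a_net == "any":
            continue
        if b_net == "any" or not ip_network(b_net).subnet_of(ip_network(a_net)):
            return False
    if a.dport is not None and a.dport != b.dport:
        return False
    return True


class IpAcl:
    def __init__(self, name: str, default_action: str = "deny") -> None:
        self.name = name
        self.default_action = default_action  # assumed behaviour for unmatched traffic
        self.rules: Dict[int, Rule] = {}

    def add(self, rule: Rule, insert: bool = False) -> None:
        """Add a rule. Without insert=True an existing rule at the same precedence is
        silently overwritten; with insert=True the rules at or above that precedence are
        shifted up by one so nothing is lost (modelled on the CLI 'insert' keyword)."""
        if insert and rule.precedence in self.rules:
            for p in sorted((p for p in self.rules if p >= rule.precedence), reverse=True):
                moved = self.rules.pop(p)
                moved.precedence = p + 1
                self.rules[p + 1] = moved
        self.rules[rule.precedence] = rule

    def evaluate(self, proto: str, src: str, dst: str,
                 dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
        """Return (action, precedence of the deciding rule); precedence is None on the default."""
        for p in sorted(self.rules):
            if self.rules[p].matches(proto, src, dst, dport):
                return self.rules[p].action, p
        return self.default_action, None

    def shadowed(self) -> List[int]:
        """Precedence values of rules that can never fire because an earlier rule covers them."""
        ordered = [self.rules[p] for p in sorted(self.rules)]
        return [b.precedence for i, b in enumerate(ordered)
                if any(covers(a, b) for a in ordered[:i])]


def build_example_acl() -> IpAcl:
    """Constructed guest-WLAN policy: internal DNS only, HTTPS anywhere, keep guests off 10/8."""
    acl = IpAcl("GUEST-IN")
    acl.add(Rule(10, "permit", "udp", "any", "10.0.0.53/32", 53))
    acl.add(Rule(20, "permit", "tcp", "any", "any", 443))
    acl.add(Rule(30, "deny", "ip", "any", "10.0.0.0/8"))
    acl.add(Rule(40, "permit", "ip", "any", "any"))
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    # Rule 20 is evaluated before the deny in rule 30, so HTTPS to an internal host gets through.
    print(acl.evaluate("tcp", "192.168.10.5", "10.0.0.20", 443))  # ('permit', 20)
    # Close the gap with insert so the old rule 20 becomes 21 instead of being overwritten.
    acl.add(Rule(20, "deny", "tcp", "any", "10.0.0.0/8", 443), insert=True)
    print(sorted(acl.rules))                                        # [10, 20, 21, 31, 41]
    print(acl.evaluate("tcp", "192.168.10.5", "10.0.0.20", 443))  # ('deny', 20)
    # A deny placed after the catch-all permit is dead; shadowed() reports it.
    acl.add(Rule(50, "deny", "tcp", "any", "any", 23))
    print(acl.shadowed())                                           # [50]
```

The shadow check is the one to run before applying a policy: a deny that sits behind a broader permit never drops anything, and because the firewall stops at the first match, no amount of testing from the client side will reveal it unless the covered packet type is tried explicitly.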
The WiNG software enables the configuration of IP SNMP ACLs. These ACLs control access by combining IP ACLs with SNMP server community strings.
The following ACLs are supported:
Use the ip, ipv6, mac and ex3500 access-list commands in global configuration mode to create an access list.
Use the (config) instance to configure a new ACL or modify an existing ACL. To navigate to the (config-access-list) instance, use the following commands:
<DEVICE>(config)#ip access-list <IP-ACCESS-LIST-NAME>
<DEVICE>(config)#mac access-list <MAC-ACCESS-LIST-NAME>
<DEVICE>(config)#ipv6 access-list <IPv6-ACCESS-LIST-NAME>
<DEVICE>(config)#ip snmp-access-list <SNMP-ACCESS-LIST-NAME>
<DEVICE>(config)#ex3500-ext-access-list <EX3500-EXT-ACCESS-LIST-NAME>
<DEVICE>(config)#ex3500-std-access-list <EX3500-STD-ACCESS-LIST-NAME>
Note
If creating a new ACL policy, provide a name that uniquely identifies its purpose. The name cannot exceed 32 characters.
IPv4 Access List
nx9500-6C8809(config)#ip access-list IPv4ACL
nx9500-6C8809(config-ip-acl-IPv4ACL)#?
ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  insert   Insert this rule (instead of overwriting a existing rule)
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

nx9500-6C8809(config-ip-acl-IPv4ACL)#
IPv6 Access List
nx9500-6C8809(config)#ipv6 access-list IPv6ACL
nx9500-6C8809(config-ipv6-acl-IPv6ACL)#?
IPv6 Access Control Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

nx9500-6C8809(config-ipv6-acl-IPv6ACL)#
MAC Access List
nx9500-6C8809(config)#mac access-list MACAcl
nx9500-6C8809(config-mac-acl-MACAcl)#?
MAC Extended ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  ex3500   Ex3500 device
  insert   Insert this rule (instead of overwriting a existing rule)
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

nx9500-6C8809(config-mac-acl-MACAcl)#
SNMP Access List
nx9500-6C8809(config)#ip snmp-access-list SNMPAcl
nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#?
SNMP ACL Configuration commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

nx9500-6C8809(config-ip-snmp-acl-SNMPAcl)#
The WiNG NOC controller can also adopt and manage EX3500 series switches. These are Gigabit Ethernet layer 2 switches with either 24 or 48 10/100/1000BASE-T ports and four Small Form-factor Pluggable (SFP) transceiver slots for fiber connectivity. Once a switch is adopted by the NOC, ACLs defined specifically for the EX3500 can be used to allow or deny specific clients access through it.
The following EX3500 ACLs are supported:
Note
The input parameter <HOSTNAME>, wherever it appears in command syntax throughout this chapter, cannot include an underscore (_) character. In other words, a device name cannot contain an underscore.