Access Control List

This page shows the ACL (Access Control List), which is made up of the ACEs defined on this switch. Each row describes one defined ACE. The maximum number of ACEs is 256 on each switch.

Click the lowest plus sign to add a new ACE to the list. The reserved ACEs used for internal protocols cannot be edited or deleted, their position in the sequence cannot be changed, and they have the highest priority.

[Figure: Access Control List page, ../Graphics/config_security_network_acl_acl.png]
Object Description
Ingress Port Indicates the ingress port of the ACE. Possible values are:
  • All: The ACE will match all ingress ports.
  • Port: The ACE will match a specific ingress port.
Policy / Bitmask Indicates the policy number and bitmask of the ACE.
Frame Type Indicates the frame type of the ACE. Possible values are:
  • Any: The ACE will match any frame type.
  • EType: The ACE will match Ethernet Type frames. Note that IP and ARP frames do not match an Ethernet Type based ACE.
  • ARP: The ACE will match ARP/RARP frames.
  • IPv4: The ACE will match all IPv4 frames.
  • IPv4/ICMP (Internet Control Message Protocol): The ACE will match IPv4 frames with ICMP protocol.
  • IPv4/UDP: The ACE will match IPv4 frames with UDP protocol.
  • IPv4/TCP: The ACE will match IPv4 frames with TCP protocol.
  • IPv4/Other: The ACE will match IPv4 frames that are not ICMP, UDP or TCP.
  • IPv6: The ACE will match all IPv6 standard frames.
Action Indicates the forwarding action of the ACE.
  • Permit: Frames matching the ACE may be forwarded and learned.
  • Deny: Frames matching the ACE are dropped.
  • Filter: Frames matching the ACE are filtered.
Rate Limiter Indicates the rate limiter number of the ACE. Valid values are 1 – 16. When Disabled is displayed, the rate limiter operation is disabled.
Port Redirect Indicates the port redirect operation of the ACE. Frames matching the ACE are redirected to the port number. The allowed values are Disabled or a specific port number. When Disabled is displayed, the port redirect operation is disabled.
Mirror Specify the mirror operation of this port. Frames matching the ACE are mirrored to the destination mirror port. The allowed values are:
  • Enabled: Frames received on the port are mirrored.
  • Disabled: Frames received on the port are not mirrored.

The default value is Disabled.

Counter The counter indicates the number of times the ACE was hit by a frame.
Modification Buttons You can modify each ACE (Access Control Entry) in the table using the following buttons:
  • Add: Inserts a new ACE before the current row.
  • Edit: Edits the ACE row.
  • Up: Moves the ACE up the list.
  • Down: Moves the ACE down the list.
  • Delete: Deletes the ACE.
  • Add (lowest plus sign): Adds a new entry at the bottom of the ACE list.

Buttons
  • Auto-refresh: Refresh the page automatically every three seconds.
  • Refresh: Refresh the page immediately. Any non-committed changes will be lost.
  • Clear: Clear the counters or dynamic entries.
  • Remove All: Remove all entries.

The ACE Configuration page includes the following fields:

[Figure: ACE Configuration page, ../Graphics/config_security_network_acl_ace.png]
Object Description
Ingress Port Select the ingress port for which this ACE applies.
  • All: The ACE applies to all ports.
  • Port n: The ACE applies to this port number, where n is the number of the switch port.
Policy Filter Specify the policy number filter for this ACE.
  • Any: No policy filter is specified (policy filter status is “don't-care”).
  • Specific: If you want to filter a specific policy with this ACE, choose this value. Two fields for entering a policy value and bitmask appear.
Policy Value When Specific is selected for the policy filter, you can enter a specific policy value. The allowed range is 0 to 255.
Policy Bitmask When Specific is selected for the policy filter, you can enter a specific policy bitmask. The allowed range is 0x0 to 0xff. Note the bitmask semantics: a bitmask bit of “0” means that bit is “don't-care”. The pattern actually matched is [policy_value & policy_bitmask]. For example, if the policy value is 3 and the policy bitmask is 0x10 (bit 0 is the “don't-care” bit), then policies 2 and 3 are applied to this rule.
Frame Type Select the frame type for this ACE. These frame types are mutually exclusive.
  • Any: Any frame can match this ACE.
  • Ethernet Type: Only Ethernet Type frames can match this ACE. IEEE 802.3 specifies that a Length/Type field value greater than or equal to 1536 decimal (0x0600) is an Ethernet Type.
  • ARP: Only ARP frames can match this ACE. Note that ARP frames do not match an Ethernet Type ACE.
  • IPv4: Only IPv4 frames can match this ACE. Note that IPv4 frames do not match an Ethernet Type ACE.
  • IPv6: Only IPv6 frames can match this ACE. Note that IPv6 frames do not match an Ethernet Type ACE.
Action Specify the action to take with a frame that hits this ACE.
  • Permit: The frame that hits this ACE is granted permission for the ACE operation.
  • Deny: The frame that hits this ACE is dropped.
  • Filter: Frames matching the ACE are filtered.
Rate Limiter Specify the rate limiter in number of base units. Valid values are 1 – 16. Disabled indicates that the rate limiter operation is disabled.
Port Redirect Frames that hit the ACE are redirected to the port number specified here. The rate limiter will affect these ports. The allowed range is the same as the switch port number range. Disabled indicates that the port redirect operation is disabled; a specific Port Redirect port number cannot be set when the action is Permit.
Mirror Specify the mirror operation of this port. Frames matching the ACE are mirrored to the destination mirror port. The rate limiter will not affect frames on the mirror port.

Valid values are:

  • Enabled: Frames received on the port are mirrored.
  • Disabled: Frames received on the port are not mirrored.

The default value is Disabled.

Logging Specify the logging operation of the ACE. Note that the logged message does not include the 4-byte CRC. Valid values are:
  • Enabled: Frames matching the ACE are stored in the System Log.
  • Disabled: Frames matching the ACE are not logged.
Note: The logging feature only works when the packet length is less than 1518 (without VLAN (Virtual LAN) tags), and the System Log memory size and logging rate are limited.
Shutdown Specify the port shut down operation of the ACE. Valid values are:
  • Enabled: If a frame matches the ACE, the ingress port will be disabled.
  • Disabled: Port shut down is disabled for the ACE.
Note: The shutdown feature only works when the packet length is less than 1518 (without VLAN tags).
Counter The counter indicates the number of times the ACE was hit by a frame.
MAC Parameters
SMAC Filter (Only displayed when the frame type is Ethernet Type or ARP.) Specify the source MAC filter for this ACE.
  • Any: No SMAC filter is specified. (SMAC filter status is “don't-care”.)
  • Specific: If you want to filter a specific source MAC address with this ACE, choose this value. A field for entering an SMAC value appears.
SMAC Value When Specific is selected for the SMAC filter, you can enter a specific source MAC address. Valid format is “xx-xx-xx-xx-xx-xx” or “xx.xx.xx.xx.xx.xx” or “xxxxxxxxxxxx” (x is a hexadecimal digit). A frame that hits this ACE matches this SMAC value.
DMAC Filter Specify the destination MAC filter for this ACE.
  • Any: No DMAC filter is specified. (DMAC filter status is “don't-care”.)
  • MC: Frame must be multicast.
  • BC: Frame must be broadcast.
  • UC: Frame must be unicast.
  • Specific: If you want to filter a specific destination MAC address with this ACE, choose this value. A field for entering a DMAC value appears.
DMAC Value When Specific is selected for the DMAC filter, you can enter a specific destination MAC address. The legal format is “xx-xx-xx-xx-xx-xx” or “xx.xx.xx.xx.xx.xx” or “xxxxxxxxxxxx” (x is a hexadecimal digit). A frame that hits this ACE matches this DMAC value.
VLAN Parameters
802.1Q Tagged Specify whether frames can hit the action according to whether they carry an 802.1Q tag. The allowed values are:
  • Any: Any value is allowed (“don't-care”).
  • Enabled: Tagged frame only.
  • Disabled: Untagged frame only.

The default value is Any.

VLAN ID Filter Specify the VLAN ID filter for this ACE.
  • Any: No VLAN ID filter is specified. (VLAN ID filter status is “don't-care”.)
  • Specific: If you want to filter a specific VLAN ID with this ACE, choose this value. A field for entering a VLAN ID number appears.
VLAN ID When Specific is selected for the VLAN ID filter, you can enter a specific VLAN ID number. Valid values are 1 – 4095. A frame that hits this ACE matches this VLAN ID value.
Tag Priority Specify the tag priority for this ACE. A frame that hits this ACE matches this tag priority. Valid values are 0 – 7, or one of the ranges 0-1, 2-3, 4-5, 6-7, 0-3 and 4-7. The value Any means that no tag priority is specified (tag priority is “don't-care”).
ARP Parameters
ARP/RARP Specify the available ARP/RARP opcode (OP) flag for this ACE.
  • Any: No ARP/RARP OP flag is specified. (OP is “don't-care”.)
  • ARP: Frame must have ARP opcode set to ARP.
  • RARP: Frame must have RARP opcode set to RARP.
  • Other: Frame has unknown ARP/RARP Opcode flag.
Request/Reply Specify the available Request/Reply opcode (OP) flag for this ACE.
  • Any: No Request/Reply OP flag is specified. (OP is “don't-care”.)
  • Request: Frame must have ARP Request or RARP Request OP flag set.
  • Reply: Frame must have ARP Reply or RARP Reply OP flag set.
Sender IP Filter Specify the sender IP filter for this ACE.
  • Any: No sender IP filter is specified. (Sender IP filter is “don't-care”.)
  • Host: Sender IP filter is set to Host. Specify the sender IP address in the SIP Address field that appears.
  • Network: Sender IP filter is set to Network. Specify the sender IP address and sender IP mask in the SIP Address and SIP Mask fields that appear.
Sender IP Address When Host or Network is selected for the sender IP filter, you can enter a specific sender IP address in dotted decimal notation.
Sender IP Mask When Network is selected for the sender IP filter, you can enter a specific sender IP mask in dotted decimal notation.
Target IP Filter Specify the target IP filter for this specific ACE.
  • Any: No target IP filter is specified. (Target IP filter is “don't-care”.)
  • Host: Target IP filter is set to Host. Specify the target IP address in the Target IP Address field that appears.
  • Network: Target IP filter is set to Network. Specify the target IP address and target IP mask in the Target IP Address and Target IP Mask fields that appear.
Target IP Address When Host or Network is selected for the target IP filter, you can enter a specific target IP address in dotted decimal notation.
Target IP Mask When Network is selected for the target IP filter, you can enter a specific target IP mask in dotted decimal notation.
ARP Sender MAC Match Specify whether frames can hit the action according to their sender hardware address field (SHA) settings.
  • 0: ARP frames where SHA is not equal to the SMAC address.
  • 1: ARP frames where SHA is equal to the SMAC address.
  • Any: Any value is allowed (“don't-care”).
RARP Target MAC Match Specify whether frames can hit the action according to their target hardware address field (THA) settings.
  • 0: RARP frames where THA is not equal to the target MAC address.
  • 1: RARP frames where THA is equal to the target MAC address.
  • Any: Any value is allowed (“don't-care”).
IP/Ethernet Length Specify whether frames can hit the action according to their ARP/RARP hardware address length (HLN) and protocol address length (PLN) settings.
  • 0: ARP/RARP frames where the HLN is not equal to Ethernet (0x06) or the (PLN) is not equal to IPv4 (0x04).
  • 1: ARP/RARP frames where the HLN is equal to Ethernet (0x06) and the (PLN) is equal to IPv4 (0x04).
  • Any: Any value is allowed (“don't-care”).
IP Specify whether frames can hit the action according to their ARP/RARP hardware address space (HRD) settings.
  • 0: ARP/RARP frames where the HRD is not equal to Ethernet (1).
  • 1: ARP/RARP frames where the HRD is equal to Ethernet (1).
  • Any: Any value is allowed (“don't-care”).
Ethernet Specify whether frames can hit the action according to their ARP/RARP protocol address space (PRO) settings.
  • 0: ARP/RARP frames where the PRO is not equal to IP (0x800).
  • 1: ARP/RARP frames where the PRO is equal to IP (0x800).
  • Any: Any value is allowed (“don't-care”).
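The ARP Parameters above (opcode, SHA-versus-SMAC, HLN/PLN, HRD and PRO checks) as an added example, not the switch's own code: it parses a constructed Ethernet/ARP frame into the values each selector compares against and evaluates an ACE whose selectors are 0, 1 or Any. The ACE dict layout, `build_arp_frame` and the sample MACs are assumptions made for this example.

```python
import struct

ETH_ARP = 0x0806
# Opcode -> (ARP/RARP selector value, Request/Reply selector value)
ARP_OPCODES = {1: ("ARP", "Request"), 2: ("ARP", "Reply"),
               3: ("RARP", "Request"), 4: ("RARP", "Reply")}


def arp_match_fields(frame: bytes) -> dict:
    """Parse an untagged Ethernet/ARP frame and derive the values the ARP Parameters
    selectors compare against ("Any" is never produced here; it lives on the ACE side)."""
    if len(frame) < 14 + 28:
        raise ValueError("truncated Ethernet/ARP frame")
    if struct.unpack_from("!H", frame, 12)[0] != ETH_ARP:
        raise ValueError("not an ARP frame")
    smac = frame[6:12]                                   # Ethernet source MAC
    hrd, pro, hln, pln, op = struct.unpack_from("!HHBBH", frame, 14)
    sha = frame[22:28]                                   # sender hardware address
    kind, direction = ARP_OPCODES.get(op, ("Other", "Other"))
    return {
        "ARP/RARP": kind,
        "Request/Reply": direction,
        "ARP Sender MAC Match": int(sha == smac),            # SHA equals frame SMAC
        "IP/Ethernet Length": int(hln == 6 and pln == 4),    # HLN 0x06 and PLN 0x04
        "IP": int(hrd == 1),                                 # HRD is Ethernet (1)
        "Ethernet": int(pro == 0x0800),                      # PRO is IP (0x800)
    }


def ace_hits_arp(ace: dict, fields: dict) -> bool:
    """Each selector is either "Any" (don't-care) or must equal the frame's value."""
    return all(want == "Any" or want == fields[key] for key, want in ace.items())


def build_arp_frame(smac: bytes, sha: bytes, op: int, hln: int = 6, pln: int = 4) -> bytes:
    """Constructed sample frame (not a capture): Ethernet header plus a 28-byte ARP body."""
    eth_hdr = b"\xff" * 6 + smac + struct.pack("!H", ETH_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, hln, pln, op,
                       sha, bytes([192, 0, 2, 10]), b"\x00" * 6, bytes([192, 0, 2, 1]))
    return eth_hdr + body


# Assumed ACE (example only): hits ARP replies whose SHA differs from the sending MAC
# while the address lengths are well-formed; a candidate for Deny plus Logging.
SPOOF_CANDIDATE_ACE = {"ARP/RARP": "ARP", "Request/Reply": "Reply",
                       "ARP Sender MAC Match": 0, "IP/Ethernet Length": 1,
                       "IP": "Any", "Ethernet": "Any"}

MAC_A = bytes.fromhex("001122334455")   # constructed sample MACs
MAC_B = bytes.fromhex("66778899aabb")
```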
IP Parameters
IP Protocol Filter Specify the IP protocol filter for this ACE.
  • Any: No IP protocol filter is specified (“don't-care”).
  • Specific: If you want to filter a specific IP protocol filter with this ACE, choose this value. A field for entering an IP protocol filter appears.
  • ICMP: Select ICMP to filter IPv4 ICMP protocol frames. Extra fields for defining ICMP parameters will appear. These fields are explained later in this help file.
  • UDP: Select UDP to filter IPv4 UDP protocol frames. Extra fields for defining UDP parameters will appear. These fields are explained later in this help file.
  • TCP: Select TCP to filter IPv4 TCP protocol frames. Extra fields for defining TCP parameters will appear. These fields are explained later in this help file.
IP Protocol Value When Specific is selected for the IP protocol value, you can enter a specific value. Valid values are 1 – 255. A frame that hits this ACE matches this IP protocol value.
IP TTL Specify the Time-to-Live settings for this ACE.
  • zero: IPv4 frames with a Time-to-Live field greater than zero must not be able to match this entry.
  • non-zero: IPv4 frames with a Time-to-Live field greater than zero must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
IP Fragment Specify the fragment offset settings for this ACE. This involves the settings for the More Fragments (MF) bit and the Fragment Offset (FRAG OFFSET) field for an IPv4 frame.
  • No: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must not be able to match this entry.
  • Yes: IPv4 frames where the MF bit is set or the FRAG OFFSET field is greater than zero must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
IP Option Specify the options flag setting for this ACE.
  • No: IPv4 frames where the options flag is set must not be able to match this entry.
  • Yes: IPv4 frames where the options flag is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
SIP Filter Specify the source IP filter for this ACE.
  • Any: No source IP filter is specified. (Source IP filter is “don't-care”.)
  • Host: Source IP filter is set to Host. Specify the source IP address in the SIP Address field that appears.
  • Network: Source IP filter is set to Network. Specify the source IP address and source IP mask in the SIP Address and SIP Mask fields that appear.
SIP Address When Host or Network is selected for the source IP filter, you can enter a specific SIP address in dotted decimal notation.
SIP Mask When Network is selected for the source IP filter, you can enter a specific SIP mask in dotted decimal notation.
DIP Filter Specify the destination IP filter for this ACE.
  • Any: No destination IP filter is specified. (Destination IP filter is “don't-care”.)
  • Host: Destination IP filter is set to Host. Specify the destination IP address in the DIP Address field that appears.
  • Network: Destination IP filter is set to Network. Specify the destination IP address and destination IP mask in the DIP Address and DIP Mask fields that appear.
DIP Address When Host or Network is selected for the destination IP filter, you can enter a specific DIP address in dotted decimal notation.
DIP Mask When Network is selected for the destination IP filter, you can enter a specific DIP mask in dotted decimal notation.
IPv6 Parameters
Next Header Filter Specify the IPv6 next header filter for this ACE.
  • Any: No IPv6 next header filter is specified (“don't-care”).
  • Specific: If you want to filter a specific IPv6 next header filter with this ACE, choose this value. A field for entering an IPv6 next header filter appears.
  • ICMP: Select ICMP to filter IPv6 ICMP protocol frames. Extra fields for defining ICMP parameters will appear. These fields are explained later in this help file.
  • UDP: Select UDP to filter IPv6 UDP protocol frames. Extra fields for defining UDP parameters will appear. These fields are explained later in this help file.
  • TCP: Select TCP to filter IPv6 TCP protocol frames. Extra fields for defining TCP parameters will appear. These fields are explained later in this help file.
Next Header Value When Specific is selected for the IPv6 next header value, you can enter a specific value. Valid values are 0 - 255. A frame that hits this ACE matches this IPv6 protocol value.
SIP Filter Specify the source IPv6 filter for this ACE.
  • Any: No source IPv6 filter is specified. (Source IPv6 filter is “don't-care”.)
  • Specific: Source IPv6 filter is set to Network. Specify the source IPv6 address and source IPv6 mask in the SIP Address and SIP BitMask fields that appear.
SIP Address When Specific is selected for the source IPv6 filter, you can enter a specific SIPv6 address. This field only covers the last 32 bits of the IPv6 address.
SIP BitMask When Specific is selected for the source IPv6 filter, you can enter a specific SIPv6 mask. This field only covers the last 32 bits of the IPv6 address. Note the bitmask semantics: a bitmask bit of 0 means that bit is “don't-care”. The pattern actually matched is [sipv6_address & sipv6_bitmask] (last 32 bits).

For example, if the SIPv6 address is 2001::3 and the SIPv6 bitmask is 0xFFFFFFFE (bit 0 is the “don't-care” bit), then SIPv6 addresses 2001::2 and 2001::3 are applied to this rule.
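The value/bitmask matching used by both the Policy Bitmask field and the IPv6 SIP BitMask field, as an added example that is not the switch's own code. It enumerates which policies a value/mask pair hits and applies the "last 32 bits only" rule to IPv6 source addresses; the function names are assumptions made for this example.

```python
import ipaddress


def masked_match(frame_value: int, ace_value: int, bitmask: int) -> bool:
    """Bitmask semantics from the page: a mask bit of 0 is "don't-care", so only
    the bits set in the mask are compared."""
    return (frame_value & bitmask) == (ace_value & bitmask)


def matching_policies(ace_value: int, bitmask: int) -> list:
    """All policy numbers (0..255) that a Policy Value / Policy Bitmask pair hits.
    A mask whose only don't-care bit is bit 0 is 0xFE (binary 11111110); a mask of
    0x10 compares only bit 4, so it hits every policy whose bit 4 equals that of
    the ACE value (128 of the 256 possible policies)."""
    return [p for p in range(256) if masked_match(p, ace_value, bitmask & 0xFF)]


def ipv6_low32(addr: str) -> int:
    """The SIP Address / SIP BitMask fields only cover the last 32 bits of the address."""
    return int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF


def ipv6_sip_hits(frame_sip: str, ace_sip: str, bitmask: int) -> bool:
    """Evaluate the IPv6 SIP filter: [sipv6_address & sipv6_bitmask] on the low 32 bits.
    Because the upper 96 bits are never compared, two addresses that differ only
    there (for example 2001::3 and 2002::3) are indistinguishable to this filter."""
    return masked_match(ipv6_low32(frame_sip), ipv6_low32(ace_sip), bitmask & 0xFFFFFFFF)
```

Keep the upper-96-bit caveat in mind when an IPv6 source filter is meant to pin a rule to one prefix: the prefix itself is not part of the comparison.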

Hop Limit Specify the hop limit settings for this ACE.
  • zero: IPv6 frames with a hop limit field greater than zero must not be able to match this entry.
  • non-zero: IPv6 frames with a hop limit field greater than zero must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
ICMP Parameters
ICMP Type Filter Specify the ICMP filter for this ACE.
  • Any: No ICMP filter is specified (ICMP filter status is “don't-care”).
  • Specific: If you want to filter on a specific ICMP type with this ACE, choose this value. A field for entering an ICMP type value appears.
ICMP Type Value When Specific is selected for the ICMP filter, you can enter a specific ICMP value. Valid values are 0 – 255. A frame that hits this ACE matches this ICMP value.
ICMP Code Filter Specify the ICMP code filter for this ACE.
  • Any: No ICMP code filter is specified (ICMP code filter status is “don't-care”).
  • Specific: If you want to filter on a specific ICMP code with this ACE, choose this value. A field for entering an ICMP code value appears.
ICMP Code Value When Specific is selected for the ICMP code filter, you can enter a specific ICMP code value. Valid values are 0 – 255. A frame that hits this ACE matches this ICMP code value.
TCP/UDP Parameters
TCP/UDP Source Filter Specify the TCP/UDP source filter for this ACE.
  • Any: No TCP/UDP source filter is specified (TCP/UDP source filter status is “don't-care”).
  • Specific: If you want to filter on a specific TCP/UDP source port with this ACE, choose this value. A field for entering a TCP/UDP source value appears.
  • Range: If you want to filter on a range of TCP/UDP source ports with this ACE, choose this value. A field for entering a TCP/UDP source range value appears.

TCP/UDP Source No. When Specific is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source value. Valid values are 0 – 65535. A frame that hits this ACE matches this TCP/UDP source value.
TCP/UDP Source Range When Range is selected for the TCP/UDP source filter, you can enter a specific TCP/UDP source range value. Valid values are 0 – 65535. A frame that hits this ACE matches this TCP/UDP source range.
TCP/UDP Destination Filter Specify the TCP/UDP destination filter for this ACE.
  • Any: No TCP/UDP destination filter is specified (TCP/UDP destination filter status is “don't-care”).
  • Specific: If you want to filter on a specific TCP/UDP destination port with this ACE, choose this value. A field for entering a TCP/UDP destination value appears.
  • Range: If you want to filter on a range of TCP/UDP destination ports with this ACE, choose this value. A field for entering a TCP/UDP destination range value appears.
TCP/UDP Destination Number When Specific is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP destination value. Valid values are 0 – 65535. A frame that hits this ACE matches this TCP/UDP destination value.
TCP/UDP Destination Range When Range is selected for the TCP/UDP destination filter, you can enter a specific TCP/UDP destination range value. Valid values are 0 – 65535. A frame that hits this ACE matches this TCP/UDP destination range.
TCP FIN Specify the TCP “No more data from sender” (FIN) value for this ACE.
  • 0: TCP frames where the FIN field is set must not be able to match this entry.
  • 1: TCP frames where the FIN field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
TCP SYN Specify the TCP “Synchronize sequence numbers” (SYN) value for this ACE.
  • 0: TCP frames where the SYN field is set must not be able to match this entry.
  • 1: TCP frames where the SYN field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
TCP RST Specify the TCP “Reset the connection” (RST) value for this ACE.
  • 0: TCP frames where the RST field is set must not be able to match this entry.
  • 1: TCP frames where the RST field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
TCP PSH Specify the TCP “Push Function” (PSH) value for this ACE.
  • 0: TCP frames where the PSH field is set must not be able to match this entry.
  • 1: TCP frames where the PSH field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
TCP ACK Specify the TCP “Acknowledgment field significant” (ACK) value for this ACE.
  • 0: TCP frames where the ACK field is set must not be able to match this entry.
  • 1: TCP frames where the ACK field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
TCP URG Specify the TCP “Urgent Pointer field significant” (URG) value for this ACE.
  • 0: TCP frames where the URG field is set must not be able to match this entry.
  • 1: TCP frames where the URG field is set must be able to match this entry.
  • Any: Any value is allowed (“don't-care”).
Ethernet Type Parameters
EtherType Filter Specify the Ethernet type filter for this ACE.
  • Any: No EtherType filter is specified (EtherType filter status is “don't-care”).
  • Specific: If you want to filter on a specific EtherType with this ACE, choose this value. A field for entering an EtherType value appears.
Ethernet Type Value When Specific is selected for the EtherType filter, you can enter a specific EtherType value. The allowed range is 0x600 to 0xFFFF, excluding 0x800(IPv4), 0x806(ARP) and 0x86DD(IPv6). A frame that hits this ACE matches this EtherType value.
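The Frame Type selector rules (Any, EType, ARP, IPv4 sub-types, IPv6; an Ethernet Type ACE never hits ARP, IPv4 or IPv6 frames; Length/Type below 0x600 is an 802.3 length) and the EtherType Value range above, as an added example that is not the switch's own code. It classifies constructed raw frames, skipping one 802.1Q tag to reach the real EtherType; the function names and sample frames are assumptions made for this example.

```python
import struct

ETH_IPV4, ETH_ARP, ETH_IPV6, ETH_8021Q = 0x0800, 0x0806, 0x86DD, 0x8100
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
IPV4_SUBTYPES = {IPPROTO_ICMP: "IPv4/ICMP", IPPROTO_UDP: "IPv4/UDP", IPPROTO_TCP: "IPv4/TCP"}


def validate_ethertype_value(value: int) -> bool:
    """Ethernet Type Value field: 0x600..0xFFFF, excluding IPv4, ARP and IPv6,
    which have their own Frame Type selectors."""
    return 0x600 <= value <= 0xFFFF and value not in (ETH_IPV4, ETH_ARP, ETH_IPV6)


def frame_type(frame: bytes) -> str:
    """Classify a raw Ethernet frame the way the Frame Type column does.

    Returns 'EType', 'ARP', 'IPv4/ICMP', 'IPv4/UDP', 'IPv4/TCP', 'IPv4/Other' or
    'IPv6'; a Length/Type field below 0x600 is an 802.3 length, returned as 'Length'.
    One 802.1Q tag (TPID 0x8100) is skipped so the real EtherType is examined.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    l3_offset = 14
    if ethertype == ETH_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        l3_offset = 18
    if ethertype < 0x600:
        return "Length"
    if ethertype == ETH_ARP:
        return "ARP"
    if ethertype == ETH_IPV6:
        return "IPv6"
    if ethertype == ETH_IPV4:
        if len(frame) < l3_offset + 20:
            raise ValueError("truncated IPv4 header")
        return IPV4_SUBTYPES.get(frame[l3_offset + 9], "IPv4/Other")  # protocol byte
    return "EType"


def ace_hits_frame_type(ace_frame_type: str, ft: str) -> bool:
    """Frame Type selector semantics: Any hits every frame, IPv4 hits all IPv4
    sub-types, and an EType ACE never hits ARP, IPv4 or IPv6 frames."""
    if ace_frame_type == "Any":
        return True
    if ace_frame_type == "IPv4":
        return ft.startswith("IPv4")
    return ace_frame_type == ft


# Constructed sample frames (not captures): dst, src, [802.1Q tag], EtherType, payload.
_DST, _SRC = bytes.fromhex("0180c200000e"), bytes.fromhex("001122334455")
SAMPLE_LLDP = _DST + _SRC + struct.pack("!H", 0x88CC) + b"\x02\x07\x04" + _SRC
SAMPLE_ARP = b"\xff" * 6 + _SRC + struct.pack("!H", ETH_ARP) + b"\x00" * 28
SAMPLE_UDP = (_DST + _SRC + struct.pack("!H", ETH_IPV4)
              + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, IPPROTO_UDP, 0,
                            bytes([192, 0, 2, 10]), bytes([192, 0, 2, 1])) + b"\x00" * 8)
SAMPLE_TAGGED_IPV6 = (_DST + _SRC + struct.pack("!HH", ETH_8021Q, 100)
                      + struct.pack("!H", ETH_IPV6) + b"\x60" + b"\x00" * 39)
SAMPLE_8023_LENGTH = _DST + _SRC + struct.pack("!H", 0x0026) + b"\xaa\xaa\x03" + b"\x00" * 35
```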
Buttons
  • Save: Save changes.
  • Reset: Undo any changes and revert to previously saved values.
  • Cancel: Undo any changes and return to the previous page.