A MAC ACL consists of a set of rules that are matched sequentially against a packet. When a packet meets the match criteria of a rule, the specified rule action (Permit/Deny) is taken and the remaining rules are not checked. On this menu, you must specify the interfaces to which a MAC ACL applies and whether it applies to inbound or outbound traffic. Rules for the MAC ACL are created and edited using the MAC ACL Rule Configuration menu.
To configure a MAC ACL:
The MAC ACL Configuration page allows network administrators to define a MAC-based ACL.
To display the MAC ACL Configuration page, click QoS > Access Control Lists > MAC Access Control Lists > Configuration in the navigation menu.
| Field | Description |
|---|---|
| MAC ACL | The options in the dropdown menu allow you to create a new MAC ACL or select an existing MAC ACL that you want to rename. |
| MAC ACL Name | Enter a name for the MAC ACL. The name string may include alphabetic, numeric, dash, underscore, or space characters only. The name must start with an alphabetic character. This field displays the name of the currently selected MAC ACL if the ACL has already been created. |
| Table | Identifies the type of table. |
| Current Number / Maximum Number | Shows the current size of the ACL table versus the maximum size of the ACL table. The current size is equal to the number of configured IPv4 and IPv6 ACLs plus the number of configured MAC ACLs. The maximum size is 100. |
To add a MAC ACL, select Create New Extended MAC ACL from the MAC ACL dropdown menu, enter a name for the ACL in the appropriate field, and then click Submit.
To rename a MAC ACL, select the ACL name from the MAC ACL dropdown menu. Enter a new name for the ACL in the appropriate field, and then click Rename. The Rename button only appears if a configured MAC ACL is selected.
To delete a MAC ACL, select the ACL name from the MAC ACL dropdown menu, and then click Delete. The Delete button only appears if a configured MAC ACL is selected.
Use the MAC ACL Summary page to view all MAC ACLs and their related data.
To display the MAC ACL Summary page, click QoS > Access Control Lists > MAC Access Control Lists > Summary in the navigation menu.
| Field | Description |
|---|---|
| MAC ACL Name | Shows the MAC ACL identifier. |
| Rules | Shows the number of rules currently configured for the MAC ACL. |
| Direction | Shows the direction of packet traffic affected by the MAC ACL, which can be Inbound or Outbound. |
| Interface | Shows the interfaces to which the MAC ACL applies. |
| VLAN | Shows the VLAN(s) to which the MAC ACL applies. |
Click Refresh to update the information on the screen.
Use the MAC ACL Rule Configuration page to define rules for MAC-based ACLs. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. A default 'deny all' rule is the last rule of every list.
To display the MAC ACL Rule Configuration page, click QoS > Access Control Lists > MAC Access Control Lists > Rule Configuration in the navigation menu. The fields available on the page depend on whether the rule action is permit or deny, and whether you select Create Rule or an existing rule from the Rule field.
Figure below shows the fields available when Create New Rule is selected in the Rule field.
Figure below shows the fields available when you configure a MAC ACL rule with a Deny action.
Table below shows all possible fields on the MAC ACL Rule Configuration page. The actual fields available on the page depend on whether you create a new rule or modify an existing rule, and whether the rule action is Permit or Deny.
| Field | Description |
|---|---|
| MAC ACL | Specifies an existing MAC ACL. To set up a new MAC ACL, use the “MAC Access Control Lists” page. |
| Rule | Select an existing Rule ID to modify, or select Create Rule to configure a new ACL rule. Enter a whole number in the range 1 to 28 to identify the rule. New rules cannot be created if the maximum number of rules has been reached. For each rule, a packet must match all the specified criteria for the rule to be true and for the specified rule action (Permit/Deny) to take place. |
| Rule ID | This field is available only if you select Create Rule from the Rule field. Enter a new Rule ID. After you click Submit, the new ID is created and you can configure the rule settings. You can create up to 10 rules for each ACL. |
| Action | Specify what action should be taken if a packet matches the rule's criteria (Permit or Deny). |
| Logging | This field is only visible for a Deny action. When set to True, logging is enabled for this ACL rule (subject to resource availability in the device). If the Access List Trap Flag is also enabled, periodic traps are generated indicating the number of times this rule took effect during the current report interval. A fixed 5 minute report interval is used for the entire system. A trap is not issued if the ACL rule hit count is zero for the current interval. |
| Time Range Name | Use this field to impose a time limitation on the ACL rule. When you click Configure, you can select a configured time range or create a new named time range. To configure the time range values, use the System > Time Ranges > Time Range Entry Configuration page. If a time range with the specified name does not exist and the ACL containing this rule is applied to an interface or bound to a VLAN, the rule is applied immediately. If a time range with the specified name exists and the ACL containing this rule is applied to an interface or bound to a VLAN, the rule is applied when that time range becomes active and removed when it becomes inactive. |
| Assign Queue ID | This field is only visible when the Action is Permit. Specifies the hardware egress queue identifier used to handle all packets matching this ACL rule. Click Configure, and then enter an identifying number from 0 to 6 in the appropriate field. Click Submit or Cancel to return to the Rule Configuration page. |
| Match Every | Requires a packet to match the criteria of this ACL. Click Configure, and then select True or False from the dropdown list. Then click Submit or Cancel to return to the Rule Configuration page. Match Every is exclusive of the other filtering criteria, so if Match Every is True, the other criteria do not appear on the screen. False indicates that it is not mandatory for every packet to match the selected ACL rule. |
| Mirror Interface | This field is only visible when the Action is Permit. Specifies the egress interface to which the matching traffic stream is copied in addition to being forwarded normally by the device. This field cannot be set if a Redirect Interface is already configured for the ACL rule. |
| Redirect Interface | This field is only visible when the Action is Permit. Specifies the egress interface to which the matching traffic stream is forced, bypassing any forwarding decision normally performed by the device. This field cannot be set if a Mirror Interface is already configured for the ACL rule. |
| CoS | Specifies the 802.1p user priority to compare against an Ethernet frame. Requires a packet’s class of service (CoS) to match the CoS value listed here. Click Configure, and then enter a CoS value between 0 and 7 to apply this criterion. Click Submit or Cancel to return to the Rule Configuration page. |
| Destination MAC Address | Requires an Ethernet frame’s destination MAC address to match the address listed here. Click Configure, and then enter a MAC address in the appropriate field. The valid format is xx:xx:xx:xx:xx:xx. The BPDU keyword may be specified using a Destination MAC Address of 01:80:C2:xx:xx:xx. Click Submit or Cancel to return to the Rule Configuration page. |
| Destination MAC Mask | If desired, enter the MAC mask associated with the destination MAC to match. The MAC address mask specifies which bits in the destination MAC to compare against an Ethernet frame. Use F’s and zeros in the MAC mask, which is in a wildcard format. An F means that the bit is not checked, and a zero in a bit position means that the data must equal the value given for that bit. |
| EtherType Key | Requires a packet’s EtherType to match the EtherType you select. Click Configure, and then select the EtherType value from the dropdown menu. If you select User Value, you can enter a custom EtherType value. |
| EtherType User Value | This field only appears if you select User Value from the EtherType dropdown list. The value you enter specifies a customized EtherType to compare against an Ethernet frame. The valid range of values is 0x0600 to 0xFFFF. |
| Source MAC Address | Requires a packet’s source MAC address to match the address listed here. Click Configure, and then enter a MAC address in the appropriate field. The valid format is xx:xx:xx:xx:xx:xx. |
| Source MAC Mask | If desired, enter the MAC mask for the source MAC address to match. Use F’s and zeros in the MAC mask, which is in a wildcard format. An F means that the bit is not checked, and a zero in a bit position means that the data must equal the value given for that bit. The valid format is xx:xx:xx:xx:xx:xx. Click Submit or Cancel to return to the Rule Configuration page. |
| VLAN | Requires a packet’s VLAN ID to match the ID listed here. Click Configure, and then enter the VLAN ID to apply this criterion. The valid range is platform specific. Either VLAN Range or VLAN can be configured. Click Submit or Cancel to return to the Rule Configuration page. |
Adding a New Rule to a MAC-based ACL
Once you configure a MAC ACL, you can add rules to the ACL.
Removing a Rule From a MAC-based ACL
Use the MAC ACL Rule Status Summary page to view whether the time-based rules within an ACL are currently active or inactive.
To display the MAC ACL Rule Status Summary page, click QoS > Access Control Lists > MAC Access Control Lists > Rule Status Summary in the navigation menu.
| Field | Description |
|---|---|
| MAC ACL | Shows the user-configured ID number or name associated with the ACL. |
| Rules | Identifies a rule currently configured for the IP ACL. |
| Time Range Name | Identifies the time range associated with the rule. |
| Rule Status | Identifies whether the time-based rule is active. If the current time is outside of the defined time range, the rule is inactive. |
Click Refresh to update the information on the screen.
When an ACL is bound to an interface, all the rules that have been defined in it are applied to the selected interface. Use the ACL Interface Configuration page to assign ACLs to interfaces and to prioritize the ACLs that are bound to each interface.
To display the ACL Interface Configuration page, click QoS > Access Control Lists > Interface Configuration in the navigation menu.
If an ACL has been assigned to the interface, it displays in the table at the bottom of the page.
| Field | Description |
|---|---|
| Interface | Select the interface, LAG, or VLAN routing interface from the dropdown menu. |
| Direction | Specifies the packet filtering direction for the ACL. The system supports Inbound and Outbound filtering. Inbound filtering means the system applies the ACL rules to packets as they enter the interface. |
| ACL Type | Use the menu to select the ACL type to which incoming packets are matched. Packets can be matched to IP-, IPv6-, or MAC-based ACLs. |
| IPv4/IPv6/MAC ACL | Select the ACL of the specified type to apply to the interface from the dropdown menu. |
| ACL ID | Displays the ACL number or name identifying the ACL assigned to the selected interface and direction. |
| Sequence Number | Assigns the priority of this ACL. If more than one ACL is applied to an interface, then the match criteria for the highest sequence ACLs are checked first. A lower number indicates higher priority. If a sequence number is already in use for this interface and direction, the specified access list replaces the currently attached access list using that sequence number. If you do not specify a sequence number, a sequence number that is one greater than the highest sequence number currently in use for this interface and direction is used. The valid range is 1-4294967295. |
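The Sequence Number rules in the table above (an explicit number already in use replaces that binding, an omitted number becomes one greater than the highest in use, and a lower number is checked first) are easy to get wrong when several ACLs share one interface and direction. The following is an added example, not the switch's own code; the binding table layout, the interface name used in the usage, and the reading of "lower number, higher priority" as "lower number checked first" are assumptions.

```python
# Added example (not from the switch documentation): models the Sequence Number
# behaviour described in the table above for ACLs bound to one interface and
# direction. Replace-on-collision, highest-in-use + 1 auto-assignment, the
# 1-4294967295 range, and lowest-sequence-first evaluation are implemented.
from typing import Dict, List, Optional, Tuple

SEQ_MIN, SEQ_MAX = 1, 4294967295      # valid range from the table above
Binding = Tuple[str, str]             # (acl_type, acl_id), e.g. ("MAC", "block-bpdu")
Table = Dict[Tuple[str, str], Dict[int, Binding]]   # (iface, direction) -> seq -> binding

def bind_acl(table: Table, iface: str, direction: str, acl_type: str,
             acl_id: str, seq: Optional[int] = None) -> int:
    """Attach an ACL to (iface, direction); returns the sequence number used."""
    if direction not in ("Inbound", "Outbound"):
        raise ValueError("direction must be Inbound or Outbound")
    if acl_type not in ("IPv4", "IPv6", "MAC"):
        raise ValueError("unsupported ACL type")
    slot = table.setdefault((iface, direction), {})
    if seq is None:
        seq = max(slot, default=0) + 1     # one greater than the highest in use
    if not SEQ_MIN <= seq <= SEQ_MAX:
        raise ValueError(f"sequence number {seq} outside {SEQ_MIN}-{SEQ_MAX}")
    slot[seq] = (acl_type, acl_id)         # replaces whatever held this seq
    return seq

def unbind_acl(table: Table, iface: str, direction: str,
               acl_type: str, acl_id: str) -> bool:
    """Remove one ACL binding (the Remove button); True if something was removed."""
    slot = table.get((iface, direction), {})
    for seq, entry in list(slot.items()):
        if entry == (acl_type, acl_id):
            del slot[seq]
            return True
    return False

def evaluation_order(table: Table, iface: str, direction: str) -> List[Binding]:
    """Bound ACLs in the order their match criteria are checked (lowest seq first)."""
    slot = table.get((iface, direction), {})
    return [slot[seq] for seq in sorted(slot)]

if __name__ == "__main__":
    t: Table = {}
    bind_acl(t, "1/0/1", "Inbound", "MAC", "block-bpdu", 10)   # "1/0/1" is a placeholder port
    bind_acl(t, "1/0/1", "Inbound", "IPv4", "1")               # auto-assigned seq 11
    bind_acl(t, "1/0/1", "Inbound", "IPv6", "v6-mgmt", 10)     # silently replaces the MAC ACL
    print(evaluation_order(t, "1/0/1", "Inbound"))
```

The silent replacement at a reused sequence number is the case worth auditing after a change: an ACL you expected to still be bound may have been displaced without any error.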
Assigning an ACL to an Interface
NOTE: Whenever an ACL is assigned on a port, LAG, or VLAN, flows from that ingress interface that do not match the ACL are matched to the default rule, which is Drop unmatched packets.
Removing an ACL from an Interface
If an ACL is bound to an interface, the Remove button appears on the page when you select the interface from the Interface dropdown menu. To remove the ACL from the interface, select the type of ACL to remove in the ACL Type field, select its ID or name, and then click Remove.
Use this page to configure ACLs to apply to VLANs on your system rather than to ports. At the bottom of the page, the table displays any currently-configured ACLs for the selected VLAN.
To display this page, click QoS > Access Control Lists > VLAN ACL Configuration in the navigation menu.
The table at the bottom of the page displays any currently configured ACLs on the selected VLAN interface.
| Field | Description |
|---|---|
| VLAN ID | Select the VLAN ID with which you want to associate an ACL. |
| Direction | Specifies the packet filtering direction for the ACL. The system supports Inbound and Outbound filtering. Inbound filtering means the system applies the ACL rules to packets as they enter the interface. |
| ACL Type | Use the menu to select the ACL type to which packets are matched. Packets can be matched to IPv4-, IPv6-, and MAC-based ACLs. |
| ACL Identifier | Displays the ACL number or name identifying the ACL assigned to the selected VLAN and direction. |
| Sequence Number | Assigns the priority of this ACL. If more than one ACL is applied to a VLAN, then the match criteria for the highest sequence ACLs are checked first. A lower number indicates higher priority. If a sequence number is already in use for this VLAN and direction, the specified access list replaces the currently attached access list using that sequence number. If you do not specify a sequence number, a sequence number that is one greater than the highest sequence number currently in use for this VLAN and direction is used. The valid range is 1-4294967295. |
Use this page to view all ports and VLANs to which an ACL has been applied.
To access the page, click QoS > Access Control Lists > ACL Interface/VLAN Summary.
| Field | Description |
|---|---|
| Summary Display Selector | Select Interface or VLAN to choose which summary is displayed. By default, the summary of interface-based ACL(s) is displayed. |
| Interface | Displays the interfaces to which the ACL applies. |
| VLAN ID | Displays the VLAN(s) to which the ACL applies. |
| Direction | The direction of packet traffic affected by the ACL. The system supports inbound and outbound filtering. |
| ACL Type | Displays the type of ACL assigned to the selected interface or VLAN and direction. |
| ACL Identifier | Displays the ACL number (for IPv4 ACLs) or the ACL name (for IPv6 and MAC ACLs), which identifies the ACL assigned to the selected interface or VLAN and direction. |
| Sequence Number | Displays the sequence number signifying the order of the specified ACL relative to other ACLs assigned to the selected interface or VLAN and direction. |
Click Interface or VLAN ID to display either interface-based or VLAN ID-based ACLs.