•
Defining IP Based ACL•
Defining IPv6 Based ACLs•
Defining ACL BindingDefining MAC Based ACL
The MAC Based ACL Page allows a MAC-based Access Control List (ACL) to be defined. The table lists Access Control Elements (ACE) rules, which can be added only if the ACL is not bound to an interface.
Configuring Device Security
Defining Access Control
4
To define the MAC Based ACL:
STEP 1 Click Security Suite >Access Control > MAC Based ACL. The MAC Based ACL Page opens:
MAC Based ACL Page
The MAC Based ACL Page contains the following fields:
•
ACL Name — Displays the user-defined MAC based ACLs.•
Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.•
Source MAC Address — Defines the source MAC address to match the ACE.•
Source MAC Mask — Defines the source MAC mask to match the ACE.•
Destination MAC Address — Defines the destination MAC address to match the ACE.•
Destination MAC Mask — Defines the destination MAC mask to the which packets are matched.•
VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4093.•
Inner VLAN — Matches the ACE to the inner VLAN ID of a double tagged packet.Configuring Device Security
Defining Access Control
4
•
802.1p — Displays the packet tag value.•
802.1p Mask — Displays the wildcard bits to be applied to the CoS.•
EtherType — Displays the Ethernet type of the packet.•
Action — Indicates the ACL forwarding action. For example, the port can be shut down, a trap can be sent to the network administrator, or packet is assigned rate limiting restrictions for forwarding. Possible field values are:-
Permit — Forwards packets which meet the ACL criteria.-
Deny — Drops packets which meet the ACL criteria.-
Shutdown — Drops packet that meet the ACL criteria, and disables the port to which the packet was addressed. Ports are reactivated from the Edit Interface Settings Page.STEP 2 To remove an ACL, click the Delete ACL button.
STEP 3 To remove an ACE rule, click the rule’s checkbox and click the Delete Rule button.
STEP 4 Click the Add ACL button. The Add MAC Based ACL Page opens:
Add MAC Based ACL Page
The Add MAC Based ACL Page contains the following fields:
•
ACL Name — Displays the user-defined MAC based ACLs.Configuring Device Security
Defining Access Control
4
•
New Rule Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.•
Source MAC Address:-
MAC Address — Matches the source MAC address from which packets are addressed to the ACE.-
Wildcard Mask — Indicates the source MAC Address wildcard mask.Wildcards are used to mask all or part of a source MAC Address.
Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the source MAC address
09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.
•
Dest. MAC Address:-
MAC Address — Matches the destination MAC address to which packets are addressed to the ACE.-
Wildcard Mask — Indicates the destination MAC Address wildcard mask. Wildcards are used to mask all or part of a destination MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the destination IP address09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.
•
VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4095.•
Inner VLAN — Matches the ACE to the inner VLAN ID of a double tagged packet.•
802.1p — Displays the packet tag value.•
802.1p Mask — Displays the wildcards bits to be applied to the CoS.•
Ethertype — Displays the Ethernet type of the packet.•
Action — Indicates the ACL forwarding action. The possible field values are:Configuring Device Security
Defining Access Control
4
-
Permit — Forwards packets which meet the ACL criteria.-
Deny — Drops packets which meet the ACL criteria.-
Shutdown — Drops packet that meet the ACL criteria, and disables the port to which the packet was addressed.STEP 5 Define the relevant fields.
STEP 6 Click Apply. The MAC Based ACL is defined, and the device is updated.
Adding Rule to MAC Based ACL
STEP 1 Select an existing ACL.
STEP 2 Click the Add Rule button. The Add MAC Based Rule Page opens:
Add MAC Based Rule Page
The Add MAC Based Rule Page contains the following fields:
•
ACL Name — Displays the user-defined MAC based ACLs.•
New Rule Priority — Indicates the ACE priority, which determines which ACE is matched to a packet on a first-match basis. The possible field values are 1-2147483647.•
Source MAC AddressConfiguring Device Security
Defining Access Control
4
-
MAC Address — Matches the source MAC address from which packets are addressed to the ACE.-
Wildcard Mask — Indicates the source MAC Address wildcard mask.Wildcards are used to mask all or part of a source MAC Address.
Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the source MAC address
09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.
•
Destination MAC Address-
MAC Address — Matches the destination MAC address to which packets are addressed to the ACE.-
Wildcard Mask — Indicates the destination MAC Address wildcard mask. Wildcards are used to mask all or part of a destination MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the destination MAC address09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.
•
VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4095.•
Inner VLAN — Matches the ACE to the inner VLAN ID of a double tagged packet.•
802.1p — Displays the packet tag value.•
802.1p Mask — Displays the wildcard bits to be applied to the CoS.•
Ethertype — Displays the Ethernet type of the packet.•
Action — Indicates the ACL forwarding action. The possible field values are:-
Permit — Forwards packets which meet the ACL criteria.-
Deny — Drops packets which meet the ACL criteria.-
Shutdown — Drops packet that meet the ACL criteria, and disables theConfiguring Device Security
Defining Access Control
4
STEP 3 Define the relevant fields.
STEP 4 Click Apply. The ACL Rule is defined, and the device is updated.
Modifying MAC Based ACL
STEP 1 Click Security Suite >Access Control > MAC Based ACL. The MAC Based ACL Page opens.
STEP 2 Click the Edit button. The Rule Settings Page opens:
Rule Settings Page
The Rule Settings Page contains the following fields:
•
ACL Name — Displays the user-defined MAC based ACLs.•
Rule Priority — Indicates the rule priority, which determines which rule is matched to a packet on a first-match basis.•
Source MAC Address:-
MAC Address — Matches the source MAC address from which packets are addressed to the ACE.-
Wildcard Mask — Indicates the source MAC Address wildcard mask.Wildcards are used to mask all or part of a source MAC Address.
Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets
Configuring Device Security
Defining Access Control
4
are important. For example, if the source MAC address
09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.
•
Destination MAC Address:-
MAC Address — Matches the destination MAC address to which packets are addressed to the ACE.-
Wildcard Mask — Indicates the destination MAC Address wildcard mask. Wildcards are used to mask all or part of a destination MAC Address. Wildcard masks specify which octets are used and which octets are ignored. A wildcard mask of ff:ff:ff:ff:ff:ff indicates that no octet is important. A wildcard of 00:00:00:00:00:00 indicates that all the octets are important. For example, if the destination IP address09:00:07:A9:B2:EB and the wildcard mask is 00:ff:00:ff:00:ff, the 1st, 3rd, and 5th octets of the MAC address are checked, while the 2nd, 4th, and 6th octets are ignored.
•
VLAN ID — Matches the packet’s VLAN ID to the ACE. The possible field values are 1 to 4095.•
Inner VLAN — Matches the ACE to the inner VLAN ID of a double tagged packet.•
802.1p — Displays the packet tag value.•
802.1p Mask — Displays the wildcard bits to be applied to the CoS.•
Ethertype — Displays the Ethernet type of the packet.•
Action — Indicates the ACL forwarding action. The possible field values are:-
Permit — Forwards packets which meet the ACL criteria.-
Deny — Drops packets which meet the ACL criteria.-
Shutdown — Drops packet that meet the ACL criteria, and disables the port to which the packet was addressed.STEP 3 Define the relevant fields.
STEP 4 Click Apply. The Rule settings are modified, and the device is updated.
Configuring Device Security
Defining Access Control