Configuring Acl
2018-03-02
: Tp-Link Configuring Acl configuring_acl configurationguide
Open the PDF directly: View PDF .
Page Count: 51
Download | |
Open PDF In Browser | View PDF |
Configuring ACL CHAPTERS 1. Overview 2. ACL Configuration 3. Configuration Example for ACL 4. Appendix: Default Parameters Configuring ACL Overview This guide applies to: T1500G-10PS v2 or above, T1500G-8T v2 or above, T1500G-10MPS v2 or above, T1500-28PCT v3 or above, T1600G-52TS v3 or above, T1600G-52PS v3 or above, T1600G-28PS v3 or above, T1600G-28TS v3 or above, T1600G-18TS v2 or above, T2600G-52TS v3 or above, T2600G-28TS v3 or above, T2600G-28MPS v3 or above, T2600G-28SQ v1 or above. 1 Overview ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies packets crossing specified interfaces or VLANs. It accurately identifies and processes the packets based on the ACL rules. In this way, ACL helps to limit network traffic, manage network access behaviors, forward packets to specified ports and more. To configure ACL, follow these steps: 1) Configure a time range during which the ACL is in effect. 2) Create an ACL and configure the rules to filter different packets. 3) Bind the ACL to a port or VLAN to make it effective. Configuration Guidelines A packet “matches” an ACL rule when it meets the rule’s matching criteria. The resulting action will be either to “permit” or “deny” the packet that matches the rule. If no ACL rule is configured, the packets will be forwarded without being processed by the ACL. If there is configured ACL rules and no matching rule is found, the packets will be dropped. Configuration Guide 1 Configuring ACL ACL Configuration 2 ACL Configuration 2.1 Using the GUI 2.1.1 Configuring Time Range Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range configuration, please refer to Managing System. 2.1.2 Creating an ACL You can create different types of ACL and define the rules based on source MAC or IP address, destination MAC or IP address, protocol type, port number and so on. MAC ACL: MAC ACL uses source and destination MAC address for matching operations. IP ACL: IP ACL uses source and destination IP address, IP protocols and so on for matching operations. Combined ACL: Combined ACL uses source and destination MAC address, and source and destination IP address for matching operations. IPv6 ACL: IPv6 ACL uses source and destination IPv6 address for matching operations. Packet Content ACL: Packet Content ACL analyzes and processes data packets based on 4 chunk match conditions, each chunk can specify a user-defined 4-byte segment carried in the packet’s first 128 bytes. Only T2600G series support this feature. Choose the menu SECURITY > ACL > ACL Config and click page. Figure 2-1 to load the following Creating an ACL Follow these steps to create an ACL: 1) Choose one ACL type and enter a number to identify the ACL. Configuration Guide 2 Configuring ACL ACL Configuration 2) (Optional) Assign a name to the ACL. 3) Click Create. Note: The supported ACL type and ID range varies on different switch models. Please refer to the on-screen information. 2.1.3 Configuring ACL Rules The created ACL will be displayed on the SECURITY > ACL > ACL Config page. Figure 2-2 Editing ACL Click Edit ACL in the Operation column. Then you can configure rules for this ACL. The following sections introduce how to configure MAC ACL, IP ACL, Combined ACL, IPv6 ACL and Packet Content ACL. Configuring MAC ACL Rule Click Edit ACL for a MAC ACL entry to load the following page. Figure 2-3 Configuring the MAC ACL Rule In ACL Rules Table section, click and the following page will appear. Configuration Guide 3 Configuring ACL Figure 2-4 ACL Configuration Configuring the MAC ACL Rule Follow these steps to configure the MAC ACL rule: 1) In the MAC ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5. Operation Select an action to be taken when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. S-MAC/Mask Enter the source MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. D-MAC/Mask Enter the destination MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. VLAN ID Enter the ID number of the VLAN to which the ACL will apply. Configuration Guide 4 Configuring ACL ACL Configuration EtherType Specify the EtherType to be matched using 4 hexadecimal numbers. User Priority Specify the User Priority to be matched. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page. Logging Enable Logging function for the ACL rule. Then the times that the rule is matched will be logged every 5 minutes and a related trap will be generated. You can refer to Total Matched Counter in the ACL Rules Table to view the matching times. 2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored. Figure 2-5 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected. Figure 2-6 Configuring Redirect Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port. 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters. Configuration Guide 5 Configuring ACL Figure 2-7 ACL Configuration Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support this option. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch. Figure 2-8 Configuring QoS Remark DSCP Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one. Local Priority Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one. 802.1p Priority Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one. 6) Click Apply. Configuring IP ACL Rule Click Edit ACL for an IP ACL entry to load the following page. Configuration Guide 6 Configuring ACL Figure 2-9 ACL Configuration Configuring the IP ACL Rule In ACL Rules Table section, click Figure 2-10 and the following page will appear. Configuring the IP ACL Rule Follow these steps to configure the IP ACL rule: Configuration Guide 7 Configuring ACL ACL Configuration 1) In the IP ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5. Operation Select an action to be taken when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. Fragment With this option selected, the rule will be applied to all fragment packets except for the last fragment packet in the fragment packet group. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support this option. S-IP/Mask Enter the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. D-IP/Mask Enter the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. IP Protocol Select a protocol type from the drop-down list. The default is No Limit, which indicates that packets of all protocols will be matched. You can also select Userdefined to customize the IP protocol. TCP Flag If TCP protocol is selected, you can configure the TCP Flag to be used for the rule’s matching operations. There are six flags and each has three options, which are *, 0 and 1. The default is *, which indicates that the flag is not used for matching operations. URG: Urgent flag. ACK: Acknowledge flag. PSH: Push flag. RST: Reset flag. SYN: Synchronize flag. FIN: Finish flag. S-Port / D-Port If TCP/UDP is selected as the IP protocol, specify the source and destination port number with a mask. Value: Specify the port number. Mask: Specify the port mask with 4 hexadacimal numbers. DSCP Specify a DSCP value to be matched between 0 and 63. The default is No Limit. IP ToS Specify an IP ToS value to be matched between 0 and 15. The default is No Limit. Configuration Guide 8 Configuring ACL ACL Configuration IP Pre Specify an IP Precedence value to be matched to be matched between 0 and 7. The default is No Limit. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page. Logging Enable Logging function for the ACL rule. Then the times that the rule is matched will be logged every 5 minutes and a related trap will be generated. You can refer to Total Matched Counter in the ACL Rules Table to view the matching times. 2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored. Figure 2-11 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected. Figure 2-12 Configuring Redirect Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port. 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters. Configuration Guide 9 Configuring ACL Figure 2-13 ACL Configuration Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support this option. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch. Figure 2-14 Configuring QoS Remark DSCP Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one. Local Priority Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one. 802.1p Priority Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one. 6) Click Apply. Configuring Combined ACL Rule Click Edit ACL for a Combined ACL entry to load the following page. Configuration Guide 10 Configuring ACL Figure 2-15 ACL Configuration Configuring the Combined ACL Rule In ACL Rules Table section, click and the following page will appear. Configuration Guide 11 Configuring ACL Figure 2-16 ACL Configuration Configuring the Combined ACL Rule Follow these steps to configure the Combined ACL rule: 1) In the Combined ACL Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5. Configuration Guide 12 Configuring ACL Operation ACL Configuration Select an action to be taken when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. Fragment With this option selected, the rule will be applied to all fragment packets except for the last fragment packet in the fragment packet group. T1500 series, T1600G-28TS and T1600G-28PS do not support this option. S-MAC/Mask Enter the source MAC address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. D-MAC/Mask Enter the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. VLAN ID Enter the ID number of the VLAN to which the ACL will apply. EtherType Specify the EtherType to be matched using 4 hexadecimal numbers. S-IP/Mask Enter the source IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. D-IP/Mask Enter the destination IP address with a mask. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. IP Protocol Select a protocol type from the drop-down list. The default is No Limit, which indicates that packets of all protocols will be matched. You can also select Userdefined to customize the IP protocol. TCP Flag If TCP protocol is selected, you can configure the TCP Flag to be used for the rule’s matching operations. There are six flags and each has three options, which are *, 0 and 1. The default is *, which indicates that the flag is not used for matching operations. URG: Urgent flag. ACK: Acknowledge flag. PSH: Push flag. RST: Reset flag. SYN: Synchronize flag. FIN: Finish flag. S-Port / D-Port If TCP/UDP is selected as the IP protocol, specify the source and destination port number with a mask. Value: Specify the port number. Mask: Specify the port mask with 4 hexadacimal numbers. DSCP Specify a DSCP value to be matched between 0 and 63. The default is No Limit. Configuration Guide 13 Configuring ACL ACL Configuration IP ToS Specify an IP ToS value to be matched between 0 and 15. The default is No Limit. IP Pre Specify an IP Precedence value to be matched to be matched between 0 and 7. The default is No Limit. User Priority Specify the User Priority to be matched. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page. Logging Enable Logging function for the ACL rule. Then the times that the rule is matched will be logged every 5 minutes and a related trap will be generated. You can refer to Total Matched Counter in the ACL Rules Table to view the matching times. 2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored. Figure 2-17 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected. Figure 2-18 Configuring Redirect Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port. Configuration Guide 14 Configuring ACL ACL Configuration 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters. Figure 2-19 Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support this option. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch. Figure 2-20 Configuring QoS Remark DSCP Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one. Local Priority Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one. 802.1p Priority Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one. 6) Click Apply. Configuring the IPv6 ACL Rule Click Edit ACL for an IPv6 ACL entry to load the following page. Configuration Guide 15 Configuring ACL Figure 2-21 ACL Configuration Configuring the IPv6 ACL Rule In ACL Rules Table section, click Figure 2-22 and the following page will appear. Configuring the IPv6 ACL Rule Follow these steps to configure the IPv6 ACL rule: 1) In the IPv6 ACL Rule section, configure the following parameters: Configuration Guide 16 Configuring ACL Rule ID ACL Configuration Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5. Operation Select an action to be taken when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. IPv6 Class Specify an IPv6 class value to be matched. The switch will check the class field of the IPv6 header. Flow Label Specify a Flow Label value to be matched. IPv6 Source IP Enter the source IPv6 address to be matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6 address but only the first 64 bits will be valid. Mask The mask is required if the source IPv6 address is entered. Enter the mask in complete format (for example, FFFF:FFFF:0000:FFFF). The IP address mask specifies which bits in the source IPv6 address to match the rule. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. IPv6 Destination IP Enter the destination IPv6 address to be matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6 address but only the first 64 bits will be valid. Mask The mask is required if the destination IPv6 address is entered. Enter the complete mask (for example, FFFF:FFFF:0000:FFFF). The IP address mask specifies which bits in the source IP address to match the rule. A value of 1 in the mask indicates that the corresponding bit in the address will be matched. IP Protocol Select a protocol type from the drop-down list. No Limit: Packets of all protocols will be matched. UDP: Specify the source port and destination port for the UDP packet to be matched. TCP: Specify the source port and destination port for the TCP packet to be matched. User-defined: You can customize an IP protocol. S-Port / D-Port If TCP/UDP is selected as the IP protocol, specify the source and destination port numbers. Configuration Guide 17 Configuring ACL ACL Configuration Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page. 2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored. Figure 2-23 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected. Figure 2-24 Configuring Redirect Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port. 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters. Figure 2-25 Configuring Rate Limit Configuration Guide 18 Configuring ACL ACL Configuration Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch. Figure 2-26 Configuring QoS Remark DSCP Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one. Local Priority Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one. 802.1p Priority Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one. 6) Click Apply. Configuring the Packet Content ACL Rule Only T2600G series support this feature. Click Edit ACL for a Packet Content ACL entry to load the following page. Configuration Guide 19 Configuring ACL Figure 2-27 ACL Configuration Configuring the Packet Content ACL Rule In the Packet Content Offset Profile Global Config section, configure the Chunk Offset. Click Apply. Chunk0 Offset/ Chunk1 Offset/ Chunk2 Offset/ Chunk3 Offset Enter the offset of a chunk. Packet Content ACL analyzes and processes data packets based on 4 chunk match conditions, and each chunk can specify a userdefined 4-byte segment carried in the packet’s first 128 bytes. Offset 31 matches the 127, 128, 1, 2 bytes of the packet, offset 0 matches the 3,4,5,6 bytes of the packet, and so on, for the rest of the offset value. Note: All 4 chunks must be set at the same time. In ACL Rules Table section, click and the following page will appear. Configuration Guide 20 Configuring ACL Figure 2-28 ACL Configuration Configuring the Packet Content ACL Rule Follow these steps to configure the Packet Content ACL rule: 1) In the Packet Content Rule section, configure the following parameters: Rule ID Enter an ID number to identify the rule. It should not be the same as any current rule ID in the same ACL. If you select Auto Assign, the rule ID will be assigned automatically and the interval between rule IDs is 5. Operation Select an action to be taken when a packet matches the rule. Permit: To forward the matched packets. Deny: To discard the matched packets. Chunk0-Chunk3 Specify the EtherType to be matched using 4 hexadecimal numbers. Configuration Guide 21 Configuring ACL ACL Configuration Chunk Value Enter the 4-byte value in hexadecimal for the desired chunk, like ‘0000ffff’. The Packet Content ACL will check this chunk of packets to examine if the packets match the rule or not. Chunk Mask Enter the 4-byte mask in hexadecimal for the desired chunk. The mask must be written completely in 4-byte hex mode, like ‘0000ffff’. The mask specifies which bits to match the rule. Time Range Select a time range during which the rule will take effect. The default value is No Limit, which means the rule is always in effect. The Time Range referenced here can be created on the SYSTEM > Time Range page. Logging Enable Logging function for the ACL rule. Then the times that the rule is matched will be logged every 5 minutes and a related trap will be generated. You can refer to Total Matched Counter in the ACL Rules Table to view the matching times. 2) In the Policy section, enable or disable the Mirroring feature for the matched packets. With this option enabled, choose a destination port to which the packets will be mirrored. Figure 2-29 Configuring Mirroring 3) In the Policy section, enable or disable the Redirect feature for the matched packets. With this option enabled, choose a destination port to which the packets will be redirected. Figure 2-30 Configuring Redirect Configuration Guide 22 Configuring ACL ACL Configuration Note: In the Mirroring feature, the matched packets will be copied to the destination port and the original forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded only on the destination port. 4) In the Policy section, enable or disable the Rate Limit feature for the matched packets. With this option enabled, configure the related parameters. Figure 2-31 Configuring Rate Limit Rate Specify the transmission rate for the matched packets. Burst Size Specify the maximum number of bytes allowed in one second. Out of Band Select the action for the packets whose rate is beyond the specified rate. None: The packets will be forwarded normally. Drop: The packets will be discarded. Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support this option. 5) In the Policy section, enable or disable the QoS Remark feature for the matched packets. With this option enabled, configure the related parameters, and the remarked values will take effect in the QoS processing on the switch. Figure 2-32 Configuring QoS Remark DSCP Specify the DSCP field for the matched packets. The DSCP field of the packets will be changed to the specified one. Local Priority Specify the local priority for the matched packets. The local priority of the packets will be changed to the specified one. 802.1p Priority Specify the 802.1p priority for the matched packets. The 802.1p priority of the packets will be changed to the specified one. 6) Click Apply. Configuration Guide 23 Configuring ACL ACL Configuration Viewing the ACL Rules The rules in an ACL are listed in ascending order of their rule IDs. The switch matches a received packet with the rules in order. When a packet matches a rule, the switch stops the match process and performs the action defined in the rule. Click Edit ACL for an entry you have created and you can view the rule table. We take IP ACL rules table for example. Figure 2-33 Viewing ACL Rules Table Here you can view and edit the ACL rules. You can also click Resequence to resequence the rules by providing a Start Rule ID and Step value. 2.1.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules. An ACL takes effect only after it is bound to a port or VLAN. Note: • Different types of ACLs cannot be bound to the same port or VLAN. • Multiple ACLs of the same type can be bound to the same port or VLAN. The switch matches the received packets using the ACLs in order. The ACL that is bound earlier has a higher priority. Binding the ACL to a Port Choose the menu SECURITY > ACL > ACL Binding > Port Binding and click the following page. to load Configuration Guide 24 Configuring ACL Figure 2-34 ACL Configuration Binding the ACL to a Port Follow these steps to bind the ACL to a Port: 1) Choose ID or Name to be used for matching the ACL. Then select an ACL from the drop-down list. 2) Specify the port to be bound. 3) Click Create. Binding the ACL to a VLAN Choose the menu SECURITY > ACL > ACL Binding > VLAN Binding to load the following page. Figure 2-35 Binding the ACL to a VLAN Follow these steps to bind the ACL to a VLAN: 1) Choose ID or Name to be used for matching the ACL. Then select an ACL from the drop-down list. 2) Enter the ID of the VLAN to be bound. 3) Click Create. Configuration Guide 25 Configuring ACL 2.2 ACL Configuration Using the CLI 2.2.1 Configuring Time Range Some ACL-based services or features may need to be limited to take effect only during a specified time period. In this case, you can configure a time range for the ACL. For details about Time Range Configuration, please refer to Managing System. 2.2.2 Configuring ACL Follow the steps to create different types of ACL and configure the ACL rules. You can define the rules based on source or destination IP address, source or destination MAC address, protocol type, port number and others. MAC ACL Follow these steps to configure MAC ACL: Step 1 configure Step 2 access-list create acl-id [name acl-name ] Enter global configuration mode. Create a MAC ACL. acl-id: Enter an ACL ID. The ID ranges from 0 to 499. acl-name: Enter a name to identify the ACL. Configuration Guide 26 Configuring ACL Step 3 ACL Configuration access-list mac acl-id-or-name rule { auto | rule-id } { deny | permit } logging {enable | disable} [ smac source-mac smask source-mac-mask ] [dmac destination-mac dmask destination-macmask ] [type ether-type] [pri dot1p-priority ] [vid vlan-id ] [tseg time-range-name ] Add a MAC ACL Rule. acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for. auto: The rule ID will be assigned automatically and the interval between rule IDs is 5. rule-id : Assign an ID to the rule. deny | permit: Specify the action to be taken with the packets that match the rule. By default, it is set to permit. The packets will be discarded if “deny” is selected and forwarded if “permit” is selected. logging {enable | disable}: Enable or disable Logging function for the ACL rule. If "enable" is selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter trap enabled, a related trap will be generated if the matching times changes. source-mac : Enter the source MAC address. The format is FF:FF:FF:FF:FF:FF. source-mac-mask : Enter the mask of the source MAC address. This is required if a source MAC address is entered. The format is FF:FF:FF:FF:FF:FF. destination-mac : Enter the destination MAC address. The format is FF:FF:FF:FF:FF:FF. destination-mac-mask : Enter the mask of the destination MAC address. This is required if a destination MAC address is entered. The format is FF:FF:FF:FF:FF:FF. ether-type: Specify an Ethernet-type with 4 hexadecimal numbers. dot1p-priority : The user priority ranges from 0 to 7. The default is No Limit. vlan-id : The VLAN ID ranges from 1 to 4094. time-range-name : The name of the time-range. The default is No Limit. Step 4 exit Step 5 show access-list [ acl-id-or-name ] Return to global configuration mode. Display the current ACL configuration. acl-id-or-name : The ID number or name of the ACL. Step 6 end Step 7 copy running-config startup-config Return to privileged EXEC mode. Save the settings in the configuration file. The following example shows how to create MAC ACL 50 and configure Rule 5 to permit packets with source MAC address 00:34:A2:D4:34:B5: Switch#configure Configuration Guide 27 Configuring ACL ACL Configuration Switch(config)#access-list create 50 Switch(config-mac-acl)#access-list mac 50 rule 5 permit logging disable smac 00:34:A2:D4:34:B5 smask FF:FF:FF:FF:FF:FF Switch(config-mac-acl)#exit Switch(config)#show access-list 50 MAC access list 50 name: ACL_50 rule 5 permit logging disable smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff Switch(config)#end Switch#copy running-config startup-config IP ACL Follow these steps to configure IP ACL: Step 1 configure Step 2 access-list create acl-id [name acl-name ] Enter global configuration mode. Create an IP ACL. acl-id: Enter an ACL ID. The ID ranges from 500 to 999. acl-name: Enter a name to identify the ACL. Configuration Guide 28 Configuring ACL Step 3 ACL Configuration access-list ip acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [sip sip-address sip-mask sip-address-mask ] [ dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value ] [pre pre-value ] [frag {enable | disable}] [protocol protocol [s-port s-port-number s-port-mask s-port-mask] [d-port d-port-number d-port-mask d-port-mask] [tcpflag tcpflag ]] [tseg time-range-name] Add rules to the ACL. acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for. auto: The rule ID will be assigned automatically and the interval between rule IDs is 5. rule-id : Assign an ID to the rule. deny | permit: Specify the action to be taken with the packets that match the rule. Deny means to discard; permit means to forward. By default, it is set to permit. logging {enable | disable}: Enable or disable Logging function for the ACL rule. If "enable" is selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter trap enabled, a related trap will be generated if the matching times changes. sip-address: Enter the source IP address. sip-address-mask: Enter the mask of the source IP address. This is required if a source IP address is entered. dip-address: Enter the destination IP address. dip-address-mask: Enter the mask of the destination IP address. This is required if a destination IP address is entered. dscp-value: Specify the DSCP value between 0 and 63. tos-value: Specify an IP ToS value to be matched between 0 and 15. pre-value: Specify an IP Precedence value to be matched between 0 and 7. frag {enable | disable}: Enable or disable matching of fragmented packets. The default is disable. When enabled, the rule will apply to all fragmented packets and always permit to forward the last fragment of a packet. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support this option. protocol: Specify a protocol number between 0 and 255. s-port-number: With TCP or UDP configured as the protocol, specify the source port number. s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4 hexadacimal numbers. d-port-number: With TCP or UDP configured as the protocol, specify the destination port number. d-port-mask: With TCP or UDP configured as the protocol, specify the destination port mask with 4 hexadacimal numbers. tcpflag: With TCP configured as the protocol, specify the flag value using either binary numbers or * (for example, 01*010*). The default is *, which indicates that the flag will not be matched. The flags are URG (Urgent flag), ACK (Acknowledge Flag), PSH (Push Flag), RST (Reset Flag), SYN (Synchronize Flag) and FIN (Finish Flag). time-range-name: The name of the time-range. The default is No Limit. Configuration Guide 29 Configuring ACL ACL Configuration Step 4 end Step 5 copy running-config startup-config Return to privileged EXEC mode. Save the settings in the configuration file. The following example shows how to create IP ACL 600, and configure Rule 1 to permit packets with source IP address 192.168.1.100: Switch#configure Switch(config)#access-list create 600 Switch(config)#access-list ip 600 rule 1 permit logging disable sip 192.168.1.100 sipmask 255.255.255.255 Switch(config)#show access-list 600 IP access list 600 name: ACL_600 rule 1 permit logging disable sip 192.168.1.100 smask 255.255.255.255 Switch(config)#end Switch#copy running-config startup-config Combined ACL Follow these steps to configure Combined ACL: Step 1 configure Step 2 access-list create acl-id [name acl-name ] Enter global configuration mode Create a Combined ACL. acl-id: Enter an ACL ID. The ID ranges from 1000 to 1499. acl-name: Enter a name to identify the ACL. Configuration Guide 30 Configuring ACL Step 3 ACL Configuration access-list combined acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [smac source-mac-address smask source-mac-mask ] [dmac dest-mac-address dmask dest-mac-mask ] [vid vlan-id ] [type ether-type ] [pri priority ] [sip sip-address sip-mask sipaddress-mask ] [dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value] [pre pre-value] [frag {enable | disable}] [protocol protocol [s-port s-port-number s-port-mask s-port-mask ] [d-port d-port-number d-port-mask d-port-mask] [tcpflag tcpflag ]] [tseg timerange-name ] Add rules to the ACL. acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for. auto: The rule ID will be assigned automatically and the interval between rule IDs is 5. rule-id : Assign an ID to the rule. deny | permit: Specify the action to be taken with the packets that match the rule. Deny means to discard; permit means to forward. By default, it is set to permit. logging {enable | disable}: Enable or disable Logging function for the ACL rule. If "enable" is selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter trap enabled, a related trap will be generated if the matching times changes. source-mac-address : Enter the source MAC address. source-mac-mask : Enter the source MAC address mask. dest-mac-address : Enter the destination MAC address. dest-mac-mask : Enter the destination MAC address mask. This is required if a destination MAC address is entered. vlan-id : The VLAN ID ranges from 1 to 4094. ether-type : Specify the Ethernet-type with 4 hexadecimal numbers. priority : The user priority ranges from 0 to 7. The default is No Limit. sip-address : Enter the source IP address. sip-address-mask : Enter the mask of the source IP address. It is required if source IP address is entered. dip-address : This is required if a source IP address is entered. dip-address-mask : Enter the destination IP address mask. This is required if a destination IP address is entered. dscp-value: Specify the DSCP value between 0 and 63. tos-value: Specify an IP ToS value to be matched between 0 and 15. pre-value: Specify an IP Precedence value to be matched between 0 and 7. Configuration Guide 31 Configuring ACL ACL Configuration frag {enable | disable}: Enable or disable matching of fragmented packets. The default is disable. When enabled, the rule will apply to all fragmented packets and always permit to forward the last fragment of a packet. protocol: Specify a protocol number between 0 and 255. s-port-number: With TCP or UDP configured as the protocol, specify the source port number. s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4 hexadacimal numbers. d-port-number: With TCP or UDP configured as the protocol, specify the destination port number. d-port-mask: With TCP or UDP configured as the protocol, specify the destination port mask with 4 hexadacimal numbers. tcpflag: With TCP configured as the protocol, specify the flag value using either binary numbers or * (for example, 01*010*). The default is *, which indicates that the flag will not be matched. The flags are URG (Urgent flag), ACK (Acknowledge Flag), PSH (Push Flag), RST (Reset Flag), SYN (Synchronize Flag), and FIN (Finish Flag). time-range-name : The name of the time-range. The default is No Limit. Step 4 end Step 5 copy running-config startup-config Return to privileged EXEC mode. Save the settings in the configuration file. The following example shows how to create Combined ACL 1100 and configure Rule 1 to deny packets with source IP address 192.168.3.100 in VLAN 2: Switch#configure Switch(config)#access-list create 1100 Switch(config)#access-list combined 1100 logging disable rule 1 permit vid 2 sip 192.168.3.100 sip‑mask 255.255.255.255 Switch(config)#show access-list 2600 Combined access list 2600 name: ACL_2600 rule 1 permit logging disable vid 2 sip 192.168.3.100 sip-mask 255.255.255.255 Switch(config)#end Switch#copy running-config startup-config IPv6 ACL Follow these steps to configure IPv6 ACL: Step 1 configure Enter global configuration mode Configuration Guide 32 Configuring ACL Step 2 ACL Configuration access-list create acl-id [name acl-name ] Create an IPv6 ACL. acl-id: Enter an ACL ID. The ID ranges from 1500 to 1999. acl-name: Enter a name to identify the ACL. Step 3 access-list ipv6 acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [class class-value] [flow-label flow-label-value ] [sip source-ip-address sip-mask source-ip-mask ] [dip destination-ip-address dip-mask destination-ip-mask ] [s-port source-port-number ] [d-port destination-port-number ] [tseg time-range-name] Add rules to the ACL. acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for. auto: The rule ID will be assigned automatically and the interval between rule IDs is 5. rule-id : Assign an ID to the rule. deny | permit: Specify the action to be taken with the packets that match the rule. Deny means to discard; permit means to forward. By default, it is set to permit. logging {enable | disable}: Enable or disable Logging function for the ACL rule. If "enable" is selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter trap enabled, a related trap will be generated if the matching times changes. class-value : Specify a class value to be matched. It ranges from 0 to 63. flow-label-value : Specify a Flow Label value to be matched. source-ip-address: Enter the source IP address. Enter the destination IPv6 address to be matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6 address but only the first 64 bits will be valid. source-ip-mask: Enter the source IP address mask. The mask is required if the source IPv6 address is entered. Enter the mask in complete format (for example, ffff:ffff:0000:ffff). The mask specifies which bits in the source IPv6 address to match the rule. destination-ip-address : Enter the destination IPv6 address to be matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6 addresses but only the first 64 bits will be valid. destination-ip-mask: Enter the source IP address mask. The mask is required if the source IPv6 address is entered. Enter the mask in complete format (for example, ffff:ffff:0000:ffff). The mask specifies which bits in the source IPv6 address to match the rule. source-port-number : Enter the TCP/UDP source port if TCP/UDP protocol is selected. destination-port-number : Enter the TCP/UDP destination port if TCP/UDP protocol is selected. time-range-name : The name of the time-range. The default is No Limit. Step 4 end Step 5 copy running-config startup-config Return to privileged EXEC mode. Save the settings in the configuration file. Configuration Guide 33 Configuring ACL ACL Configuration The following example shows how to create IPv6 ACL 1600 and configure Rule 1 to deny packets with source IPv6 address CDCD:910A:2222:5498:8475:1111:3900:2020: Switch#configure Switch(config)#access-list create 1600 Switch(config)#access-list ipv6 1600 rule 1 deny logging disable sip CDCD:910A:2222:5498:8475:1111:3900:2020 sip-mask ffff:ffff:ffff:ffff Switch(config)#show access-list 1600 IPv6 access list 1600 name: ACL_1600 rule 1 deny logging disable sip cdcd:910a:2222:5498:8475:1111:3900:2020 sip-mask ffff:ff ff:ffff:ffff Switch(config)#end Switch#copy running-config startup-config Packet Content ACL Only T2600G series support this feature. Follow these steps to configure Packet Content ACL: Step 1 configure Step 2 access-list create acl-id [name acl-name ] Enter global configuration mode Create a Packet Content ACL. acl-id: Enter an ACL ID. The ID ranges from 2000 to 2499. acl-name: Enter a name to identify the ACL. Step 3 access-list packet-content profile chunk-offset0 offset0 chunk-offset1 offset1 chunk-offset2 offset2 chunk-offset3 offset3 Specify the offset of each chunk, all the 4 chunks must be set at the same time. offset0 -offset3 : Specify the offset of each chunk, the value ranges from 0 to 31. When the offset is set as 31, it matches the first 127,128, 1, 2 bytes of the packet; when the offset is set as 0, it matches the 3, 4, 5, 6 bytes, and so on, for the rest of the offset value. Configuration Guide 34 Configuring ACL Step 4 ACL Configuration access-list packet-content config acl-id-or-name rule { auto | rule-id } {deny | permit} logging { enable | disable } [chunk0 value mask0 mask ] [chunk1 value mask1 mask ] [chunk2 value mask2 mask ] [chunk3 value mask3 mask ] [tseg time-range-name] Add rules to the ACL. acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for. auto: The rule ID will be assigned automatically and the interval between rule IDs is 5. rule-id : Assign an ID to the rule. deny | permit: Specify the action to be taken with the packets that match the rule. Deny means to discard; permit means to forward. By default, it is set to permit. logging { enable | disable} : Enable or disable Logging function for the ACL rule. If "enable" is selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter trap enabled, a related trap will be generated if the matching times changes. value : Enter the 4-byte value in hexadecimal for the desired chunk, like ‘0000ffff’. The Packet Content ACL will check this chunk of packets to examine if the packets match the rule or not. mask: Enter the 4-byte mask in hexadecimal for the desired chunk. The mask must be written completely in 4-byte hex mode, like ‘0000ffff’. The mask specifies which bits to match the rule. time-range-name : The name of the time-range. The default is No Limit. Step 5 end Step 6 copy running-config startup-config Return to privileged EXEC mode. Save the settings in the configuration file. The following example shows how to create Packet Content ACL 2000, and deny the packets with the value of its chunk1 0x58: Switch#configure Switch(config)#access-list create 2000 Switch(config)#access-list packet-content profile chunk-offset0 offset0 chunk-offset1 offset1 chunk-offset2 offset2 chunk-offset3 offset3 Switch(config)#packet-content config 2000 rule 10 deny logging disable chunk1 58 mask1 ffffffff Switch(config)#show access-list 2000 Packet content access list 2000 name: ACL_2000 rule 10 deny logging disable chunk1 value 0x58 mask 0xffffffff Switch(config)#end Switch#copy running-config startup-config Configuration Guide 35 Configuring ACL ACL Configuration Resequencing Rules You can resequence the rules by providing a Start Rule ID and Step value. Step 1 configure Step 2 access-list resequence acl-id-or-name start start-rule-id step rule-id-step-value Enter global configuration mode. Resequence the rules of the specific ACL. acl-id-or-name : Enter the ID or name of the ACL. start-rule-id : Enter the start rule ID. rule-id-step-value : Enter the Step value. Step 3 end Step 4 copy running-config startup-config Return to privileged EXEC mode. Save the settings in the configuration file. The following example shows how to resequence the rules of MAC ACL 100: set the start rule ID as 1 and the step value as 10: Switch#configure Switch(config)#access-list resequence 100 start 1 step 10 Switch(config)#show access-list 100 MAC access list 100 name: “ACL_100” rule 1 deny logging disable smac aa:bb:cc:dd:ee:ff smask ff:ff:ff:ff:ff:ff rule 11 permit logging disable vid 18 rule 21 permit logging disable dmac aa:cc:ee:ff:dd:33 dmask ff:ff:ff:ff:ff:ff Switch(config)#end Switch#copy running-config startup-config 2.2.3 Configuring Policy Policy allows you to further process the matched packets through operations such as mirroring, rate-limiting, redirecting, or changing priority. Follow the steps below to configure the policy actions for an ACL rule. Step 1 configure Enter global configuration mode. Configuration Guide 36 Configuring ACL Step 2 ACL Configuration access-list action acl-id-or-name rule rule-id Configure the policy actions for an ACL rule. acl-id-or-name : Enter the ID or name of the ACL. rule-id : Enter the ID of the ACL rule. Step 3 redirect interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to redirect the matched packets to the desired port. port : The destination port to which the packets will be redirected. The default is All. s-mirror interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port } (Optional) Define the policy to mirror the matched packets to the desired port. port : The destination port to which the packets will be mirrored. s-condition rate rate burst burst-size osd { none | discard | remark dscp dscp } (Optional) Define the policy to monitor the rate of the matched packets. rate : Specify a rate from 1 to 1000000 kbps. burst-size : Specify the number of bytes allowed in one second ranging from 1 to 128. osd: Select either “none”, “discard” or “remark dscp” as the action to be taken for the packets whose rate is beyond the specified rate. The default is None. When “remark dscp” is selected, you also need to specify the DSCP value for the matched packets. The DSCP value ranges from 0 to 63. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support DSCP option. qos-remark [dscp dscp ] [ priority pri ] [ dot1p pri ] (Optional) Define the policy to remark priority for the matched packets. dscp : Specify the DSCP region for the data packets. The value ranges from 0 to 63. priority pri : Specify the local priority for the data packets. The value ranges from 0 to 7. dot1p pri: Specify the 802.1p priority for the data packets. The value ranges from 0 to 7. Step 4 end Step 5 copy running-config startup-config Return to privileged EXEC mode. Save the settings in the configuration file. Redirect the matched packets to port 1/0/4 for rule 1 of MAC ACL 10: Switch#configure Switch(config)#access-list action 10 rule 1 Configuration Guide 37 Configuring ACL ACL Configuration Switch(config-action)#redirect interface gigabitEthernet 1/0/4 Switch(config-action)#exit Switch(config)#show access-list 10 MAC access list 10 name: ACL_10 rule 5 permit logging disable action redirect Gi1/0/4 Switch(config)#end Switch#copy running-config startup-config 2.2.4 Configuring ACL Binding You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN will then be matched and processed according to the ACL rules. An ACL takes effect only after it is bound to a port or VLAN. Note: • Different types of ACLs cannot be bound to the same port or VLAN. • Multiple ACLs of the same type can be bound to the same port or VLAN. The switch matches the received packets using the ACLs in order. The ACL that is bound earlier has a higher priority. Follow the steps below to bind ACL to a port or a VLAN: Step 1 configure Step 2 access-list bind acl-id-or-name interface { [ vlan vlan-list ] | [ fastEthernet port-list ] | [ gigabitEthernet port-list ] | [ ten-gigabitEthernet port-list ] } Enter global configuration mode Bind the ACL to a port or a VLAN. acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for. vlan-list : Specify the ID or the ID list of the VLAN(s) that you want to bind the ACL to. The valid values are from 1 to 4094, for example, 2-3,5. port-list : Specify the number or the list of the Ethernet port that you want to bind the ACL to. Step 3 show access-list bind Step 4 end Step 5 copy running-config startup-config View the ACL binding configuration. Return to privileged EXEC mode. Save the settings in the configuration file. The following example shows how to bind ACL 1 to port 3 and VLAN 4: Configuration Guide 38 Configuring ACL ACL Configuration Switch#configure Switch(config)#access-list bind 1 interface vlan 4 gigabitEthernet 1/0/3 SSwitch(config)#show access-list bind ACL ID ACL NAME Interface/VID Direction Type ----- ---------- ------------- ------- ---- 1 ACL_1 Gi1/0/3 Ingress Port 1 ACL_1 Ingress VLAN 4 Switch(config)#end Switch#copy running-config startup-config 2.2.5 Viewing ACL Counting You can use the following command to view the number of matched packets of each ACL in the privileged EXEC mode and any other configuration mode: show access-list acl-id-or-name counter View the number of matched packets of the specific ACL. acl-id-or-name: Specify the ID or name of the ACL to be viewed. Configuration Guide 39 Configuring ACL Configuration Example for ACL 3 Configuration Example for ACL 3.1 Network Requirements As shown below, a company’s internal server group can provide different types of services. Computers in the Marketing department are connected to the switch via port 1/0/1 , and the internal server group is connected to the switch via port 1/0/2. Figure 3-1 Network Topology Gi1/0/2 Gi1/0/1 Server Group IP: 10.10.80.0/24 Marketing IP: 10.10.70.0/24 It is required that: The Marketing department can only access internal server group in the intranet. The Marketing department can only visit http and https websites on the internet. 3.2 Configuration Scheme To meet the requirements above, you can set up packet filtering by creating an IP ACL and configuring rules for it. ACL Configuration Create an IP ACL and configure the following rules for it: Configuration Guide 40 Configuring ACL Configuration Example for ACL Configure a permit rule to match packets with source IP address 10.10.70.0/24, and destination IP address 10.10.80.0/24. This rule allows the Marketing department to access internal network servers from intranet. Configure four permit rules to match the packets with source IP address 10.10.70.0/24, and destination ports TCP 80, TCP 443 and TCP/UDP 53. These allow the Marketing department to visit http and https websites on the internet. Configure a deny rule to match the packets with source IP address 10.10.70.0/24. This rule blocks other network services. The switch matches the packets with the rules in order, starting with Rule 1. If a packet matches a rule, the switch stops the matching process and initiates the action defined in the rule. Binding Configuration Bind the IP ACL to port 1/0/1 so that the ACL rules will apply to the Marketing department only. Demonstrated with T2600G-28TS, the following sections explain the configuration procedure in two ways: using the GUI and using the CLI. 3.3 Using the GUI 1) Choose the menu SECURITY > ACL > ACL Config and click page. Then create an IP ACL for the marketing department. Figure 3-2 to load the following Creating an IP ACL 2) Click Edit ACL in the Operation column. Configuration Guide 41 Configuring ACL Figure 3-3 Configuration Example for ACL Editing IP ACL 3) On the ACL configuration page, click Figure 3-4 . Editing IP ACL 4) Configure rule 1 to permit packets with the source IP address 10.10.70.0/24 and destination IP address 10.10.80.0/24. Figure 3-5 Configuring Rule 1 Configuration Guide 42 Configuring ACL Configuration Example for ACL 5) In the same way, configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0 and destination port TCP 80 (http service port) and TCP 443 (https service port). Figure 3-6 Configuring Rule 2 Configuration Guide 43 Configuring ACL Figure 3-7 Configuration Example for ACL Configuring Rule 3 Configuration Guide 44 Configuring ACL Configuration Example for ACL 6) In the same way, configure rule 4 and rule 5 to permit packets with source IP 10.10.70.0 and with destination port TCP 53 or UDP 53 (DNS service port). Figure 3-8 Configuring Rule 4 Configuration Guide 45 Configuring ACL Figure 3-9 Configuration Example for ACL Configuring Rule 5 7) In the same way, configure rule 6 to deny packets with source IP 10.10.70.0. Figure 3-10 Configuring Rule 6 Configuration Guide 46 Configuring ACL Configuration Example for ACL 8) Choose the menu SECURITY > ACL > ACL Binding and click following page. Bind Policy Market to port 1/0/1 to make it take effect. Figure 3-11 9) Click 3.4 to load the Binding the Policy to Port 1/0/1 to save the settings. Using the CLI 1) Create an IP ACL. Switch#configure Switch(config)#access-list create 500 name marketing 2) Configure rule 1 to permit packets with source IP 10.10.70.0/24 and destination IP 10.10.80.0/24. Switch(config)#access-list ip 500 rule 1 permit logging disable sip 10.10.70.0 sip-mask 255.255.255.0 dip 10.10.80.0 dmask 255.255.255.0 3) Configure rule 2 and Rule 3 to permit packets with source IP 10.10.70.0/24, and destination port TCP 80 (http service port) or TCP 443 (https service port). Switch(config)#access-list ip 500 rule 2 permit logging disable sip 10.10.70.0 sip-mask 255.255.255.0 protocol 6 d-port 80 d-port-mask ffff Switch(config)#access-list ip 500 rule 3 permit logging disable sip 10.10.70.0 sip-mask 255.255.255.0 protocol 6 d-port 443 d-port-mask ffff 4) Configure rule 4 and rule 5 to permit packets with source IP 10.10.70.0/24, and destination port TCP53 or UDP 53. Switch(config)#access-list ip 500 rule 4 permit logging disable sip 10.10.70.0 sip-mask 255.255.255.0 protocol 6 d-port 53 d-port-mask ffff Configuration Guide 47 Configuring ACL Configuration Example for ACL Switch(config)#access-list ip 500 rule 5 permit logging disable sip 10.10.70.0 sip-amask 255.255.255.0 protocol 17 d-port 53 d-port-mask ffff 5) Configure rule 6 to deny packets with source IP 10.10.70.0/24. Switch(config)#access-list ip 500 rule 2 deny logging disable sip 10.10.70.0 sip-mask 255.255.255.0 6) Bind ACL500 to port 1. Switch(config)#access-list bind 500 interface gigabitEthernet 1/0/1 Switch(config)#end Switch#copy running-config startup-config Verify the Configurations Verify the IP ACL 500: Switch#show access-list 500 rule 1 permit logging disable sip 10.10.70.0 smask 255.255.255.0 dip 10.10.80.0 dmask 255.255.255.0 rule 2 permit logging disable sip 10.10.70.0 smask 255.255.255.0 protocol 6 d-port 80 rule 3 permit logging disable sip 10.10.70.0 smask 255.255.255.0 protocol 6 d-port 443 rule 4 permit logging disable sip 10.10.70.0 smask 255.255.255.0 protocol 6 d-port 53 rule 5 permit logging disable sip 10.10.70.0 smask 255.255.255.0 protocol 17 d-port 53 rule 6 deny logging disable sip 10.10.70.0 smask 255.255.255.0 Switch#show access-list bind ACL ID ACL NAME Interface/VID Direction Type ------ -------- ------------- -------- 500 marketing Gi1/0/1 Ingress ---Port Configuration Guide 48 Configuring ACL 4 Appendix: Default Parameters Appendix: Default Parameters The default settings of ACL are listed in the following tables: Table 4-1 MAC ACL Parameter Default Setting Operation Permit User Priority No Limit Time-Range No Limit Table 4-2 IP ACL Parameter Default Setting Operation Permit IP Protocol All DSCP No Limit IP ToS No Limit IP Pre No Limit Time-Range No Limit Table 4-3 IPv6 ACL Parameter Default Setting Operation Permit Time-Range No Limit Table 4-4 Combined ACL Parameter Default Setting Operation Permit Time-Range No Limit Configuration Guide 49 Configuring ACL Table 4-5 Appendix: Default Parameters Packet Content ACL Parameter Default Setting Operation Permit Time-Range No Limit Table 4-6 Policy Parameter Default Setting Mirroring Disabled Redirect Disabled Rate Limit Disabled QoS Remark Disabled Configuration Guide 50
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.5 Linearized : No XMP Toolkit : Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03 Create Date : 2018:03:01 18:59:19+08:00 Metadata Date : 2018:03:01 19:00:30+08:00 Modify Date : 2018:03:01 19:00:30+08:00 Creator Tool : Adobe InDesign CC 2015 (Windows) Instance ID : uuid:e5833def-ce10-4dbd-b8ab-152cd2bb2476 Original Document ID : xmp.did:73e61f8d-0acf-b64b-825e-637dfa91f942 Document ID : xmp.id:593e2fd0-437e-b445-b5f9-f32a73837d29 Rendition Class : proof:pdf Derived From Instance ID : xmp.iid:733f606a-0feb-0c4d-981b-61dfeaf2d95a Derived From Document ID : xmp.did:67894495-4ef7-8140-b4c7-685996004f49 Derived From Original Document ID: xmp.did:73e61f8d-0acf-b64b-825e-637dfa91f942 Derived From Rendition Class : default History Action : converted History Parameters : from application/x-indesign to application/pdf History Software Agent : Adobe InDesign CC 2015 (Windows) History Changed : / History When : 2018:03:01 18:59:19+08:00 Format : application/pdf Producer : Adobe PDF Library 15.0 Trapped : False Page Count : 51 Creator : Adobe InDesign CC 2015 (Windows)EXIF Metadata provided by EXIF.tools