Configuring Acl

2018-03-02

: Tp-Link Configuring Acl configuring_acl configurationguide

Open the PDF directly: View PDF PDF.
Page Count: 51

DownloadConfiguring Acl
Open PDF In BrowserView PDF
Configuring ACL
CHAPTERS
1. Overview

2. ACL Configuration

3. Configuration Example for ACL
4. Appendix: Default Parameters

Configuring ACL

Overview

This guide applies to:

T1500G-10PS v2 or above, T1500G-8T v2 or above, T1500G-10MPS v2 or above, T1500-28PCT v3 or above,
T1600G-52TS v3 or above, T1600G-52PS v3 or above, T1600G-28PS v3 or above, T1600G-28TS v3 or above,
T1600G-18TS v2 or above, T2600G-52TS v3 or above, T2600G-28TS v3 or above, T2600G-28MPS v3 or
above, T2600G-28SQ v1 or above.

1

Overview
ACL (Access Control List) filters traffic as it passes through a switch, and permits or denies
packets crossing specified interfaces or VLANs. It accurately identifies and processes
the packets based on the ACL rules. In this way, ACL helps to limit network traffic, manage
network access behaviors, forward packets to specified ports and more.
To configure ACL, follow these steps:

1) Configure a time range during which the ACL is in effect.

2) Create an ACL and configure the rules to filter different packets.
3) Bind the ACL to a port or VLAN to make it effective.

Configuration Guidelines
 A packet “matches” an ACL rule when it meets the rule’s matching criteria. The resulting
action will be either to “permit” or “deny” the packet that matches the rule.
 If no ACL rule is configured, the packets will be forwarded without being processed by
the ACL. If there is configured ACL rules and no matching rule is found, the packets will
be dropped.

Configuration Guide

1

Configuring ACL

ACL Configuration

2

ACL Configuration

2.1

Using the GUI

2.1.1 Configuring Time Range
Some ACL-based services or features may need to be limited to take effect only during a
specified time period. In this case, you can configure a time range for the ACL. For details
about Time Range configuration, please refer to Managing System.

2.1.2 Creating an ACL
You can create different types of ACL and define the rules based on source MAC or IP
address, destination MAC or IP address, protocol type, port number and so on.
MAC ACL: MAC ACL uses source and destination MAC address for matching operations.
IP ACL: IP ACL uses source and destination IP address, IP protocols and so on for matching
operations.
Combined ACL: Combined ACL uses source and destination MAC address, and source
and destination IP address for matching operations.
IPv6 ACL: IPv6 ACL uses source and destination IPv6 address for matching operations.
Packet Content ACL: Packet Content ACL analyzes and processes data packets based on
4 chunk match conditions, each chunk can specify a user-defined 4-byte segment carried
in the packet’s first 128 bytes. Only T2600G series support this feature.
Choose the menu SECURITY > ACL > ACL Config and click
page.
Figure 2-1

to load the following

Creating an ACL

Follow these steps to create an ACL:

1) Choose one ACL type and enter a number to identify the ACL.
Configuration Guide

2

Configuring ACL

ACL Configuration

2) (Optional) Assign a name to the ACL.
3) Click Create.
Note:

The supported ACL type and ID range varies on different switch models. Please refer to the on-screen
information.

2.1.3 Configuring ACL Rules
The created ACL will be displayed on the SECURITY > ACL > ACL Config page.
Figure 2-2

Editing ACL

Click Edit ACL in the Operation column. Then you can configure rules for this ACL.
The following sections introduce how to configure MAC ACL, IP ACL, Combined ACL, IPv6
ACL and Packet Content ACL.

Configuring MAC ACL Rule

Click Edit ACL for a MAC ACL entry to load the following page.
Figure 2-3

Configuring the MAC ACL Rule

In ACL Rules Table section, click

and the following page will appear.

Configuration Guide

3

Configuring ACL

Figure 2-4

ACL Configuration

Configuring the MAC ACL Rule

Follow these steps to configure the MAC ACL rule:

1) In the MAC ACL Rule section, configure the following parameters:
Rule ID

Enter an ID number to identify the rule.
It should not be the same as any current rule ID in the same ACL. If you select
Auto Assign, the rule ID will be assigned automatically and the interval between
rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.
Permit: To forward the matched packets.
Deny: To discard the matched packets.

S-MAC/Mask

Enter the source MAC address with a mask. A value of 1 in the mask indicates
that the corresponding bit in the address will be matched.

D-MAC/Mask

Enter the destination MAC address with a mask. A value of 1 in the mask indicates
that the corresponding bit in the address will be matched.

VLAN ID

Enter the ID number of the VLAN to which the ACL will apply.

Configuration Guide

4

Configuring ACL

ACL Configuration

EtherType

Specify the EtherType to be matched using 4 hexadecimal numbers.

User Priority

Specify the User Priority to be matched.

Time Range

Select a time range during which the rule will take effect. The default value is No
Limit, which means the rule is always in effect. The Time Range referenced here
can be created on the SYSTEM > Time Range page.

Logging

Enable Logging function for the ACL rule. Then the times that the rule is matched
will be logged every 5 minutes and a related trap will be generated. You can refer
to Total Matched Counter in the ACL Rules Table to view the matching times.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
mirrored.
Figure 2-5

Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
redirected.
Figure 2-6

Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original
forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded
only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets.
With this option enabled, configure the related parameters.
Configuration Guide

5

Configuring ACL

Figure 2-7

ACL Configuration

Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.
None: The packets will be forwarded normally.
Drop: The packets will be discarded.
Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets
will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS
and T1600G-28PS do not support this option.

5) In the Policy section, enable or disable the QoS Remark feature for the matched
packets. With this option enabled, configure the related parameters, and the remarked
values will take effect in the QoS processing on the switch.
Figure 2-8

Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets
will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the
packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the
packets will be changed to the specified one.

6) Click Apply.

Configuring IP ACL Rule

Click Edit ACL for an IP ACL entry to load the following page.

Configuration Guide

6

Configuring ACL

Figure 2-9

ACL Configuration

Configuring the IP ACL Rule

In ACL Rules Table section, click
Figure 2-10

and the following page will appear.

Configuring the IP ACL Rule

Follow these steps to configure the IP ACL rule:
Configuration Guide

7

Configuring ACL

ACL Configuration

1) In the IP ACL Rule section, configure the following parameters:
Rule ID

Enter an ID number to identify the rule.
It should not be the same as any current rule ID in the same ACL. If you select
Auto Assign, the rule ID will be assigned automatically and the interval between
rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.
Permit: To forward the matched packets.
Deny: To discard the matched packets.

Fragment

With this option selected, the rule will be applied to all fragment packets except
for the last fragment packet in the fragment packet group.
T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support
this option.

S-IP/Mask

Enter the source IP address with a mask. A value of 1 in the mask indicates that
the corresponding bit in the address will be matched.

D-IP/Mask

Enter the destination IP address with a mask. A value of 1 in the mask indicates
that the corresponding bit in the address will be matched.

IP Protocol

Select a protocol type from the drop-down list. The default is No Limit, which
indicates that packets of all protocols will be matched. You can also select Userdefined to customize the IP protocol.

TCP Flag

If TCP protocol is selected, you can configure the TCP Flag to be used for the
rule’s matching operations. There are six flags and each has three options,
which are *, 0 and 1. The default is *, which indicates that the flag is not used for
matching operations.
URG: Urgent flag.
ACK: Acknowledge flag.
PSH: Push flag.
RST: Reset flag.
SYN: Synchronize flag.
FIN: Finish flag.

S-Port / D-Port

If TCP/UDP is selected as the IP protocol, specify the source and destination
port number with a mask.
Value: Specify the port number.
Mask: Specify the port mask with 4 hexadacimal numbers.

DSCP

Specify a DSCP value to be matched between 0 and 63. The default is No Limit.

IP ToS

Specify an IP ToS value to be matched between 0 and 15. The default is No Limit.

Configuration Guide

8

Configuring ACL

ACL Configuration

IP Pre

Specify an IP Precedence value to be matched to be matched between 0 and 7.
The default is No Limit.

Time Range

Select a time range during which the rule will take effect. The default value is No
Limit, which means the rule is always in effect. The Time Range referenced here
can be created on the SYSTEM > Time Range page.

Logging

Enable Logging function for the ACL rule. Then the times that the rule is matched
will be logged every 5 minutes and a related trap will be generated. You can refer
to Total Matched Counter in the ACL Rules Table to view the matching times.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
mirrored.
Figure 2-11

Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
redirected.
Figure 2-12

Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original
forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded
only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets.
With this option enabled, configure the related parameters.

Configuration Guide

9

Configuring ACL

Figure 2-13

ACL Configuration

Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.
None: The packets will be forwarded normally.
Drop: The packets will be discarded.
Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets
will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS
and T1600G-28PS do not support this option.

5) In the Policy section, enable or disable the QoS Remark feature for the matched
packets. With this option enabled, configure the related parameters, and the remarked
values will take effect in the QoS processing on the switch.
Figure 2-14

Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets
will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the
packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the
packets will be changed to the specified one.

6) Click Apply.

Configuring Combined ACL Rule

Click Edit ACL for a Combined ACL entry to load the following page.

Configuration Guide

10

Configuring ACL

Figure 2-15

ACL Configuration

Configuring the Combined ACL Rule

In ACL Rules Table section, click

and the following page will appear.

Configuration Guide

11

Configuring ACL

Figure 2-16

ACL Configuration

Configuring the Combined ACL Rule

Follow these steps to configure the Combined ACL rule:

1) In the Combined ACL Rule section, configure the following parameters:
Rule ID

Enter an ID number to identify the rule.
It should not be the same as any current rule ID in the same ACL. If you select
Auto Assign, the rule ID will be assigned automatically and the interval between
rule IDs is 5.

Configuration Guide

12

Configuring ACL

Operation

ACL Configuration

Select an action to be taken when a packet matches the rule.
Permit: To forward the matched packets.
Deny: To discard the matched packets.

Fragment

With this option selected, the rule will be applied to all fragment packets except
for the last fragment packet in the fragment packet group.
T1500 series, T1600G-28TS and T1600G-28PS do not support this option.

S-MAC/Mask

Enter the source MAC address with a mask. A value of 1 in the mask indicates
that the corresponding bit in the address will be matched.

D-MAC/Mask

Enter the destination IP address with a mask. A value of 1 in the mask indicates
that the corresponding bit in the address will be matched.

VLAN ID

Enter the ID number of the VLAN to which the ACL will apply.

EtherType

Specify the EtherType to be matched using 4 hexadecimal numbers.

S-IP/Mask

Enter the source IP address with a mask. A value of 1 in the mask indicates that
the corresponding bit in the address will be matched.

D-IP/Mask

Enter the destination IP address with a mask. A value of 1 in the mask indicates
that the corresponding bit in the address will be matched.

IP Protocol

Select a protocol type from the drop-down list. The default is No Limit, which
indicates that packets of all protocols will be matched. You can also select Userdefined to customize the IP protocol.

TCP Flag

If TCP protocol is selected, you can configure the TCP Flag to be used for the
rule’s matching operations. There are six flags and each has three options,
which are *, 0 and 1. The default is *, which indicates that the flag is not used for
matching operations.
URG: Urgent flag.
ACK: Acknowledge flag.
PSH: Push flag.
RST: Reset flag.
SYN: Synchronize flag.
FIN: Finish flag.

S-Port / D-Port

If TCP/UDP is selected as the IP protocol, specify the source and destination
port number with a mask.
Value: Specify the port number.
Mask: Specify the port mask with 4 hexadacimal numbers.

DSCP

Specify a DSCP value to be matched between 0 and 63. The default is No Limit.

Configuration Guide

13

Configuring ACL

ACL Configuration

IP ToS

Specify an IP ToS value to be matched between 0 and 15. The default is No Limit.

IP Pre

Specify an IP Precedence value to be matched to be matched between 0 and 7.
The default is No Limit.

User Priority

Specify the User Priority to be matched.

Time Range

Select a time range during which the rule will take effect. The default value is No
Limit, which means the rule is always in effect. The Time Range referenced here
can be created on the SYSTEM > Time Range page.

Logging

Enable Logging function for the ACL rule. Then the times that the rule is matched
will be logged every 5 minutes and a related trap will be generated. You can refer
to Total Matched Counter in the ACL Rules Table to view the matching times.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
mirrored.
Figure 2-17

Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
redirected.
Figure 2-18

Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original
forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded
only on the destination port.

Configuration Guide

14

Configuring ACL

ACL Configuration

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets.
With this option enabled, configure the related parameters.
Figure 2-19

Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.
None: The packets will be forwarded normally.
Drop: The packets will be discarded.
Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets
will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS
and T1600G-28PS do not support this option.

5) In the Policy section, enable or disable the QoS Remark feature for the matched
packets. With this option enabled, configure the related parameters, and the remarked
values will take effect in the QoS processing on the switch.
Figure 2-20

Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets
will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the
packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the
packets will be changed to the specified one.

6) Click Apply.

Configuring the IPv6 ACL Rule

Click Edit ACL for an IPv6 ACL entry to load the following page.

Configuration Guide

15

Configuring ACL

Figure 2-21

ACL Configuration

Configuring the IPv6 ACL Rule

In ACL Rules Table section, click
Figure 2-22

and the following page will appear.

Configuring the IPv6 ACL Rule

Follow these steps to configure the IPv6 ACL rule:

1) In the IPv6 ACL Rule section, configure the following parameters:

Configuration Guide

16

Configuring ACL

Rule ID

ACL Configuration

Enter an ID number to identify the rule.
It should not be the same as any current rule ID in the same ACL. If you select
Auto Assign, the rule ID will be assigned automatically and the interval between
rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.
Permit: To forward the matched packets.
Deny: To discard the matched packets.

IPv6 Class

Specify an IPv6 class value to be matched. The switch will check the class field of
the IPv6 header.

Flow Label

Specify a Flow Label value to be matched.

IPv6 Source IP

Enter the source IPv6 address to be matched. All types of IPv6 address will be
checked. You may enter a complete 128-bit IPv6 address but only the first 64
bits will be valid.

Mask

The mask is required if the source IPv6 address is entered. Enter the mask in
complete format (for example, FFFF:FFFF:0000:FFFF).
The IP address mask specifies which bits in the source IPv6 address to match the
rule. A value of 1 in the mask indicates that the corresponding bit in the address
will be matched.

IPv6 Destination
IP

Enter the destination IPv6 address to be matched. All types of IPv6 address will
be checked. You may enter a complete 128-bit IPv6 address but only the first 64
bits will be valid.

Mask

The mask is required if the destination IPv6 address is entered. Enter the
complete mask (for example, FFFF:FFFF:0000:FFFF).
The IP address mask specifies which bits in the source IP address to match the
rule. A value of 1 in the mask indicates that the corresponding bit in the address
will be matched.

IP Protocol

Select a protocol type from the drop-down list.
No Limit: Packets of all protocols will be matched.
UDP: Specify the source port and destination port for the UDP packet to be
matched.
TCP: Specify the source port and destination port for the TCP packet to be
matched.
User-defined: You can customize an IP protocol.

S-Port / D-Port

If TCP/UDP is selected as the IP protocol, specify the source and destination
port numbers.

Configuration Guide

17

Configuring ACL

ACL Configuration

Time Range

Select a time range during which the rule will take effect. The default value is No
Limit, which means the rule is always in effect. The Time Range referenced here
can be created on the SYSTEM > Time Range page.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
mirrored.
Figure 2-23

Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
redirected.
Figure 2-24

Configuring Redirect

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original
forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded
only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets.
With this option enabled, configure the related parameters.
Figure 2-25

Configuring Rate Limit

Configuration Guide

18

Configuring ACL

ACL Configuration

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.
None: The packets will be forwarded normally.
Drop: The packets will be discarded.
Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets
will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS
and T1600G-28PS.

5) In the Policy section, enable or disable the QoS Remark feature for the matched
packets. With this option enabled, configure the related parameters, and the remarked
values will take effect in the QoS processing on the switch.
Figure 2-26

Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets
will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the
packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the
packets will be changed to the specified one.

6) Click Apply.

Configuring the Packet Content ACL Rule
Only T2600G series support this feature.

Click Edit ACL for a Packet Content ACL entry to load the following page.

Configuration Guide

19

Configuring ACL

Figure 2-27

ACL Configuration

Configuring the Packet Content ACL Rule

In the Packet Content Offset Profile Global Config section, configure the Chunk Offset.
Click Apply.
Chunk0 Offset/
Chunk1 Offset/
Chunk2 Offset/
Chunk3 Offset

Enter the offset of a chunk. Packet Content ACL analyzes and processes data
packets based on 4 chunk match conditions, and each chunk can specify a userdefined 4-byte segment carried in the packet’s first 128 bytes. Offset 31 matches
the 127, 128, 1, 2 bytes of the packet, offset 0 matches the 3,4,5,6 bytes of the
packet, and so on, for the rest of the offset value.

Note: All 4 chunks must be set at the same time.

In ACL Rules Table section, click

and the following page will appear.

Configuration Guide

20

Configuring ACL

Figure 2-28

ACL Configuration

Configuring the Packet Content ACL Rule

Follow these steps to configure the Packet Content ACL rule:

1) In the Packet Content Rule section, configure the following parameters:
Rule ID

Enter an ID number to identify the rule.
It should not be the same as any current rule ID in the same ACL. If you select
Auto Assign, the rule ID will be assigned automatically and the interval between
rule IDs is 5.

Operation

Select an action to be taken when a packet matches the rule.
Permit: To forward the matched packets.
Deny: To discard the matched packets.

Chunk0-Chunk3

Specify the EtherType to be matched using 4 hexadecimal numbers.

Configuration Guide

21

Configuring ACL

ACL Configuration

Chunk Value

Enter the 4-byte value in hexadecimal for the desired chunk, like ‘0000ffff’. The
Packet Content ACL will check this chunk of packets to examine if the packets
match the rule or not.

Chunk Mask

Enter the 4-byte mask in hexadecimal for the desired chunk. The mask must be
written completely in 4-byte hex mode, like ‘0000ffff’. The mask specifies which
bits to match the rule.

Time Range

Select a time range during which the rule will take effect. The default value is No
Limit, which means the rule is always in effect. The Time Range referenced here
can be created on the SYSTEM > Time Range page.

Logging

Enable Logging function for the ACL rule. Then the times that the rule is matched
will be logged every 5 minutes and a related trap will be generated. You can refer
to Total Matched Counter in the ACL Rules Table to view the matching times.

2) In the Policy section, enable or disable the Mirroring feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
mirrored.
Figure 2-29

Configuring Mirroring

3) In the Policy section, enable or disable the Redirect feature for the matched packets.
With this option enabled, choose a destination port to which the packets will be
redirected.
Figure 2-30

Configuring Redirect

Configuration Guide

22

Configuring ACL

ACL Configuration

Note:

In the Mirroring feature, the matched packets will be copied to the destination port and the original
forwarding will not be affected. While in the Redirect feature, the matched packets will be forwarded
only on the destination port.

4) In the Policy section, enable or disable the Rate Limit feature for the matched packets.
With this option enabled, configure the related parameters.
Figure 2-31

Configuring Rate Limit

Rate

Specify the transmission rate for the matched packets.

Burst Size

Specify the maximum number of bytes allowed in one second.

Out of Band

Select the action for the packets whose rate is beyond the specified rate.
None: The packets will be forwarded normally.
Drop: The packets will be discarded.
Remark DSCP: You can specify a DSCP value, and the DSCP field of the packets
will be changed to the specified one. T1500 series, T1600G-18TS, T1600G-28TS
and T1600G-28PS do not support this option.

5) In the Policy section, enable or disable the QoS Remark feature for the matched
packets. With this option enabled, configure the related parameters, and the remarked
values will take effect in the QoS processing on the switch.
Figure 2-32

Configuring QoS Remark

DSCP

Specify the DSCP field for the matched packets. The DSCP field of the packets
will be changed to the specified one.

Local Priority

Specify the local priority for the matched packets. The local priority of the
packets will be changed to the specified one.

802.1p Priority

Specify the 802.1p priority for the matched packets. The 802.1p priority of the
packets will be changed to the specified one.

6) Click Apply.

Configuration Guide

23

Configuring ACL

ACL Configuration

Viewing the ACL Rules

The rules in an ACL are listed in ascending order of their rule IDs. The switch matches a
received packet with the rules in order. When a packet matches a rule, the switch stops the
match process and performs the action defined in the rule.
Click Edit ACL for an entry you have created and you can view the rule table. We take IP
ACL rules table for example.
Figure 2-33

Viewing ACL Rules Table

Here you can view and edit the ACL rules. You can also click Resequence to resequence
the rules by providing a Start Rule ID and Step value.

2.1.4 Configuring ACL Binding
You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN
will then be matched and processed according to the ACL rules. An ACL takes effect only
after it is bound to a port or VLAN.
Note:
•

Different types of ACLs cannot be bound to the same port or VLAN.

•

Multiple ACLs of the same type can be bound to the same port or VLAN. The switch matches
the received packets using the ACLs in order. The ACL that is bound earlier has a higher priority.

Binding the ACL to a Port

Choose the menu SECURITY > ACL > ACL Binding > Port Binding and click
the following page.

to load

Configuration Guide

24

Configuring ACL

Figure 2-34

ACL Configuration

Binding the ACL to a Port

Follow these steps to bind the ACL to a Port:

1) Choose ID or Name to be used for matching the ACL. Then select an ACL from the
drop-down list.
2) Specify the port to be bound.
3) Click Create.

 Binding the ACL to a VLAN
Choose the menu SECURITY > ACL > ACL Binding > VLAN Binding to load the following
page.
Figure 2-35

Binding the ACL to a VLAN

Follow these steps to bind the ACL to a VLAN:

1) Choose ID or Name to be used for matching the ACL. Then select an ACL from the
drop-down list.
2) Enter the ID of the VLAN to be bound.
3) Click Create.

Configuration Guide

25

Configuring ACL

2.2

ACL Configuration

Using the CLI

2.2.1 Configuring Time Range
Some ACL-based services or features may need to be limited to take effect only during a
specified time period. In this case, you can configure a time range for the ACL. For details
about Time Range Configuration, please refer to Managing System.

2.2.2 Configuring ACL
Follow the steps to create different types of ACL and configure the ACL rules.
You can define the rules based on source or destination IP address, source or destination
MAC address, protocol type, port number and others.

MAC ACL

Follow these steps to configure MAC ACL:
Step 1

configure

Step 2

access-list create acl-id [name acl-name ]

Enter global configuration mode.

Create a MAC ACL.

acl-id: Enter an ACL ID. The ID ranges from 0 to 499.
acl-name: Enter a name to identify the ACL.

Configuration Guide

26

Configuring ACL

Step 3

ACL Configuration

access-list mac acl-id-or-name rule { auto | rule-id } { deny | permit } logging {enable | disable}
[ smac source-mac smask source-mac-mask ] [dmac destination-mac dmask destination-macmask ] [type ether-type] [pri dot1p-priority ] [vid vlan-id ] [tseg time-range-name ]
Add a MAC ACL Rule.

acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.
rule-id : Assign an ID to the rule.
deny | permit: Specify the action to be taken with the packets that match the rule. By default, it
is set to permit. The packets will be discarded if “deny” is selected and forwarded if “permit” is
selected.
logging {enable | disable}: Enable or disable Logging function for the ACL rule. If "enable" is
selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter
trap enabled, a related trap will be generated if the matching times changes.

source-mac : Enter the source MAC address. The format is FF:FF:FF:FF:FF:FF.
source-mac-mask : Enter the mask of the source MAC address. This is required if a source MAC
address is entered. The format is FF:FF:FF:FF:FF:FF.
destination-mac : Enter the destination MAC address. The format is FF:FF:FF:FF:FF:FF.
destination-mac-mask : Enter the mask of the destination MAC address. This is required if a
destination MAC address is entered. The format is FF:FF:FF:FF:FF:FF.
ether-type: Specify an Ethernet-type with 4 hexadecimal numbers.

dot1p-priority : The user priority ranges from 0 to 7. The default is No Limit.
vlan-id : The VLAN ID ranges from 1 to 4094.
time-range-name : The name of the time-range. The default is No Limit.
Step 4

exit

Step 5

show access-list [ acl-id-or-name ]

Return to global configuration mode.

Display the current ACL configuration.

acl-id-or-name : The ID number or name of the ACL.
Step 6

end

Step 7

copy running-config startup-config

Return to privileged EXEC mode.

Save the settings in the configuration file.

The following example shows how to create MAC ACL 50 and configure Rule 5 to permit
packets with source MAC address 00:34:A2:D4:34:B5:
Switch#configure

Configuration Guide

27

Configuring ACL

ACL Configuration

Switch(config)#access-list create 50
Switch(config-mac-acl)#access-list mac 50 rule 5 permit logging disable smac
00:34:A2:D4:34:B5 smask FF:FF:FF:FF:FF:FF
Switch(config-mac-acl)#exit
Switch(config)#show access-list 50
MAC access list 50 name: ACL_50
rule 5 permit logging disable smac 00:34:a2:d4:34:b5 smask ff:ff:ff:ff:ff:ff
Switch(config)#end
Switch#copy running-config startup-config

IP ACL

Follow these steps to configure IP ACL:
Step 1

configure

Step 2

access-list create acl-id [name acl-name ]

Enter global configuration mode.

Create an IP ACL.

acl-id: Enter an ACL ID. The ID ranges from 500 to 999.
acl-name: Enter a name to identify the ACL.

Configuration Guide

28

Configuring ACL

Step 3

ACL Configuration

access-list ip acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable} [sip
sip-address sip-mask sip-address-mask ] [ dip dip-address dip-mask dip-address-mask ] [dscp
dscp-value ] [tos tos-value ] [pre pre-value ] [frag {enable | disable}] [protocol protocol [s-port
s-port-number s-port-mask s-port-mask] [d-port d-port-number d-port-mask d-port-mask]
[tcpflag tcpflag ]] [tseg time-range-name]
Add rules to the ACL.

acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.
rule-id : Assign an ID to the rule.
deny | permit: Specify the action to be taken with the packets that match the rule. Deny means
to discard; permit means to forward. By default, it is set to permit.
logging {enable | disable}: Enable or disable Logging function for the ACL rule. If "enable" is
selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter
trap enabled, a related trap will be generated if the matching times changes.

sip-address: Enter the source IP address.
sip-address-mask: Enter the mask of the source IP address. This is required if a source IP
address is entered.
dip-address: Enter the destination IP address.
dip-address-mask: Enter the mask of the destination IP address. This is required if a destination
IP address is entered.
dscp-value: Specify the DSCP value between 0 and 63.

tos-value: Specify an IP ToS value to be matched between 0 and 15.

pre-value: Specify an IP Precedence value to be matched between 0 and 7.

frag {enable | disable}: Enable or disable matching of fragmented packets. The default is
disable. When enabled, the rule will apply to all fragmented packets and always permit to
forward the last fragment of a packet. T1500 series, T1600G-18TS, T1600G-28TS and
T1600G-28PS do not support this option.

protocol: Specify a protocol number between 0 and 255.

s-port-number: With TCP or UDP configured as the protocol, specify the source port number.

s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4
hexadacimal numbers.

d-port-number: With TCP or UDP configured as the protocol, specify the destination port
number.
d-port-mask: With TCP or UDP configured as the protocol, specify the destination port mask
with 4 hexadacimal numbers.
tcpflag: With TCP configured as the protocol, specify the flag value using either binary numbers
or * (for example, 01*010*). The default is *, which indicates that the flag will not be matched.
The flags are URG (Urgent flag), ACK (Acknowledge Flag), PSH (Push Flag), RST (Reset Flag),
SYN (Synchronize Flag) and FIN (Finish Flag).

time-range-name: The name of the time-range. The default is No Limit.

Configuration Guide

29

Configuring ACL

ACL Configuration

Step 4

end

Step 5

copy running-config startup-config

Return to privileged EXEC mode.

Save the settings in the configuration file.

The following example shows how to create IP ACL 600, and configure Rule 1 to permit
packets with source IP address 192.168.1.100:
Switch#configure
Switch(config)#access-list create 600
Switch(config)#access-list ip 600 rule 1 permit logging disable sip 192.168.1.100 sipmask 255.255.255.255
Switch(config)#show access-list 600
IP access list 600 name: ACL_600
rule 1 permit logging disable sip 192.168.1.100 smask 255.255.255.255
Switch(config)#end
Switch#copy running-config startup-config

Combined ACL

Follow these steps to configure Combined ACL:
Step 1

configure

Step 2

access-list create acl-id [name acl-name ]

Enter global configuration mode

Create a Combined ACL.

acl-id: Enter an ACL ID. The ID ranges from 1000 to 1499.
acl-name: Enter a name to identify the ACL.

Configuration Guide

30

Configuring ACL

Step 3

ACL Configuration

access-list combined acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable |
disable} [smac source-mac-address smask source-mac-mask ] [dmac dest-mac-address dmask
dest-mac-mask ] [vid vlan-id ] [type ether-type ] [pri priority ] [sip sip-address sip-mask sipaddress-mask ] [dip dip-address dip-mask dip-address-mask ] [dscp dscp-value ] [tos tos-value]
[pre pre-value] [frag {enable | disable}] [protocol protocol [s-port s-port-number s-port-mask
s-port-mask ] [d-port d-port-number d-port-mask d-port-mask] [tcpflag tcpflag ]] [tseg timerange-name ]
Add rules to the ACL.

acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.
rule-id : Assign an ID to the rule.
deny | permit: Specify the action to be taken with the packets that match the rule. Deny means
to discard; permit means to forward. By default, it is set to permit.
logging {enable | disable}: Enable or disable Logging function for the ACL rule. If "enable" is
selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter
trap enabled, a related trap will be generated if the matching times changes.

source-mac-address : Enter the source MAC address.

source-mac-mask : Enter the source MAC address mask.
dest-mac-address : Enter the destination MAC address.

dest-mac-mask : Enter the destination MAC address mask. This is required if a destination MAC
address is entered.
vlan-id : The VLAN ID ranges from 1 to 4094.

ether-type : Specify the Ethernet-type with 4 hexadecimal numbers.

priority : The user priority ranges from 0 to 7. The default is No Limit.
sip-address : Enter the source IP address.

sip-address-mask : Enter the mask of the source IP address. It is required if source IP address is
entered.
dip-address : This is required if a source IP address is entered.

dip-address-mask : Enter the destination IP address mask. This is required if a destination IP
address is entered.
dscp-value: Specify the DSCP value between 0 and 63.

tos-value: Specify an IP ToS value to be matched between 0 and 15.

pre-value: Specify an IP Precedence value to be matched between 0 and 7.

Configuration Guide

31

Configuring ACL

ACL Configuration

frag {enable | disable}: Enable or disable matching of fragmented packets. The default is
disable. When enabled, the rule will apply to all fragmented packets and always permit to
forward the last fragment of a packet.

protocol: Specify a protocol number between 0 and 255.

s-port-number: With TCP or UDP configured as the protocol, specify the source port number.

s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask with 4
hexadacimal numbers.

d-port-number: With TCP or UDP configured as the protocol, specify the destination port
number.
d-port-mask: With TCP or UDP configured as the protocol, specify the destination port mask
with 4 hexadacimal numbers.
tcpflag: With TCP configured as the protocol, specify the flag value using either binary numbers
or * (for example, 01*010*). The default is *, which indicates that the flag will not be matched.
The flags are URG (Urgent flag), ACK (Acknowledge Flag), PSH (Push Flag), RST (Reset Flag),
SYN (Synchronize Flag), and FIN (Finish Flag).

time-range-name : The name of the time-range. The default is No Limit.
Step 4

end

Step 5

copy running-config startup-config

Return to privileged EXEC mode.

Save the settings in the configuration file.

The following example shows how to create Combined ACL 1100 and configure Rule 1 to
deny packets with source IP address 192.168.3.100 in VLAN 2:
Switch#configure
Switch(config)#access-list create 1100
Switch(config)#access-list combined 1100 logging disable rule 1 permit vid 2 sip
192.168.3.100 sip‑mask 255.255.255.255
Switch(config)#show access-list 2600
Combined access list 2600 name: ACL_2600
rule 1 permit logging disable vid 2 sip 192.168.3.100 sip-mask 255.255.255.255
Switch(config)#end
Switch#copy running-config startup-config

IPv6 ACL

Follow these steps to configure IPv6 ACL:
Step 1

configure

Enter global configuration mode

Configuration Guide

32

Configuring ACL

Step 2

ACL Configuration

access-list create acl-id [name acl-name ]
Create an IPv6 ACL.

acl-id: Enter an ACL ID. The ID ranges from 1500 to 1999.
acl-name: Enter a name to identify the ACL.
Step 3

access-list ipv6 acl-id-or-name rule {auto | rule-id } {deny | permit} logging {enable | disable}
[class class-value] [flow-label flow-label-value ] [sip source-ip-address sip-mask source-ip-mask
] [dip destination-ip-address dip-mask destination-ip-mask ] [s-port source-port-number ] [d-port
destination-port-number ] [tseg time-range-name]
Add rules to the ACL.

acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.
rule-id : Assign an ID to the rule.
deny | permit: Specify the action to be taken with the packets that match the rule. Deny means
to discard; permit means to forward. By default, it is set to permit.
logging {enable | disable}: Enable or disable Logging function for the ACL rule. If "enable" is
selected, the times that the rule is matched will be logged every 5 minutes. With ACL Counter
trap enabled, a related trap will be generated if the matching times changes.

class-value : Specify a class value to be matched. It ranges from 0 to 63.
flow-label-value : Specify a Flow Label value to be matched.
source-ip-address: Enter the source IP address. Enter the destination IPv6 address to be
matched. All types of IPv6 address will be checked. You may enter a complete 128-bit IPv6
address but only the first 64 bits will be valid.
source-ip-mask: Enter the source IP address mask. The mask is required if the source IPv6
address is entered. Enter the mask in complete format (for example, ffff:ffff:0000:ffff). The
mask specifies which bits in the source IPv6 address to match the rule.
destination-ip-address : Enter the destination IPv6 address to be matched. All types of IPv6
address will be checked. You may enter a complete 128-bit IPv6 addresses but only the first
64 bits will be valid.
destination-ip-mask: Enter the source IP address mask. The mask is required if the source IPv6
address is entered. Enter the mask in complete format (for example, ffff:ffff:0000:ffff). The
mask specifies which bits in the source IPv6 address to match the rule.
source-port-number : Enter the TCP/UDP source port if TCP/UDP protocol is selected.
destination-port-number : Enter the TCP/UDP destination port if TCP/UDP protocol is selected.
time-range-name : The name of the time-range. The default is No Limit.
Step 4

end

Step 5

copy running-config startup-config

Return to privileged EXEC mode.

Save the settings in the configuration file.

Configuration Guide

33

Configuring ACL

ACL Configuration

The following example shows how to create IPv6 ACL 1600 and configure Rule 1 to deny
packets with source IPv6 address CDCD:910A:2222:5498:8475:1111:3900:2020:
Switch#configure
Switch(config)#access-list create 1600
Switch(config)#access-list ipv6 1600 rule 1 deny logging disable sip
CDCD:910A:2222:5498:8475:1111:3900:2020 sip-mask ffff:ffff:ffff:ffff
Switch(config)#show access-list 1600
IPv6 access list 1600 name: ACL_1600
rule 1 deny logging disable sip cdcd:910a:2222:5498:8475:1111:3900:2020 sip-mask ffff:ff
ff:ffff:ffff
Switch(config)#end
Switch#copy running-config startup-config

Packet Content ACL

Only T2600G series support this feature.
Follow these steps to configure Packet Content ACL:
Step 1

configure

Step 2

access-list create acl-id [name acl-name ]

Enter global configuration mode

Create a Packet Content ACL.

acl-id: Enter an ACL ID. The ID ranges from 2000 to 2499.
acl-name: Enter a name to identify the ACL.
Step 3

access-list packet-content profile chunk-offset0 offset0 chunk-offset1 offset1
chunk-offset2 offset2 chunk-offset3 offset3
Specify the offset of each chunk, all the 4 chunks must be set at the same time.

offset0 -offset3 : Specify the offset of each chunk, the value ranges from 0 to 31. When
the offset is set as 31, it matches the first 127,128, 1, 2 bytes of the packet; when the
offset is set as 0, it matches the 3, 4, 5, 6 bytes, and so on, for the rest of the offset
value.

Configuration Guide

34

Configuring ACL

Step 4

ACL Configuration

access-list packet-content config acl-id-or-name rule { auto | rule-id } {deny | permit}
logging { enable | disable } [chunk0 value mask0 mask ] [chunk1 value mask1 mask ]
[chunk2 value mask2 mask ] [chunk3 value mask3 mask ] [tseg time-range-name]
Add rules to the ACL.

acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for.

auto: The rule ID will be assigned automatically and the interval between rule IDs is 5.

rule-id : Assign an ID to the rule.
deny | permit: Specify the action to be taken with the packets that match the rule. Deny
means to discard; permit means to forward. By default, it is set to permit.
logging { enable | disable} : Enable or disable Logging function for the ACL rule. If
"enable" is selected, the times that the rule is matched will be logged every 5 minutes.
With ACL Counter trap enabled, a related trap will be generated if the matching times
changes.

value : Enter the 4-byte value in hexadecimal for the desired chunk, like ‘0000ffff’. The
Packet Content ACL will check this chunk of packets to examine if the packets match
the rule or not.

mask: Enter the 4-byte mask in hexadecimal for the desired chunk. The mask must be
written completely in 4-byte hex mode, like ‘0000ffff’. The mask specifies which bits to
match the rule.
time-range-name : The name of the time-range. The default is No Limit.
Step 5

end

Step 6

copy running-config startup-config

Return to privileged EXEC mode.

Save the settings in the configuration file.

The following example shows how to create Packet Content ACL 2000, and deny the
packets with the value of its chunk1 0x58:
Switch#configure
Switch(config)#access-list create 2000
Switch(config)#access-list packet-content profile chunk-offset0 offset0 chunk-offset1
offset1 chunk-offset2 offset2 chunk-offset3 offset3
Switch(config)#packet-content config 2000 rule 10 deny logging disable chunk1 58
mask1 ffffffff
Switch(config)#show access-list 2000
Packet content access list 2000 name: ACL_2000
rule 10 deny logging disable chunk1 value 0x58 mask 0xffffffff
Switch(config)#end
Switch#copy running-config startup-config
Configuration Guide

35

Configuring ACL

ACL Configuration

Resequencing Rules

You can resequence the rules by providing a Start Rule ID and Step value.
Step 1

configure

Step 2

access-list resequence acl-id-or-name start start-rule-id step rule-id-step-value

Enter global configuration mode.

Resequence the rules of the specific ACL.

acl-id-or-name : Enter the ID or name of the ACL.
start-rule-id : Enter the start rule ID.

rule-id-step-value : Enter the Step value.
Step 3

end

Step 4

copy running-config startup-config

Return to privileged EXEC mode.

Save the settings in the configuration file.

The following example shows how to resequence the rules of MAC ACL 100: set the start
rule ID as 1 and the step value as 10:
Switch#configure
Switch(config)#access-list resequence 100 start 1 step 10
Switch(config)#show access-list 100
MAC access list 100 name: “ACL_100”
rule 1 deny logging disable smac aa:bb:cc:dd:ee:ff smask ff:ff:ff:ff:ff:ff
rule 11 permit logging disable vid 18
rule 21 permit logging disable dmac aa:cc:ee:ff:dd:33 dmask ff:ff:ff:ff:ff:ff
Switch(config)#end
Switch#copy running-config startup-config

2.2.3 Configuring Policy
Policy allows you to further process the matched packets through operations such as
mirroring, rate-limiting, redirecting, or changing priority.
Follow the steps below to configure the policy actions for an ACL rule.
Step 1

configure

Enter global configuration mode.

Configuration Guide

36

Configuring ACL

Step 2

ACL Configuration

access-list action acl-id-or-name rule rule-id
Configure the policy actions for an ACL rule.

acl-id-or-name : Enter the ID or name of the ACL.
rule-id : Enter the ID of the ACL rule.
Step 3

redirect interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }
(Optional) Define the policy to redirect the matched packets to the desired port.

port : The destination port to which the packets will be redirected. The default is All.

s-mirror interface { fastEthernet port | gigabitEthernet port | ten-gigabitEthernet port }

(Optional) Define the policy to mirror the matched packets to the desired port.

port : The destination port to which the packets will be mirrored.

s-condition rate rate burst burst-size osd { none | discard | remark dscp dscp }

(Optional) Define the policy to monitor the rate of the matched packets.

rate : Specify a rate from 1 to 1000000 kbps.
burst-size : Specify the number of bytes allowed in one second ranging from 1 to 128.
osd: Select either “none”, “discard” or “remark dscp” as the action to be taken for the packets
whose rate is beyond the specified rate. The default is None. When “remark dscp” is selected,
you also need to specify the DSCP value for the matched packets. The DSCP value ranges
from 0 to 63. T1500 series, T1600G-18TS, T1600G-28TS and T1600G-28PS do not support
DSCP option.

qos-remark [dscp dscp ] [ priority pri ] [ dot1p pri ]
(Optional) Define the policy to remark priority for the matched packets.

dscp : Specify the DSCP region for the data packets. The value ranges from 0 to 63.
priority pri : Specify the local priority for the data packets. The value ranges from 0 to 7.
dot1p pri: Specify the 802.1p priority for the data packets. The value ranges from 0 to 7.
Step 4

end

Step 5

copy running-config startup-config

Return to privileged EXEC mode.

Save the settings in the configuration file.

Redirect the matched packets to port 1/0/4 for rule 1 of MAC ACL 10:
Switch#configure
Switch(config)#access-list action 10 rule 1
Configuration Guide

37

Configuring ACL

ACL Configuration

Switch(config-action)#redirect interface gigabitEthernet 1/0/4
Switch(config-action)#exit
Switch(config)#show access-list 10
MAC access list 10 name: ACL_10
rule 5 permit logging disable action redirect Gi1/0/4
Switch(config)#end
Switch#copy running-config startup-config

2.2.4 Configuring ACL Binding
You can bind the ACL to a port or a VLAN. The received packets on the port or in the VLAN
will then be matched and processed according to the ACL rules. An ACL takes effect only
after it is bound to a port or VLAN.
Note:
•

Different types of ACLs cannot be bound to the same port or VLAN.

•

Multiple ACLs of the same type can be bound to the same port or VLAN. The switch matches
the received packets using the ACLs in order. The ACL that is bound earlier has a higher priority.

Follow the steps below to bind ACL to a port or a VLAN:
Step 1

configure

Step 2

access-list bind acl-id-or-name interface { [ vlan vlan-list ] | [ fastEthernet port-list ] | [
gigabitEthernet port-list ] | [ ten-gigabitEthernet port-list ] }

Enter global configuration mode

Bind the ACL to a port or a VLAN.

acl-id-or-name : Enter the ID or name of the ACL that you want to add a rule for.

vlan-list : Specify the ID or the ID list of the VLAN(s) that you want to bind the ACL to. The valid
values are from 1 to 4094, for example, 2-3,5.
port-list : Specify the number or the list of the Ethernet port that you want to bind the ACL to.
Step 3

show access-list bind

Step 4

end

Step 5

copy running-config startup-config

View the ACL binding configuration.

Return to privileged EXEC mode.

Save the settings in the configuration file.

The following example shows how to bind ACL 1 to port 3 and VLAN 4:
Configuration Guide

38

Configuring ACL

ACL Configuration

Switch#configure
Switch(config)#access-list bind 1 interface vlan 4 gigabitEthernet 1/0/3
SSwitch(config)#show access-list bind
ACL ID

ACL NAME

Interface/VID

Direction

Type

-----

----------

-------------

-------

----

1

ACL_1

Gi1/0/3

Ingress

Port

1

ACL_1

Ingress

VLAN

4

Switch(config)#end
Switch#copy running-config startup-config

2.2.5 Viewing ACL Counting
You can use the following command to view the number of matched packets of each ACL
in the privileged EXEC mode and any other configuration mode:
show access-list acl-id-or-name counter

View the number of matched packets of the specific ACL.

acl-id-or-name: Specify the ID or name of the ACL to be viewed.

Configuration Guide

39

Configuring ACL

Configuration Example for ACL

3

Configuration Example for ACL

3.1

Network Requirements
As shown below, a company’s internal server group can provide different types of services.
Computers in the Marketing department are connected to the switch via port 1/0/1 , and
the internal server group is connected to the switch via port 1/0/2.
Figure 3-1

Network Topology
Gi1/0/2
Gi1/0/1

Server Group

IP: 10.10.80.0/24

Marketing

IP: 10.10.70.0/24

It is required that:
 The Marketing department can only access internal server group in the intranet.
 The Marketing department can only visit http and https websites on the internet.

3.2

Configuration Scheme
To meet the requirements above, you can set up packet filtering by creating an IP ACL and
configuring rules for it.
 ACL Configuration
Create an IP ACL and configure the following rules for it:

Configuration Guide

40

Configuring ACL

Configuration Example for ACL

 Configure a permit rule to match packets with source IP address 10.10.70.0/24, and
destination IP address 10.10.80.0/24. This rule allows the Marketing department to
access internal network servers from intranet.
 Configure four permit rules to match the packets with source IP address 10.10.70.0/24,
and destination ports TCP 80, TCP 443 and TCP/UDP 53. These allow the Marketing
department to visit http and https websites on the internet.
 Configure a deny rule to match the packets with source IP address 10.10.70.0/24. This
rule blocks other network services.

The switch matches the packets with the rules in order, starting with Rule 1. If a packet
matches a rule, the switch stops the matching process and initiates the action defined in
the rule.
 Binding Configuration
Bind the IP ACL to port 1/0/1 so that the ACL rules will apply to the Marketing department
only.
Demonstrated with T2600G-28TS, the following sections explain the configuration
procedure in two ways: using the GUI and using the CLI.

3.3

Using the GUI
1) Choose the menu SECURITY > ACL > ACL Config and click
page. Then create an IP ACL for the marketing department.
Figure 3-2

to load the following

Creating an IP ACL

2) Click Edit ACL in the Operation column.

Configuration Guide

41

Configuring ACL

Figure 3-3

Configuration Example for ACL

Editing IP ACL

3) On the ACL configuration page, click
Figure 3-4

.

Editing IP ACL

4) Configure rule 1 to permit packets with the source IP address 10.10.70.0/24 and
destination IP address 10.10.80.0/24.
Figure 3-5

Configuring Rule 1

Configuration Guide

42

Configuring ACL

Configuration Example for ACL

5) In the same way, configure rule 2 and rule 3 to permit packets with source IP 10.10.70.0
and destination port TCP 80 (http service port) and TCP 443 (https service port).
Figure 3-6

Configuring Rule 2

Configuration Guide

43

Configuring ACL

Figure 3-7

Configuration Example for ACL

Configuring Rule 3

Configuration Guide

44

Configuring ACL

Configuration Example for ACL

6) In the same way, configure rule 4 and rule 5 to permit packets with source IP 10.10.70.0
and with destination port TCP 53 or UDP 53 (DNS service port).
Figure 3-8

Configuring Rule 4

Configuration Guide

45

Configuring ACL

Figure 3-9

Configuration Example for ACL

Configuring Rule 5

7) In the same way, configure rule 6 to deny packets with source IP 10.10.70.0.
Figure 3-10

Configuring Rule 6

Configuration Guide

46

Configuring ACL

Configuration Example for ACL

8) Choose the menu SECURITY > ACL > ACL Binding and click
following page. Bind Policy Market to port 1/0/1 to make it take effect.
Figure 3-11

9) Click

3.4

to load the

Binding the Policy to Port 1/0/1

to save the settings.

Using the CLI
1) Create an IP ACL.
Switch#configure
Switch(config)#access-list create 500 name marketing

2) Configure rule 1 to permit packets with source IP 10.10.70.0/24 and destination IP
10.10.80.0/24.
Switch(config)#access-list ip 500 rule 1 permit logging disable sip 10.10.70.0 sip-mask
255.255.255.0 dip 10.10.80.0 dmask 255.255.255.0

3) Configure rule 2 and Rule 3 to permit packets with source IP 10.10.70.0/24, and
destination port TCP 80 (http service port) or TCP 443 (https service port).
Switch(config)#access-list ip 500 rule 2 permit logging disable sip 10.10.70.0 sip-mask
255.255.255.0 protocol 6 d-port 80 d-port-mask ffff
Switch(config)#access-list ip 500 rule 3 permit logging disable sip 10.10.70.0 sip-mask
255.255.255.0 protocol 6 d-port 443 d-port-mask ffff

4) Configure rule 4 and rule 5 to permit packets with source IP 10.10.70.0/24, and
destination port TCP53 or UDP 53.

Switch(config)#access-list ip 500 rule 4 permit logging disable sip 10.10.70.0 sip-mask
255.255.255.0 protocol 6 d-port 53 d-port-mask ffff

Configuration Guide

47

Configuring ACL

Configuration Example for ACL

Switch(config)#access-list ip 500 rule 5 permit logging disable sip 10.10.70.0 sip-amask
255.255.255.0 protocol 17 d-port 53 d-port-mask ffff

5) Configure rule 6 to deny packets with source IP 10.10.70.0/24.

Switch(config)#access-list ip 500 rule 2 deny logging disable sip 10.10.70.0 sip-mask
255.255.255.0

6) Bind ACL500 to port 1.

Switch(config)#access-list bind 500 interface gigabitEthernet 1/0/1
Switch(config)#end
Switch#copy running-config startup-config

Verify the Configurations
Verify the IP ACL 500:
Switch#show access-list 500
rule 1 permit logging disable sip 10.10.70.0 smask 255.255.255.0 dip 10.10.80.0 dmask
255.255.255.0
rule 2 permit logging disable sip 10.10.70.0 smask 255.255.255.0 protocol 6 d-port 80
rule 3 permit logging disable sip 10.10.70.0 smask 255.255.255.0 protocol 6 d-port 443
rule 4 permit logging disable sip 10.10.70.0 smask 255.255.255.0 protocol 6 d-port 53
rule 5 permit logging disable sip 10.10.70.0 smask 255.255.255.0 protocol 17 d-port 53
rule 6 deny logging disable sip 10.10.70.0 smask 255.255.255.0
Switch#show access-list bind
ACL ID

ACL NAME

Interface/VID

Direction Type

------

--------

-------------

--------

500

marketing

Gi1/0/1

Ingress

---Port

Configuration Guide

48

Configuring ACL

4

Appendix: Default Parameters

Appendix: Default Parameters
The default settings of ACL are listed in the following tables:
Table 4-1

MAC ACL

Parameter

Default Setting

Operation

Permit

User Priority

No Limit

Time-Range

No Limit

Table 4-2

IP ACL

Parameter

Default Setting

Operation

Permit

IP Protocol

All

DSCP

No Limit

IP ToS

No Limit

IP Pre

No Limit

Time-Range

No Limit

Table 4-3

IPv6 ACL

Parameter

Default Setting

Operation

Permit

Time-Range

No Limit

Table 4-4

Combined ACL

Parameter

Default Setting

Operation

Permit

Time-Range

No Limit

Configuration Guide

49

Configuring ACL

Table 4-5

Appendix: Default Parameters

Packet Content ACL

Parameter

Default Setting

Operation

Permit

Time-Range

No Limit

Table 4-6

Policy

Parameter

Default Setting

Mirroring

Disabled

Redirect

Disabled

Rate Limit

Disabled

QoS Remark

Disabled

Configuration Guide

50



Source Exif Data:
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
XMP Toolkit                     : Adobe XMP Core 5.4-c005 78.147326, 2012/08/23-13:03:03
Create Date                     : 2018:03:01 18:59:19+08:00
Metadata Date                   : 2018:03:01 19:00:30+08:00
Modify Date                     : 2018:03:01 19:00:30+08:00
Creator Tool                    : Adobe InDesign CC 2015 (Windows)
Instance ID                     : uuid:e5833def-ce10-4dbd-b8ab-152cd2bb2476
Original Document ID            : xmp.did:73e61f8d-0acf-b64b-825e-637dfa91f942
Document ID                     : xmp.id:593e2fd0-437e-b445-b5f9-f32a73837d29
Rendition Class                 : proof:pdf
Derived From Instance ID        : xmp.iid:733f606a-0feb-0c4d-981b-61dfeaf2d95a
Derived From Document ID        : xmp.did:67894495-4ef7-8140-b4c7-685996004f49
Derived From Original Document ID: xmp.did:73e61f8d-0acf-b64b-825e-637dfa91f942
Derived From Rendition Class    : default
History Action                  : converted
History Parameters              : from application/x-indesign to application/pdf
History Software Agent          : Adobe InDesign CC 2015 (Windows)
History Changed                 : /
History When                    : 2018:03:01 18:59:19+08:00
Format                          : application/pdf
Producer                        : Adobe PDF Library 15.0
Trapped                         : False
Page Count                      : 51
Creator                         : Adobe InDesign CC 2015 (Windows)
EXIF Metadata provided by EXIF.tools

Navigation menu