Switches: Access Control Lists


Topic

This article describes Access Control Lists (ACLs) and how to implement both MAC and IPv4 based ACLs on Open Mesh Switches.

Environment

Open Mesh Switches

Overview

Access Control Lists (ACLs) allow you to set rules that tell a switch whether to allow or drop a given packet based on its MAC address or IP address.

Open Mesh switches allow for multiple ACLs, with multiple rules (Access Control List Entries) within each ACL. Each ACL is identified by its name, and all the individual entries within the same ACL use the same ACL name. Up to 3000 total ACL entries are supported, with up to 256 entries per ACL.

Procedure

1. Navigate to Manage -> Switches, and select a switch.

2. Click on Switch Settings, as seen in Figure 1.

Figure 1: Switch Settings

3. Click the Enable checkbox in the Access Control List row, as seen in Figure 2.

Figure 2: Enabling ACL

4. Follow the respective settings for both MAC based and IPv4 based ACLs.

MAC Based ACLs

The following steps will guide you on creating a MAC ACL entry:

1. Click Add New above the MAC Based table, as seen in Figure 3.

Figure 3: The Add New MAC Based ACL button

2. Complete the following fields as seen in Figure 4.

Figure 4: Create MAC ACL Entry

A. New ACL name: Enter the name of your ACL. If an existing ACL is present on the switch, you can either add an additional entry to that ACL, or create a new ACL altogether. ACL names cannot be renamed once created. The ACL must be deleted and recreated. 
B. Sequence: Enter the sequence number of the ACL entry. Multiple entries in an ACL will be processed in order based on this number. The sequence number cannot be modified once created. The ACL must be deleted and recreated. 
C. Action: Specify whether packets associated with the MAC addresses defined in this ACL will be permitted or denied.
D. Source MAC: Specify the source MAC address of the incoming packet. Choose Custom to enter a specific MAC address. To specify a wildcard, use the '*' symbol.  Enter Any in the text field or leave the field following Custom blank to apply to all MAC addresses.
E. Destination MAC: Specify the destination MAC address of the incoming packet. Choose Custom to enter a specific MAC address. To specify a wildcard, use the '*' symbol.  Enter Any in the text field or leave the field following Custom blank to apply to all MAC addresses.

3. Click Create.

IPv4 Based ACLs

The following steps will guide you on creating an IPv4 ACL entry:

1. Click Add New above the IPv4 Based table, as seen in Figure 5.

Figure 5: The Add New IPv4 Based ACL button

2. Complete the following fields as seen in Figure 6.

Figure 6: Create IPv4 ACL Entry

A. New ACL name: Enter the name of your ACL. If an existing ACL is present on the switch, you can either add an additional entry to that ACL, or create a new ACL altogether. ACL names cannot be renamed once created. The ACL must be deleted and recreated. 
B. Sequence: Enter the sequence number of the ACL entry. Multiple entries in an ACL will be processed in order based on this number. The sequence number cannot be modified once created. The ACL must be deleted and recreated.
C. Protocol: Specify if TCP, UDP, or all packets associated with the IP addresses defined in this ACL will be permitted or denied.
D. Action: Specify if packets associated with the IP addresses defined in this ACL will be permitted or denied.
E. Source IP: Specify the source IP address of the incoming packet. Choose Custom to enter a specific IP address. To specify a wildcard, use the '*' symbol. Enter Any in the text field or leave the field following Custom blank to apply to all IP addresses.
F. Destination IP: Specify the destination IP address of the incoming packet. Choose Custom to enter a specific IP address. To specify a wildcard, use the '*' symbol.  Enter Any in the text field or leave the field following Custom blank to apply to all IP addresses.

3. Click Create.
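The two procedures above describe the same evaluation model: a named ACL holds entries that are walked in sequence-number order, each entry matching on source/destination address (with '*' as a wildcard and Any or a blank field matching everything) and, for IPv4, on protocol, then permitting or denying. The following simulator is an added example written for this article, not Open Mesh firmware or any Open Mesh API, and is useful for sanity-checking an entry order before committing it on a switch. It assumes, beyond what the article states, that a '*' wildcard stands for one whole octet or byte in that position, that the first matching entry decides the packet's fate, and that the default for a packet matching no entry is configurable (here it defaults to deny). The class and function names are the example's own.

```python
"""Simulator of sequence-ordered ACL evaluation (added example, not vendor code).

Models the fields from the article: ACL name, sequence, action, source and
destination MAC or IPv4 address, and protocol (IPv4 only).  Assumptions that
the article does not state: '*' matches one whole octet/byte, the first
matching entry wins, and the no-match default is a parameter (deny by default).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

MAX_ENTRIES_PER_ACL = 256  # limit stated in the article


def _address_matches(pattern: str, value: str, sep: str) -> bool:
    """Compare one address against a pattern field-by-field.

    An empty pattern or "Any" matches every address (as the article describes
    for the Custom field); '*' matches one whole field (assumption).
    """
    pattern = pattern.strip()
    if pattern == "" or pattern.lower() == "any":
        return True
    p_fields = pattern.lower().split(sep)
    v_fields = value.strip().lower().split(sep)
    if len(p_fields) != len(v_fields):
        return False
    return all(p == "*" or p == v for p, v in zip(p_fields, v_fields))


@dataclass(frozen=True)  # frozen: sequence and fields cannot be edited after creation
class MacEntry:
    sequence: int
    action: str            # "permit" or "deny"
    src_mac: str = "Any"
    dst_mac: str = "Any"

    def matches(self, pkt: dict) -> bool:
        return (_address_matches(self.src_mac, pkt["src_mac"], ":")
                and _address_matches(self.dst_mac, pkt["dst_mac"], ":"))


@dataclass(frozen=True)
class Ipv4Entry:
    sequence: int
    action: str            # "permit" or "deny"
    protocol: str = "all"  # "tcp", "udp" or "all"
    src_ip: str = "Any"
    dst_ip: str = "Any"

    def matches(self, pkt: dict) -> bool:
        proto_ok = self.protocol == "all" or self.protocol == pkt.get("protocol", "").lower()
        return (proto_ok
                and _address_matches(self.src_ip, pkt["src_ip"], ".")
                and _address_matches(self.dst_ip, pkt["dst_ip"], "."))


@dataclass
class Acl:
    name: str  # every entry added here shares this ACL name
    entries: List[Union[MacEntry, Ipv4Entry]] = field(default_factory=list)

    def add(self, entry: Union[MacEntry, Ipv4Entry]) -> None:
        """Add an entry, enforcing the per-ACL limit and unique sequence numbers."""
        if len(self.entries) >= MAX_ENTRIES_PER_ACL:
            raise ValueError(f"ACL {self.name}: limit of {MAX_ENTRIES_PER_ACL} entries reached")
        if any(e.sequence == entry.sequence for e in self.entries):
            raise ValueError(f"ACL {self.name}: sequence {entry.sequence} already exists")
        if entry.action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        self.entries.append(entry)
        # Entries are processed in order of sequence number, not insertion order.
        self.entries.sort(key=lambda e: e.sequence)

    def evaluate(self, pkt: dict, default: str = "deny") -> Tuple[str, Optional[int]]:
        """Return (action, sequence of the deciding entry); first match wins (assumption)."""
        for entry in self.entries:
            if entry.matches(pkt):
                return entry.action, entry.sequence
        return default, None  # no entry matched: fall back to the configured default


if __name__ == "__main__":
    # Constructed sample entries and packets, not taken from a real switch.
    mac_acl = Acl("guest-mac")
    mac_acl.add(MacEntry(20, "permit"))                          # catch-all, evaluated second
    mac_acl.add(MacEntry(10, "deny", src_mac="00:11:22:*:*:*"))  # vendor prefix, evaluated first
    print(mac_acl.evaluate({"src_mac": "00:11:22:AA:BB:CC", "dst_mac": "FF:FF:FF:FF:FF:FF"}))

    ip_acl = Acl("lab-ipv4")
    ip_acl.add(Ipv4Entry(10, "deny", protocol="udp", dst_ip="10.0.0.*"))
    ip_acl.add(Ipv4Entry(20, "permit", src_ip="192.168.1.*"))
    print(ip_acl.evaluate({"protocol": "udp", "src_ip": "192.168.1.5", "dst_ip": "10.0.0.7"}))
    print(ip_acl.evaluate({"protocol": "tcp", "src_ip": "172.16.0.9", "dst_ip": "10.0.0.7"}))
```

The `evaluate` method returns the sequence number of the deciding entry so that a surprising permit or deny can be traced back to the exact row in the switch's table. Because the article says sequence numbers cannot be changed after creation, it is worth leaving gaps (10, 20, 30) so that a new entry can be slotted between existing ones without deleting and recreating the ACL.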
