The ACL Implement packet filtering by configuring matching rules and processing operations for packets. The ACL can effectively prevent illegal users from accessing the network, and can also control traffic and save network resources. Packet matching rules defined by ACL can also be referenced by other functions that need to differentiate traffic, such as the definition of traffic classification rules in QoS. The ACL classifies packets through a series of matching conditions, which can be SMAC, DMAC, SIP, DIP, etc. According to the matching conditions, ACLs can be divided into the following types: Standard IP-based ACL: Make rules based only on the source IP address of the packet. Extended IP-based ACL: formulate rules based on the source IP address, destination IP address, ETYPE, and protocol of the data packet. MAC-based ACL: formulate rules based on the source MAC address and destination MAC address of the data packet. IPV6-based ACL: develop rules based on the source IPV6 address, destination IPV6 address, protocol, etc. of the data packet.<\/p>\n
SWITCH(config)# ip-access-list {<1-99> | <1300-1999>} {permit | deny} {host SIPADDR | SIPADDR SIPADDRMASK | any}<\/code><\/pre>\nSWITCH(config)# no ip-access-list {<1-99> | <1300-1999>}<\/code><\/pre>\nCreate \/delete standard IP-based ACL rules<\/p>\n
SWITCH(config)# ip-access-list standard {<1-99> | <1300-1999> | NAME}<\/code><\/pre>\nSWITCH(config)# no ip-access-list standard {<1-99> | <1300-1999> | NAME}<\/code><\/pre>\nCreate\/delete standard IP ACL and switch to IP standard ACL mode<\/p>\n
SWITCH(config-std-acl)# [SN] {permit | deny} {host SIPADDR | SIPADDR SIPADDRMASK | any}<\/code><\/pre>\nSWITCH( config-std-acl )# no {permit | deny} {host SIPADDR | SIPADDR SIPADDRMASK | any}<\/code><\/pre>\nSWITCH( config-std-acl )# no SN<\/code><\/pre>\nCreate\/delete a standard IP ACL rule SN: Serial number of each rule (1-2147483647)<\/p>\n
Configure IP Extended ACL<\/h2>\n\n- Configure IP-based Extended ACL Rules<\/li>\n<\/ul>\n
SWITCH(config)# ip-access-list {<100-199> | <2000-2699>} {permit | deny} PROTOCOL {host SIPADDR | SIPADDR SIPADDRMASK | any} [eq SPORT] {host | DIPADDR DIPADDRMASK | any} [eq DPORT]<\/code><\/pre>\nSWITCH(config)# no ip-access-list {<100-199> | <2000-2699>}<\/code><\/pre>\nCreate \/delete IP-based extended ACL rules PROTOCOL list: <0-255>: Specify the ID of the protocol any: any protocol message gre: GRE message icmp: ICMP message igmp: IGMP message ip: IPv4 message (0x4) ipcomp: IPComp message ospf: OSPF message pim: PIM message rsvp: RSVP message tcp: TCP message udp: UDP message vrrp: VRRP message The eq option is only available for TCP and UDP protocols. For the following port number names, you can use the port number name or port number to specify a specific port: TCP port number list: <0-65535> Specify port number bgp (179) ftp (21) ftp-data (20) Login (513) pop2 (109) pop3 (110) smtp (25) telnet (23) www (80) UDP port number list: <0-65535> Specify port number bootpc (68) boots (67) domain (53) echo (7) rip (520) snmp (161) syslog (514) tftp (69)<\/p>\n
SWITCH(config)# ip-access-list extended {<100-199> | <2000-2699> | NAME}<\/code><\/pre>\nSWITCH(config)# no ip-access-list extended {<100-199> | <2000-2699> | NAME}<\/code><\/pre>\nCreate\/delete extended IP ACL and switch to IP extended ACL mode<\/p>\n
SWITCH(config-ext-acl)# [SN] {permit | deny} PROTOCOL {host SIPADDR | SIPADDR SIPADDRMASK | any} [eq SPORT] {host DIPADDR | DIPADDR DIPADDRMASK | any} [eq DPORT]<\/code><\/pre>\nSWITCH( config-ext-acl )# no {permit | deny} PROTOCOL {host SIPADDR | SIPADDR SIPADDRMASK | any} [eq SPORT] {host DIPADDR | DIPADDR DIPADDRMASK | any} [eq DPORT]<\/code><\/pre>\nSWITCH( config-ext-acl )# no SN<\/code><\/pre>\nCreate\/delete an extended IP ACL rule SN: Serial number of each rule (1-2147483647) PROTOCOL list: <0-255>: Specify the ID of the protocol any: any protocol message gre: GRE message icmp: ICMP message igmp: IGMP message ip: IPv4 message (0x4) ipcomp: IPComp message ospf: OSPF message pim: PIM message rsvp: RSVP message tcp: TCP message udp: UDP message vrrp: VRRP message For the following port number names, you can use the port number name or port number to specify a specific port: eq (TCP and UDP only) TCP port number list: <0-65535> Specify port number bgp (179) ftp (21) ftp-data (20) Login (513) pop2(109) pop3(110) smtp (25) telnet (23) www (80) UDP port number list: <0-65535> Specify port number bootpc (68) boots (67) domain (53) echo (7) rip (520) snmp (161) syslog (514) tftp (69)<\/p>\n
Configure MAC ACL<\/h2>\n\n- Configure MAC-based ACL Rules<\/li>\n<\/ul>\n
SWITCH(config)# mac-access-list <200-699> {permit | deny} {host SMAC | SMAC SMACMASK | any} {host DMAC | DMAC DMACMASK | any} [ethertype ETYPE] [cos VALUE] SWITCH(config)# no mac-access-list <200-699><\/code><\/pre>\nCreate\/delete MAC-based ACL rules ethertype: Ethernet protocol type (0x05DD-0xFFFF) cos: priority value of the message (0-7)<\/p>\n
SWITCH(config)# mac-access-list {<200-699> | NAME}<\/code><\/pre>\nSWITCH(config)# no mac-access-list {<200-699> | NAME}<\/code><\/pre>\nCreate\/delete standard MAC ACL and switch to MAC ACL mode<\/p>\n
SWITCH(config-mac-acl)# [SN] {permit | deny} {host SMAC | SMAC SMACMASK | any} {host DMAC | DMAC DMACMASK | any} [ethertype ETYPE] [cos VALUE]<\/code><\/pre>\nSWITCH( config-mac-acl )# no {permit | deny} {host SMAC | SMAC SMACMASK | any} {host DMAC | DMAC DMACMASK | any} [ethertype ETYPE] [cos VALUE]<\/code><\/pre>\nSWITCH( config-mac-ext-acl )# no SN<\/code><\/pre>\nCreate\/delete a MAC ACL rule SN: Serial number of each rule (1-2147483647) ethertype: Ethernet protocol type (0x05DD-0xFFFF) cos: priority value of the message (0-7) Configure IPv6 ACL<\/p>\n
SWITCH(config)# ipv6-access-list {NAME}<\/code><\/pre>\nSWITCH(config)# no ipv6-access-list {NAME}<\/code><\/pre>\nCreate\/delete IPV6 ACL and switch to IPV6 ACL mode<\/p>\n
SWITCH(config-ipv6-acl)# [SN] {permit | deny} [PROTOCOL] {SOURCE-IPV6-PREFIX\/PREFIX-LENGTH | any | host SOURCE-IPV6-ADDRESS} [eq SPORT] {DESTINATION- IPV6-PREFIX \/ PREFIX-LENGTH | any | host DESTINATION-IPV6-ADDRESS} [eq DPORT]<\/code><\/pre>\nSWITCH(config-ipv6-acl)# no {permit | deny} [PROTOCOL] {SOURCE-IPV6-PREFIX\/PREFIX-LENGTH | any | host SOURCE-IPV6-ADDRESS} [eq SPORT] {DESTINATION- IPV6-PREFIX \/ PREFIX-LENGTH | any| host DESTINATION-IPV6-ADDRESS} [eq DPORT]<\/code><\/pre>\nSWITCH(config-ipv6-acl)# no SN<\/code><\/pre>\nCreate\/delete an IPV6 ACL rule SN: Serial number of each rule (1-2147483647) PROTOCOL list: <0-255>: Specify the ID of the protocol any: any protocol message icmp: ICMP message tcp: TCP message udp: UDP message For the following port number names, you can use the port number name or port number to specify a specific port: eq (TCP and UDP only) TCP port number list: <0-65535> Specify port number bgp (179) ftp (21) ftp-data (20) login (513) pop2 (109) pop3 (110) smtp (25) telnet (23) www (80) UDP port number list: <0-65535> Specify port number biff (512) bootpc (68) boots (67) discard (9) dnsix (195) domain 53) echo (7) Isakmp (500) ntp (123) pim-auto-rp (496) rip (520) snmp (161) snmptrap (162) tftp (69)<\/p>\n
Note<\/h2>\n
\u2726 Up to 128 rules can be configured under a single ACL-ID; \u2726 Mask inversion, if it matches an IP address in the 192.168.1.0\/24 range, 192.168.1.0 0.0.0.255 should be configured; \u2726 The name of the ACL can be named, and the first character cannot be a number; \u2726 MAC ACL does not take effect on IPV6 packets; \u2726 The final default configuration of each ACL is deny any item;<\/p>\n
Other Configuration Items<\/h2>\n\n- Configure ACL Counters<\/li>\n<\/ul>\n
If the user wants to start the packet matching counting function on the access list, please enable it in the access list.<\/p>\n
SWITCH(config-std-acl)# counter enable<\/code><\/pre>\nSWITCH(config-std-acl)# no counter enable<\/code><\/pre>\nEnable \/ disable ACL counter in all ACL modes<\/p>\n
SWITCH# clear access-list counter NAME<\/code><\/pre>\nClear the ACL count value<\/h2>\n\n- Configure ACL Descriptor<\/li>\n<\/ul>\n
SWITCH(config-std-acl)# description TEXT<\/code><\/pre>\nSWITCH(config-std-acl)# no description<\/code><\/pre>\nConfigure\/delete ACL descriptors TEXT: descriptor (up to 64 characters)<\/p>\n
Configurable in all ACL modes<\/h2>\n\n- Trigger ACL Sequence Number Reordering<\/li>\n<\/ul>\n
SN is the sequence number of the rule entry, and the value range is [1,2147483647]. This sequence number determines the priority of this rule entry in the access list. The smaller the sequence number, the greater the priority. The packet with the higher priority will be matched first. If the sequence number is not specified when configuring the matching rule, the system will automatically Assign a sequence number, the starting value of the sequence number is 10, and the increment value is 10.<\/p>\n
SWITCH(config-std-acl)# resequence START STEP<\/code><\/pre>\nSWITCH(config-std-acl)# no resequence<\/code><\/pre>\nReorder serial numbers<\/h2>\n
START: starting position (default value: 10, range <1-2147483647>) STEP: step size (default value: 10, range <1-2147483647>) Configurable in all ACL modes<\/p>\n
Note<\/h2>\n
\u2726 The serial number is unique; \u2726 When configuring an ACL entry, if the sequence number is not specified, it will be specified in steps after the current maximum sequence number (rules cannot be added if it exceeds the set range);<\/p>\n
\n- Applying ACL to an Interface<\/li>\n<\/ul>\n
SWITCH(config-if)# access-group ACLNAME {in | out}<\/code><\/pre>\nSWITCH(config-if)# no access-group ACLNAME {in | out}<\/code><\/pre>\nConfigure\/delete ACL applied to the port<\/p>\n
Note<\/h2>\n
\u2726 When the ACL has been applied to the port or configured as a QOS flow matching rule, if you need to add or delete a rule, you need to first unapply it from the interface or QOS flow matching rule; \u2726 The aggregation port does not support ACL application in the out direction, and the member ports of the aggregation port do not support ACL application; \u2726 ACL applications not supported by VLAN ports;<\/p>\n
Examples<\/h2>\n
Case 1: Filter the incoming packets of port gigabitEthernet0\/1, release the packets with SIP 192.168.1.0\/24, and discard other packets.<\/p>\n
\n- Configure ACL rules:<\/li>\n<\/ul>\n
SWITCH(config)#ip-access-list 1 permit 192.168.1.0 0.0.0.255<\/code><\/pre>\nor<\/p>\n
SWITCH(config)#ip-access-list standard 1<\/code><\/pre>\nSWITCH(config-std-acl)#permit 192.168.1.0 0.0.0.255<\/code><\/pre>\nSWITCH(config)#interface gigabitEthernet0\/1<\/code><\/pre>\nSWITCH(config-if)#access-group 1 in<\/code><\/pre>\nCase 2: Filter the entry packets of port gigabitEthernet0\/1 and reject the packets sent by the host IP 192.168.1.2 with the packet type TCP and the source port number 40. Other packets will pass.<\/p>\n
SWITCH(config)#ip-access-list 100 deny tcp host 192.168.1.2 eq 40 any<\/code><\/pre>\nSWITCH(config)#ip-access-list 100 permit any any any<\/code><\/pre>\nor<\/p>\n
SWITCH(config)#ip-access-list extended 100<\/code><\/pre>\nSWITCH(config-ext-acl)#deny tcp host 192.168.1.2 eq 40 any<\/code><\/pre>\nSWITCH(config-ext-acl)#permit any any any<\/code><\/pre>\nSWITCH(config)#interface gigabitEthernet0\/1<\/code><\/pre>\nSWITCH(config-if)#access-group 100 in<\/code><\/pre>\nCase 3: Filter the export packets of port gigabitEthernet0\/1 and reject the Ethernet type 0x804 packets sent by the host with MAC 0000.0047.5124. Other packets will pass.<\/p>\n
SWITCH(config)# mac-access-list 200 deny host 0000.0047.5124 any ethertype 0x804<\/code><\/pre>\nSWITCH(config)# mac-access-list 200 permit any any<\/code><\/pre>\nor<\/p>\n
SWITCH(config)#mac-access-list 200<\/code><\/pre>\nSWITCH(config-mac-acl)#deny host 0000.0047.5124 any ethertype 0x804<\/code><\/pre>\nSWITCH(config-mac-acl)#permit any any<\/code><\/pre>\nSWITCH(config)#interface gigabitEthernet0\/1<\/code><\/pre>\nSWITCH(config-if)#access-group 200 out<\/code><\/pre>\nCase 4: Filter the ingress packets of port gigabitEthernet0\/1 , release the packets with the IPv6 address of the destination host::D0F8:1900:9F51:0000 , and discard other packets.<\/p>\n
SWITCH(config)#ipv6-access-list ip6-acl<\/code><\/pre>\nSWITCH(config-ipv6-acl)#permit any any host ::D0F8:1900:9F51:0000<\/code><\/pre>\nSWITCH(config)#interface gigabitEthernet0\/1<\/code><\/pre>\nSWITCH(config-if)#access-group ip6-acl in<\/code><\/pre>\nCase 5: Filter the incoming packets of port gigabitEthernet0\/1, release the packets with SIP 192.168. 2. 1, discard other packets , and turn on the counter to view packet statistics .<\/p>\n
SWITCH(config)#ip-access-list standard 1<\/code><\/pre>\nSWITCH(config-std-acl)#permit host 192.168.2.1<\/code><\/pre>\nSWITCH(config-std-acl)#counter enable<\/code><\/pre>\nSWITCH(config)#interface gigabitEthernet0\/1<\/code><\/pre>\nSWITCH(config-if)#access-group 1 in<\/code><\/pre>\nSWITCH#show access-list 1<\/code><\/pre>\nip-access-list standard 1 10 permit host 192.168.2.1(10 match) deng any (10 match)<\/p>\n
Display Information<\/h2>\n\n- Display ACL Information<\/li>\n<\/ul>\n
SWITCH#show access-list 1<\/code><\/pre>\nip-access-list standard 1 10 permit host 1.1.1.1 deny any<\/p>\n
SWITCH#show access-list 200<\/code><\/pre>\nmac-access-list 200 10 permit host 0001.0002.0003 any deny any<\/p>\n
SWITCH#show access-list ip6-acl<\/code><\/pre>\nipv6-access-list ip6-acl 10 permit tcp host a::1 eq bgp any deny any<\/p>\n","protected":false},"excerpt":{"rendered":"
Networking \u203a Switching \u203a Edge \u203a Synapse<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":6349,"menu_order":18,"comment_status":"open","ping_status":"closed","template":"","doc_tag":[115,119,116],"class_list":["post-6367","docs","type-docs","status-publish","hentry","doc_tag-connexite","doc_tag-network","doc_tag-synapse-cli-documentation","no-post-thumbnail"],"acf":[],"_links":{"self":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6367","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=6367"}],"version-history":[{"count":1,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6367\/revisions"}],"predecessor-version":[{"id":6415,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6367\/revisions\/6415"}],"up":[{"embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/docs\/6349"}],"wp:attachment":[{"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=6367"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/docs.connexite.co.uk\/index.php\/wp-json\/wp\/v2\/doc_tag?post=6367"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}