Programmable Internetworking & Communication Operating System Docs

In L2/L3, ACLs support destination-address-ipv4, destination-address-ipv6, destination-mac-address, destination-port, ether-type, ip, protocol, source-address-ipv4, source-address-ipv6, source-mac-address, source-port, and vlan-id.

TCP flags are also supported. These ACLs can be applied to physical ports, LAG ports, and VLAN interfaces. One ACL can be applied to multiple ports (whether or not the ports' properties are the same), but only one ACL can be matched to a given port.

  • Different firewall filters cannot be configured on the same VLAN interface in the ingress direction or in the egress direction.

  • ACLs cannot filter Layer 2 protocol packets, for example BPDU, LLDP, and LACP.
  • Packets with any of the following destination MACs are always sent to the CPU, even if an ACL policy has been configured to discard them.

    01:80:c2:00:00:10
    01:80:c2:00:00:20/ff:ff:ff:ff:ff:f0
    01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0

  • The IPv6 matching fields destination-address-ipv6 and source-address-ipv6 of ACL rules on an input interface are supported only on 32 series switches.
  • The IPv6 matching fields destination-address-ipv6 and source-address-ipv6 of ACL rules on an output interface are not supported on all platforms.

  • The matching field protocol icmp of ACL rules on an output interface is not supported on all platforms.

  • The matching fields destination-mac-address, ether-type, vlan, first-fragment, ip-fragment and source-mac-address of ACL rules on output interface inbound-control-plane are not supported on all platforms.
  • The match counter statistics of an ACL filter are cleared when a new filter is added or an existing filter is modified or deleted. New match counter statistics are generated from subsequently matched packets.
  • The set firewall filter sequence from protocol icmp and set firewall filter sequence from protocol igmp commands configure firewall filter rules based on the ICMP or IGMP protocol type for IPv4 traffic classification only. To configure a firewall filter rule based on the ICMP or IGMP protocol type for IPv6 traffic classification, use the set firewall filter sequence from protocol others command with the protocol number.

 

Configuring ACLs

admin@XorPlus# set firewall filter bad-net sequence 111 from source-address-ipv4 1.1.1.0/24 
admin@XorPlus# set firewall filter bad-net sequence 111 then action discard 
admin@XorPlus# set firewall filter bad-net sequence 112 from source-address-ipv4 1.1.2.0/24 
admin@XorPlus# set firewall filter bad-net sequence 112 then action discard 
admin@XorPlus# commit 
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus#
admin@XorPlus# set firewall filter bad-net input interface ge-1/1/1 
admin@XorPlus# commit 
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set firewall filter bad-net input interface ae1 
admin@XorPlus# commit 
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# 

When the switch receives a packet, in either the ingress or the egress direction, it evaluates the ACL rules in sequence-number order, with smaller values having higher priority. If the matched rule's action is "forward" or "discard", the switch forwards or discards the packet and does not evaluate the remaining rules. If no rule matches, the packet is dropped.
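As an added illustration (not from the PICOS documentation or product code), the following Python model applies the evaluation order described above to a constructed filter: the "from"/"then" lines of each sequence are merged into one rule, rules are tried in ascending sequence order, the first forward/discard match ends evaluation, and an unmatched packet is dropped. It also models the reserved destination MACs listed earlier, which reach the CPU regardless of the ACL action; the packet dictionary layout and its field names are assumptions of the model.

```python
import ipaddress
import re
# Constructed sample filter in the page's CLI syntax (not captured from a switch).
CONFIG = """
set firewall filter bad-net sequence 111 from source-address-ipv4 1.1.1.0/24
set firewall filter bad-net sequence 111 then action discard
set firewall filter bad-net sequence 331 from protocol tcp flags ack true
set firewall filter bad-net sequence 331 then action discard
set firewall filter bad-net sequence 500 from destination-address-ipv4 10.0.0.0/8
set firewall filter bad-net sequence 500 then action forward
"""
# Destination MAC/mask pairs the page says are always sent to the CPU, whatever the ACL action.
CPU_PUNT = [(0x0180c2000010, 0xffffffffffff),   # 01:80:c2:00:00:10
            (0x0180c2000020, 0xfffffffffff0),   # 01:80:c2:00:00:20/ff:ff:ff:ff:ff:f0
            (0x0180c2000000, 0xfffffffffff0)]   # 01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0
RULE_RE = re.compile(r"set firewall filter (\S+) sequence (\d+) (from|then) (.+)")
def punted_to_cpu(dst_mac):
    dst = int(dst_mac.replace(":", ""), 16)
    return any(dst & mask == addr for addr, mask in CPU_PUNT)
def parse_filter(text, name):
    # Merge the "from"/"then" lines of each sequence number into one rule.
    rules = {}
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(1) == name:
            rule = rules.setdefault(int(m.group(2)), {"match": {}, "action": None})
            toks = m.group(4).split()
            if m.group(3) == "then":
                rule["action"] = toks[1]                        # "action discard"
            elif toks[0] == "protocol" and len(toks) == 5:      # "protocol tcp flags ack true"
                rule["match"]["protocol"] = toks[1]
                rule["match"].setdefault("flags", {})[toks[3]] = toks[4] == "true"
            else:
                rule["match"][toks[0]] = toks[1]                # e.g. source-address-ipv4 1.1.1.0/24
    return [rules[seq] for seq in sorted(rules)]                # smaller sequence = higher priority
def field_ok(key, want, have):
    if key.endswith("-ipv4"):
        return have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want)
    if key == "flags":                                          # every listed flag must have its value
        return all((have or {}).get(f, False) == v for f, v in want.items())
    return have == want
def evaluate(rules, pkt):
    # Reserved MACs bypass the ACL; otherwise the first forward/discard match wins; no match drops.
    if "dst_mac" in pkt and punted_to_cpu(pkt["dst_mac"]):
        return "cpu"
    for rule in rules:
        matched = all(field_ok(k, w, pkt.get(k)) for k, w in rule["match"].items())
        if matched and rule["action"] in ("forward", "discard"):
            return rule["action"]
    return "discard"
```

A packet from 9.9.9.9 to 10.1.1.1 carrying TCP ACK is discarded by sequence 331 before sequence 500 can forward it, while a packet to 172.16.0.1 that matches nothing is dropped by the implicit deny.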


Configuring ACLs in VLANs

The ACLs configured on a VLAN interface are applied to every member port of that VLAN.

admin@XorPlus# set firewall filter bad-net sequence 221 from source-address-ipv4 1.1.1.0/24 
admin@XorPlus# set firewall filter bad-net sequence 221 then action discard 
admin@XorPlus# set firewall filter bad-net sequence 222 from source-address-ipv4 1.1.2.0/24 
admin@XorPlus# set firewall filter bad-net sequence 222 then action discard 
admin@XorPlus# commit 
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set vlans vlan-id 2 l3-interface vlan-2
admin@XorPlus# set vlan-interface interface vlan-2
admin@XorPlus# set firewall filter bad-net input vlan-interface vlan-2
admin@XorPlus# commit 
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# 


Configuring ACL Discard TCP ACK

You can match on TCP flags (ACK/FIN/PSH/RST/SYN/URG/TCP-ESTABLISHED/TCP-INITIAL), specifying whether each flag must be true or false, and the action (forward/discard) to perform on matching packets.

admin@XorPlus# set firewall filter bad-net sequence 331 then action discard 
admin@XorPlus# set firewall filter bad-net sequence 331 from protocol tcp flags ack true
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set firewall filter bad-net output interface ge-1/1/1 
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# 


Configuring ACL logging for Match Statistics

admin@XorPlus# set firewall filter bad-net sequence 441 then action discard 
admin@XorPlus# set firewall filter bad-net sequence 441 from destination-address-ipv4 192.168.100.0/24
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set firewall filter bad-net input interface ge-1/1/1
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus# set firewall filter bad-net sequence 441 log interval 10
admin@XorPlus# commit
Waiting for merging configuration.
Commit OK.
Save done.
admin@XorPlus#
admin@XorPlus# run syslog monitor on
admin@XorPlus# 

 

Check the Configuration

admin@XorPlus# run show filter
Filter: bad-net
           Description:
           Sequence: 111
               Description:
               match counter:  0 packets
               match-condition:
                  source-address-ipv4:                 1.1.1.0/24
               action: discard
               forwarding_class: 
           Sequence: 112
               Description:
               match counter:  0 packets
               match-condition:
                  source-address-ipv4:                 1.1.2.0/24
               action: discard
               forwarding_class:
              Input interface: ge-1/1/1
Filter: copp
           Description:
           Sequence: 10
               Description:
               match counter:  0 packets
               match-condition:
                  protocol:                 bpdu
               action: forward
               forwarding_class: bpdu-class
              ......