In L2/L3, ACLs support destination-address-ipv4, destination-address-ipv6, destination-mac-address, destination-port, ether-type, ip, protocol, source-address-ipv4, source-address-ipv6, source-mac-address, source-port, and vlan-id.
TCP flags are also supported. These ACLs can be applied to physical ports, LAG ports, and VLAN interfaces. One ACL can be applied to multiple ports (the properties of those ports can be the same or different), but a given port can be bound to only one ACL.
Different firewall filters cannot be configured on the same VLAN interface on the ingress side or on the egress side.
- ACLs cannot filter layer 2 protocol packets, for example BPDU, LLDP, LACP, and so on.
- Packets with any of the following destination MACs will always be sent to the CPU even if an ACL policy has been configured to discard them.
- The IPv6 matching fields destination-address-ipv6 and source-address-ipv6 of ACL rules on an input interface are supported only on 32 series switches.
- The IPv6 matching fields destination-address-ipv6 and source-address-ipv6 of ACL rules on an output interface are not supported on all platforms.
- The matching field protocol icmp of ACL rules on an output interface is not supported on all platforms.
- The matching fields destination-mac-address, ether-type, vlan, first-fragment, ip-fragment, and source-mac-address of ACL rules on an output interface inbound-control-plane are not supported on all platforms.
- The match counter statistics of an ACL filter are cleared when a new filter is added or an existing filter is modified or deleted. Counting restarts with the next packet that matches.
- The set firewall filter sequence from protocol icmp and set firewall filter sequence from protocol igmp commands configure firewall filter rules based on the ICMP or IGMP protocol type for IPv4 traffic classification only. To configure a firewall filter rule based on the ICMP or IGMP protocol type for IPv6 traffic classification, use the set firewall filter sequence from protocol others command with the protocol number.
When the switch receives a packet on ingress or egress, it evaluates the ACLs in order of sequence number, with smaller values taking priority. If the first matching ACL's action is "forward" or "discard", the switch forwards or discards the packet and does not evaluate the remaining ACLs. If no ACL matches, the packet is dropped.
Configuring ACLs in VLANs
The ACLs configured on a VLAN interface are applied to every member port of that VLAN.
Configuring ACL Discard TCP ACK
You can match on ACL TCP flags (ACK/FIN/PSH/RST/SYN/URG/TCP-ESTABLISHED/TCP-INITIAL), specifying for each flag whether it must be set (true) or clear (false), and the action (forward/discard) to perform on the packets that match.
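The following Python model, added here as an illustration and not the switch vendor's code, shows the evaluation order described above (ascending sequence number, first forward/discard match wins, implicit drop when nothing matches) together with true/false TCP flag conditions such as the "discard TCP ACK" case. The rule and packet fields, the derived meanings of TCP-ESTABLISHED (ACK or RST set) and TCP-INITIAL (SYN set, ACK clear), and the sample filter are assumptions made for the model.

```python
"""Model of ACL evaluation order and TCP flag matching.

Added example, not the vendor's implementation. Rules are tried in ascending
sequence number; the first rule that matches terminates evaluation with its
action; a packet matching no rule is dropped.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


# Derived TCP flag conditions. These definitions are an assumption of the
# model, not taken from the vendor documentation.
def tcp_established(flags: frozenset) -> bool:
    return "ack" in flags or "rst" in flags


def tcp_initial(flags: frozenset) -> bool:
    return "syn" in flags and "ack" not in flags


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                        # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None
    tcp_flags: frozenset = frozenset()   # e.g. frozenset({"syn", "ack"})


@dataclass
class Rule:
    sequence: int
    action: str                          # "forward" or "discard"
    protocol: Optional[str] = None
    src_prefix: Optional[str] = None     # e.g. "10.0.0.0/8"
    dst_port: Optional[int] = None
    # Flag name -> required state: True means the flag must be set, False clear.
    tcp_flags: dict = field(default_factory=dict)

    def matches(self, pkt: Packet) -> bool:
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src_prefix is not None and (
            ipaddress.ip_address(pkt.src_ip)
            not in ipaddress.ip_network(self.src_prefix)
        ):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        for flag, wanted in self.tcp_flags.items():
            if pkt.protocol != "tcp":    # flag conditions only apply to TCP
                return False
            if flag == "tcp-established":
                actual = tcp_established(pkt.tcp_flags)
            elif flag == "tcp-initial":
                actual = tcp_initial(pkt.tcp_flags)
            else:
                actual = flag in pkt.tcp_flags
            if actual != wanted:
                return False
        return True


def evaluate(rules, pkt: Packet):
    """Return (action, sequence) of the first matching rule, in sequence order.

    Returns ("discard", None) when no rule matches: the implicit drop.
    """
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule.action not in ("forward", "discard"):
            raise ValueError(f"unknown action {rule.action!r} in sequence {rule.sequence}")
        if rule.matches(pkt):
            return rule.action, rule.sequence
    return "discard", None


# Constructed sample filter: allow SSH from the management prefix, discard any
# other TCP segment carrying ACK, allow ICMP. Listed deliberately out of order
# to show that the sequence number, not list position, decides priority.
RULES = [
    Rule(30, "forward", protocol="icmp"),
    Rule(10, "forward", protocol="tcp", src_prefix="10.0.0.0/8", dst_port=22),
    Rule(20, "discard", protocol="tcp", tcp_flags={"ack": True}),
]

if __name__ == "__main__":
    samples = [
        Packet("10.1.1.5", "10.2.2.2", "tcp", 22, frozenset({"syn"})),
        Packet("10.1.1.5", "10.2.2.2", "tcp", 22, frozenset({"ack"})),
        Packet("192.0.2.9", "10.2.2.2", "tcp", 22, frozenset({"ack"})),
        Packet("192.0.2.9", "10.2.2.2", "tcp", 443, frozenset({"syn"})),
        Packet("192.0.2.9", "10.2.2.2", "icmp"),
        Packet("192.0.2.9", "10.2.2.2", "udp", 53),
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
```

Note that the ACK segment from 10.1.1.5 to port 22 is forwarded by sequence 10 even though sequence 20 would discard it: once a rule matches, later rules are never consulted, so rule ordering is part of the policy and must be reviewed as such.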
Configuring ACL logging for Match Statistics