At Layer 2/Layer 3, ACLs can match on destination-address-ipv4, destination-address-ipv6, destination-mac-address, destination-port, ether-type, ip, protocol, source-address-ipv4, source-address-ipv6, source-mac-address, source-port, and vlan-id.
TCP flags are also supported. These ACLs can be applied to physical ports, LAG ports, and VLAN interfaces. One ACL can be applied to multiple ports (the ports need not have the same properties), but a given port can have only one ACL applied to it.
Configuring different firewall filters on the same VLAN interface, whether on the ingress side or on the egress side, is not allowed.
- An ACL cannot filter Layer 2 protocol packets, for example BPDU, LLDP, and LACP.
- Packets with any of the following destination MACs are always sent to the CPU, even if an ACL policy has been configured to discard them.
- Matching the field protocol icmp in ACL rules on an output interface is not supported on all platforms.
- Matching the fields destination-mac-address, ether-type, vlan, first-fragment, ip-fragment, and source-mac-address in ACL rules on the output interface inbound-control-plane is not supported on all platforms.
- The match counter statistics of an ACL filter are cleared whenever a filter is added, modified, or deleted. New statistics are generated as subsequent packets are matched.
- The set firewall filter sequence from protocol icmp and set firewall filter sequence from protocol igmp commands configure firewall filter rules based on the ICMP or IGMP protocol type for IPv4 traffic classification only. To classify IPv6 traffic by protocol type, use the set firewall filter sequence from protocol others command with the IP protocol number (for example, ICMPv6 is IP protocol number 58).
When matching ACL rules, the system processes IPv6 rules (those matching destination-address-ipv6 or source-address-ipv6) with higher priority than all other ACL rules. Even if the IPv6 rule's sequence number is larger than that of the other rules, the IPv6 rule is evaluated first.
For example, consider the ACL rules shown below. The destination-address-ipv6 rule (sequence 200) is evaluated first; only then are the other rules evaluated. A packet to 2001::1 with destination MAC 44:44:44:44:44:44 is therefore forwarded by sequence 200, even though sequence 100 would discard it.
admin@XorPlus# set firewall filter MyFilter sequence 100 from destination-mac-address 44:44:44:44:44:44
admin@XorPlus# set firewall filter MyFilter sequence 100 then action discard
admin@XorPlus# set firewall filter MyFilter sequence 200 from destination-address-ipv6 2001::1/128
admin@XorPlus# set firewall filter MyFilter sequence 200 then action forward
Therefore, when planning ACL rules, give IPv6 source/destination rules smaller sequence numbers than the rules they interact with, so that the configured order and the evaluation order agree. Where that is not possible, keep this exception in mind when reasoning about which rule a packet will hit.
IPv6 ACL rules cannot be configured together with the following match fields:
- ether-type or destination-port on an ingress port.
- destination-mac-address, source-mac-address, or ether-type on an egress port.
- Please note: there is always an implicit discard rule at the end of every ACL.
- If all of the ACL's rules specify discard actions, add a forward-all rule at the end of the ACL so that all unmatched packets are forwarded, for example:
Example: set firewall filter bad-net sequence 999 then action forward
When the switch receives a packet on ingress or egress, it attempts to match the ACL rules in sequence-number order, smaller values having higher priority (subject to the IPv6 exception described above). If the matched rule's action is forward or discard, the switch forwards or discards the packet and does not evaluate the remaining rules. If no rule matches, the packet is dropped by the implicit discard.
Configuring ACLs in VLANs
Every member port of the VLAN interface has the ACLs configured on the VLAN interface applied to it.
Configuring ACL Discard TCP ACK
You can configure ACL TCP flag matches (ACK/FIN/PSH/RST/SYN/URG/TCP-ESTABLISHED/TCP-INITIAL), each tested as true or false, to specify which action (forward/discard) to apply to packets whose flags match.
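The following is an added example, not PicOS/XorPlus code: a small Python model of the rule-evaluation order this page describes (first match wins, lower sequence first, IPv6 source/destination rules promoted ahead of everything else, implicit discard when nothing matches) together with the TCP flag matching from this section. It lets you check a planned filter against constructed packets before applying it to a production port. The Rule/Packet field names are my own, the packets are constructed, and the meaning of TCP-ESTABLISHED (ACK or RST set) and TCP-INITIAL (SYN without ACK) is an assumption, since the page does not define them.

```python
# Added example: model of the ACL evaluation order described on this page.
# Not PicOS/XorPlus code; field names and the established/initial flag
# semantics are assumptions made for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    dst_mac: str
    src_ip: str
    dst_ip: str
    protocol: int = 6                      # IP protocol number (6 = TCP)
    dst_port: int = 0
    tcp_flags: frozenset = frozenset()     # e.g. {"syn"} or {"syn", "ack"}


@dataclass
class Rule:
    seq: int
    action: str                            # "forward" or "discard"
    dst_mac: Optional[str] = None
    src_ipv4: Optional[str] = None
    dst_ipv4: Optional[str] = None
    src_ipv6: Optional[str] = None
    dst_ipv6: Optional[str] = None
    protocol: Optional[int] = None
    dst_port: Optional[int] = None
    # flag name -> required state (true/false), as in the CLI. "established"
    # is modelled as ACK or RST set, "initial" as SYN without ACK (assumption).
    tcp_flags: Dict[str, bool] = field(default_factory=dict)

    def is_ipv6_rule(self) -> bool:
        return self.src_ipv6 is not None or self.dst_ipv6 is not None

    @staticmethod
    def _flag(name: str, flags: frozenset) -> bool:
        if name == "established":
            return bool(flags & {"ack", "rst"})
        if name == "initial":
            return "syn" in flags and "ack" not in flags
        return name in flags

    def matches(self, pkt: Packet) -> bool:
        if self.dst_mac and self.dst_mac.lower() != pkt.dst_mac.lower():
            return False
        # ip_network containment is False across address families, so an
        # IPv6 rule never matches an IPv4 packet and vice versa.
        for net, addr in ((self.src_ipv4, pkt.src_ip), (self.dst_ipv4, pkt.dst_ip),
                          (self.src_ipv6, pkt.src_ip), (self.dst_ipv6, pkt.dst_ip)):
            if net is not None and ip_address(addr) not in ip_network(net, strict=False):
                return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.tcp_flags:
            if pkt.protocol != 6:
                return False
            for name, wanted in self.tcp_flags.items():
                if self._flag(name, pkt.tcp_flags) != wanted:
                    return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, ipv6_first: bool = True) -> Tuple[str, Optional[int]]:
    """Return (action, sequence of the matching rule). Lower sequence wins and
    the first match is terminal; with ipv6_first, IPv6 source/destination
    rules are tried before all other rules regardless of sequence (the
    behaviour this page warns about). No match falls through to the
    implicit discard, reported with sequence None."""
    ordered = sorted(rules, key=lambda r: (0 if ipv6_first and r.is_ipv6_rule() else 1, r.seq))
    for r in ordered:
        if r.matches(pkt):
            return r.action, r.seq
    return "discard", None


def page_example() -> Dict[str, Tuple[str, Optional[int]]]:
    """The MyFilter rules from the page, checked against constructed packets."""
    my_filter = [
        Rule(seq=100, action="discard", dst_mac="44:44:44:44:44:44"),
        Rule(seq=200, action="forward", dst_ipv6="2001::1/128"),
    ]
    to_v6_host = Packet("44:44:44:44:44:44", "2001::2", "2001::1")
    to_v4_host = Packet("44:44:44:44:44:44", "10.0.0.9", "10.0.0.5")
    other = Packet("aa:bb:cc:dd:ee:ff", "10.0.0.9", "10.0.0.5")
    with_forward_all = my_filter + [Rule(seq=999, action="forward")]   # "sequence 999 then action forward"
    return {
        "v6_host_ipv6_first": evaluate(my_filter, to_v6_host),                      # ("forward", 200)
        "v6_host_naive_order": evaluate(my_filter, to_v6_host, ipv6_first=False),   # ("discard", 100)
        "v4_host": evaluate(my_filter, to_v4_host),                                 # ("discard", 100)
        "unmatched": evaluate(my_filter, other),                                     # implicit discard
        "unmatched_forward_all": evaluate(with_forward_all, other),                 # ("forward", 999)
    }


def tcp_example() -> Dict[str, Tuple[str, Optional[int]]]:
    """Admit only established TCP to an inside subnet: new connections from
    outside (SYN without ACK) are discarded, replies to connections the
    inside host opened are forwarded, everything else hits the forward-all."""
    inbound = [
        Rule(seq=10, action="forward", dst_ipv4="10.0.0.0/24", protocol=6, tcp_flags={"established": True}),
        Rule(seq=20, action="discard", dst_ipv4="10.0.0.0/24", protocol=6, tcp_flags={"initial": True}),
        Rule(seq=999, action="forward"),
    ]
    syn = Packet("00:11:22:33:44:55", "203.0.113.7", "10.0.0.5", dst_port=22, tcp_flags=frozenset({"syn"}))
    syn_ack = Packet("00:11:22:33:44:55", "203.0.113.7", "10.0.0.5", dst_port=40000, tcp_flags=frozenset({"syn", "ack"}))
    return {"new_connection": evaluate(inbound, syn), "reply": evaluate(inbound, syn_ack)}
```

The `v6_host_naive_order` entry shows what an operator reading the filter top to bottom expects (discard at sequence 100); `v6_host_ipv6_first` shows what the platform actually does (forward at sequence 200). Run both while planning a filter and renumber until the two agree.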