Configuring Basic ACL
In L2/L3, ACLs support destination-address-ipv4, destination-address-ipv6, destination-mac-address, destination-port, ether-type, ip, protocol, source-address-ipv4, source-address-ipv6, source-mac-address, source-port, and vlan-id.
TCP flags are also supported. These ACLs can be applied to physical ports, LAG ports, and VLAN interfaces. One ACL can be applied to multiple ports (the properties of the ports can be same or different), but only one port can be matched to one ACL.
It does not allow to configure different firewall filters to the same VLAN interface on ingress side or egress side.
- ACL can't filter layer 2 protocol packets, for example BPDU, LLDP, LACP and so on.
Packets with any of the following destination MACs will always be sent to CPU even if ACL policy has been configured to discard the packets.
01:80:c2:00:00:10
01:80:c2:00:00:20/ff:ff:ff:ff:ff:f0
01:80:c2:00:00:00/ff:ff:ff:ff:ff:f0
- Matching field protocol icmp of ACL rules on output interface are not supported on all the platforms.
- Matching fields destination-mac-address, ether-type, vlan, first-fragment, ip-fragment and source-mac-address of ACL rules on output interface inbound-control-plane are not supported on all the platforms.
- The match counter statistics information of the ACL filter is cleared when adding a new filter, modifying, or deleting an old filter. When there is a new packet, new match counter statistics information will be generated.
- set firewall filter sequence from protocol icmp and set firewall filter sequence from protocol igmp commands configure the firewall filter rules based on the ICMP or IGMP protocol type for only IPv4 traffic classification. To configure the firewall filter rule based on the ICMP or IGMP protocol type for IPv6 traffic classification, use the set firewall filter sequence from protocol others command with the protocol number.
When matching ACL rules, the system processes IPv6 rules (destination-address-ipv6/source-address-ipv6) with higher priority than other ACL rules. Even if the sequence number of IPv6 rule is larger than the other rules', the IPv6 rule will be processed first.
For example, confider the ACL rules shown below. The destination-address-ipv6 rule will be processed first then all the other rules will be processed.admin@XorPlus# set firewall filter MyFilter sequence 100 from destination-mac-address 44:44:44:44:44:44
admin@XorPlus# set firewall filter MyFilter sequence 100 then action discard
admin@XorPlus# set firewall filter MyFilter sequence 200 from destination-address-ipv6 2001::1/128
admin@XorPlus# set firewall filter MyFilter sequence 200 then action forwardTherefore, when planning ACL rules, it is recommended to configure IPv6 source/destination rules with smaller sequence numbers. If not then it is highly stressed to keep this exception in mind while trying to achieve the desired effect.
IPv6 ACL rules cannot be configured with the following rules at the same time:
Configuration with ether-type or destination-port is not supported on the ingress port.
Configuration with destination-mac-address or source-mac-address or ether-type is not supported on the egress port.
- Please note: There is always an implicit discard action rule at the end of all ACL rules.
- If all the ACL rules specify discard actions only, then add a forward all action rule at the end of the ACL to specify that all "unmatched" packets will be forwarded.
Example: set firewall filter bad-net sequence 999 then action forward
Configuring ACLs
admin@XorPlus# set firewall filter bad-net sequence 111 from source-address-ipv4 1.1.1.0/24 admin@XorPlus# set firewall filter bad-net sequence 111 then action discard admin@XorPlus# set firewall filter bad-net sequence 112 from source-address-ipv4 1.1.2.0/24 admin@XorPlus# set firewall filter bad-net sequence 112 then action discard admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus# admin@XorPlus# set firewall filter bad-net input interface ge-1/1/1 admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus# set firewall filter bad-net input interface ae1 admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus#
When the switch receives a packet in ingress and egress, it will attempt to match ACLs by sequence number, with smaller values representing higher priorities. If the matched ACL's action is "forward" or "discard," the switch will forward or discard the packet and will not match the remaining ACLs. If there is no matching ACL, the packet will be dropped.
Configuring ACLs in VLANs
Every member port in the VLAN interface will be applied with the ACLs configured in the VLAN interface.
admin@XorPlus# set firewall filter bad-net sequence 221 from source-address-ipv4 1.1.1.0/24 admin@XorPlus# set firewall filter bad-net sequence 221 then action discard admin@XorPlus# set firewall filter bad-net sequence 222 from source-address-ipv4 1.1.2.0/24 admin@XorPlus# set firewall filter bad-net sequence 222 then action discard admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus# set vlans vlan-id 2 l3-interface vlan-2 admin@XorPlus# set l3-interface vlan-interface vlan-2 admin@XorPlus# set firewall filter bad-net input vlan-interface vlan-2 admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus#
Configuring ACL Discard TCP ACK
You can configure ACL TCP flags (ACK/FIN/PSH/RST/SYN/URG/TCP-ESTABLISHED/TCP-INITIAL) to specify what action (forward/discard) to perform on which packets (true/false).
admin@XorPlus# set firewall filter bad-net sequence 331 then action discard admin@XorPlus# set firewall filter bad-net sequence 331 from protocol tcp flags ack true admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus# set firewall filter bad-net output interface ge-1/1/1 admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus#
Configuring ACL logging for Match Statistics
admin@XorPlus# set firewall filter bad-net sequence 441 then action discard admin@XorPlus# set firewall filter bad-net sequence 441 from destination-address-ipv4 192.168.100.0/24 admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus# set firewall filter bad-net input interface ge-1/1/1 admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus# set firewall filter bad-net sequence 441 log interval 10 admin@XorPlus# commit Waiting for merging configuration. Commit OK. Save done. admin@XorPlus# admin@XorPlus# run syslog monitor on admin@XorPlus#
Check the Configuration
admin@XorPlus# run show filter Filter: bad-net Description: Sequence: 111 Description: match counter: 0 packets match-condition: source-address-ipv4: 1.1.1.0/24 action: discard forwarding_class: Sequence: 112 Description: match counter: 0 packets match-condition: source-address-ipv4: 1.1.2.0/24 action: discard forwarding_class: Input interface: ge-1/1/1 Filter: copp Description: Sequence: 10 Description: match counter: 0 packets match-condition: protocol: bpdu action: forward forwarding_class: bpdu-class ......
Copyright © 2024 Pica8 Inc. All Rights Reserved.