Configuring an ACL

Overview

An ACL (Access Control List) is an ordered set of packet filtering rules. Each rule defines match conditions (source address, source port, the interface it is applied to, and so on) and an action; the switch forwards or discards a packet according to the action of the first rule it matches. On this platform an ACL is configured as a firewall filter, and each rule is a sequence-numbered term of that filter.

Because packets are identified and controlled precisely, an ACL can restrict which hosts may reach a network segment, block known attack traffic at the switch before it reaches a host, and keep unwanted traffic from consuming bandwidth, which protects both network security and service quality.

Procedure

Step1       Create the filter and a term in it, and set the term's sequence number (priority).

set firewall filter <filter-name> sequence <sequence-number>

  • sequence <sequence-number>: specifies the sequence number of the term. Smaller values represent higher priorities, so terms are evaluated in ascending sequence order. The range is 0-9999. Leaving gaps between the numbers you use (for example 10, 20, 30) lets you insert a term later without renumbering the others.


Step2       Specify the match conditions of the term: the source IPv4 or IPv6 prefix, source MAC address, or source port that a packet must carry to match.

set firewall filter <filter-name> sequence <sequence-number> from {source-address-ipv4 <address/prefix-length> | source-address-ipv6 <address/prefix-length> | source-mac-address <mac-address> | source-port <port-number>}

  • source-address-ipv4 <address/prefix-length>: matches packets whose source IPv4 address falls within the given prefix, for example 10.0.0.0/24.

  • source-address-ipv6 <address/prefix-length>: matches packets whose source IPv6 address falls within the given prefix.

  • source-mac-address <mac-address>: matches packets with the given source MAC address.

  • source-port <port-number>: specifies the source port number or port number range, for example, 5000 or 7000..7050.

Repeat the command to add more than one condition to the same term; a packet must satisfy all of the term's conditions to match it.


Step3       Specify the execution action for packets matching the filter.

set firewall filter <filter-name> sequence <sequence-number> then action {discard | forward}

  • action {discard | forward}: discards or forwards matched packets.


Step4       Apply the filter to a physical interface, VLAN interface, or routed interface, in the input (ingress) or output (egress) direction. A filter that is not applied to an interface matches nothing.

set firewall filter <filter-name> input {interface <interface-name> | vlan-interface <vlan-interface-name> | routed-interface <routed-interface-name>}

set firewall filter <filter-name> output {interface <interface-name> | vlan-interface <vlan-interface-name> | routed-interface <routed-interface-name>}


Step5       Commit the configuration. None of the preceding set commands take effect until they are committed.

commit

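The following is an added example, not Pica8's own code or documentation. It models a firewall filter in Python so that the priority rule from Step 1 can be checked on a workstation before the configuration is typed into the switch: it renders the exact set commands from the procedure above for a constructed policy and evaluates constructed packets against the terms in ascending sequence order, first match wins. The filter name MGMT-ACL, the VLAN interface vlan10, the addresses and the packets are all assumptions made for the example. The page does not say what happens to a packet that matches no term, so the model returns None for such a packet rather than assuming a default action.

```python
"""Added example (not Pica8 code): model a PICOS firewall filter (ACL) so the
sequence-number priority can be checked before commit.

Assumptions, labelled here: terms are evaluated in ascending sequence order
and the first matching term decides the action (the page says smaller numbers
have higher priority); a packet that matches no term yields None, because the
page states no default. Filter name, interface, addresses and packets are
constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

SOURCE_KEYS = ("source-address-ipv4", "source-address-ipv6",
               "source-mac-address", "source-port")


@dataclass
class Term:
    sequence: int                                    # 0-9999, smaller first
    action: str                                      # "discard" or "forward"
    conditions: dict = field(default_factory=dict)   # keys from SOURCE_KEYS

    def __post_init__(self):
        if not 0 <= self.sequence <= 9999:
            raise ValueError("sequence must be 0-9999")
        if self.action not in ("discard", "forward"):
            raise ValueError("action must be discard or forward")

    def cli(self, name: str) -> list:
        """The set commands from Steps 1-3 for this term."""
        base = f"set firewall filter {name} sequence {self.sequence}"
        lines = [base]
        for key in SOURCE_KEYS:
            if key in self.conditions:
                lines.append(f"{base} from {key} {self.conditions[key]}")
        lines.append(f"{base} then action {self.action}")
        return lines

    def matches(self, pkt: dict) -> bool:
        """True only if the packet satisfies every condition of the term."""
        c = self.conditions
        src = ip_address(pkt["src_ip"])
        for key in ("source-address-ipv4", "source-address-ipv6"):
            # An IPv4 address is never inside an IPv6 prefix and vice versa.
            if key in c and src not in ip_network(c[key]):
                return False
        if "source-mac-address" in c and \
                pkt.get("src_mac", "").lower() != c["source-mac-address"].lower():
            return False
        if "source-port" in c:
            lo, _, hi = c["source-port"].partition("..")   # "5000" or "7000..7050"
            port = pkt.get("src_port")
            if port is None or not int(lo) <= port <= int(hi or lo):
                return False
        return True


@dataclass
class Filter:
    name: str
    terms: list
    input_vlan_interface: Optional[str] = None   # Step 4, input direction

    def cli(self) -> list:
        """The complete command sequence of the procedure, ending in commit."""
        lines = []
        for term in sorted(self.terms, key=lambda t: t.sequence):
            lines.extend(term.cli(self.name))
        if self.input_vlan_interface:
            lines.append(f"set firewall filter {self.name} input "
                         f"vlan-interface {self.input_vlan_interface}")
        lines.append("commit")
        return lines

    def evaluate(self, pkt: dict):
        """(sequence, action) of the first matching term, or None (assumption)."""
        for term in sorted(self.terms, key=lambda t: t.sequence):
            if term.matches(pkt):
                return term.sequence, term.action
        return None


def shadowed_terms(flt: Filter, packets) -> list:
    """Sequence numbers of terms that none of the given sample packets reach."""
    hit = {flt.evaluate(p)[0] for p in packets if flt.evaluate(p)}
    return sorted(t.sequence for t in flt.terms if t.sequence not in hit)


# Constructed policy: only the management subnet is forwarded on ingress to
# vlan10; every other IPv4 source is discarded by a lower-priority catch-all.
MGMT_ACL = Filter("MGMT-ACL", terms=[
    Term(10, "forward", {"source-address-ipv4": "10.0.0.0/24"}),
    Term(100, "discard", {"source-address-ipv4": "0.0.0.0/0"}),
], input_vlan_interface="vlan10")

# Same terms, but the catch-all was given the smaller (higher-priority)
# sequence number: the permit term is shadowed and management is locked out.
SHADOWED_ACL = Filter("MGMT-ACL-BROKEN", terms=[
    Term(10, "forward", {"source-address-ipv4": "10.0.0.0/24"}),
    Term(5, "discard", {"source-address-ipv4": "0.0.0.0/0"}),
])

# Constructed sample packets.
MGMT_HOST = {"src_ip": "10.0.0.5", "src_port": 40000}
OUTSIDER = {"src_ip": "192.0.2.7", "src_port": 40000}
V6_HOST = {"src_ip": "2001:db8::1", "src_port": 40000}

if __name__ == "__main__":
    print("\n".join(MGMT_ACL.cli()))
    for label, pkt in (("mgmt", MGMT_HOST), ("outsider", OUTSIDER), ("v6", V6_HOST)):
        print(label, "good:", MGMT_ACL.evaluate(pkt), "broken:", SHADOWED_ACL.evaluate(pkt))
    print("shadowed in broken filter:", shadowed_terms(SHADOWED_ACL, [MGMT_HOST, OUTSIDER]))
```

Running the script prints the eight commands of the procedure for MGMT-ACL and shows that the management host is forwarded by term 10 and the outsider discarded by term 100, while in the misordered filter the management host hits the catch-all at sequence 5 and term 10 is reported as shadowed. The IPv6 packet matches neither IPv4 prefix, which is exactly the kind of gap to notice before committing: add an explicit source-address-ipv6 term rather than relying on a default the page does not document.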

Verifying the Configuration

After the configuration is committed, use the run show filter <filter-name> [sequence <sequence-number>] command in configuration mode to view the match conditions and action of the specified filter, or of a single term of it when a sequence number is given. Check that the terms appear in the sequence order you intended, since a catch-all term with a smaller sequence number than a permit term will shadow the permit.

Other Configurations

To delete a configured filter, use the delete firewall filter <filter-name> command and then commit the configuration.

Copyright © 2024 Pica8 Inc. All Rights Reserved.