Access Control
The Access Control List (ACL) feature is part of the device security mechanism. ACLs enable network managers to define patterns (rules and actions) for ingress traffic. Packets entering the device on a port with an active ACL are either admitted or denied entry. If they are denied entry, the port can additionally be disabled.
An ACL is an ordered list of classification rules and actions. Each classification rule, together with its action, is called an Access Control Element (ACE). An ACL must contain at least one ACE; each ACE consists of filters that classify traffic and an associated action. The ACEs of an ACL are matched, in order, against the content of incoming frames, and either a DROP or a FORWARD action is applied to the frames whose content matches the pattern.
The order of the ACEs within an ACL is significant, because they are applied in a first-fit manner: the ACEs are processed sequentially, starting with the first. When a packet matches an ACE's classification, that ACE's action is taken and processing of the ACL stops. If the packet does not match, the next ACE is processed. If all ACEs of an ACL have been processed without finding a match and another ACL is bound to the port, that ACL is processed in the same way (the ACLs themselves are not ordered relative to each other). If no ACE in any of the relevant ACLs matches, the packet is dropped; this is the default action. Because of this default drop, all permitted traffic must be allowed explicitly, including management traffic such as Telnet, HTTP or SNMP that is directed to the device itself.
ACLs can be used both for security, for example by permitting or denying certain traffic flows, and for traffic classification and prioritization in the QoS advanced mode.
Only one ACL can be bound to a port, with the sole exception that an IP-based ACL and an IPv6-based ACL may both be associated with the same port. To associate more than one ACL with a port, a policy map must be used (see the Policy Table page). The following types of ACL can be defined, depending on which part of the frame header is examined:
- MAC ACL: examines L2 fields only; described in Defining MAC-based ACLs
- IP ACL: examines the L3 header of IP frames; described in Defining IP-based ACLs
- IPv6 ACL: applies to IPv6 packet types; described in Defining IPv6-based ACLs
If a frame is permitted, it is implicitly defined as belonging to a flow named after the ACL that permitted it. In QoS advanced mode, these flows can be referenced and QoS actions applied to them (see QoS Advanced Mode).
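The following simulation is an added illustration of the evaluation rules described above (first-fit ACE matching, several ACLs bound to one port, the implicit default drop, and the flow being named after the permitting ACL); it is not device code and is not taken from the product documentation. The ACL names, the device management address 192.0.2.1, and the subnets 198.51.100.0/24 (administrators), 203.0.113.0/24 (users) and 2001:db8::/32 are constructed values. Beyond the text, it also shows why ACE order matters: a broad permit placed before a narrow deny shadows the deny.

```python
"""Simulation of first-fit ACL evaluation with an implicit default drop.

Added illustration, not device code. Addresses, ACL names and port numbers are
constructed values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    dport: Optional[int] = None

    @property
    def family(self) -> int:       # 4 for IPv4 frames, 6 for IPv6 frames
        return ip_address(self.dst).version


@dataclass
class ACE:
    """One classification rule plus its action (permit = FORWARD, deny = DROP)."""
    action: str
    proto: Optional[str] = None    # None matches any protocol
    src: Optional[str] = None      # CIDR; None matches any source
    dst: Optional[str] = None      # CIDR; None matches any destination
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


@dataclass
class ACL:
    name: str
    family: int                    # 4 = IP ACL, 6 = IPv6 ACL
    aces: List[ACE] = field(default_factory=list)

    def first_fit(self, pkt: Packet) -> Optional[str]:
        """Return the action of the first matching ACE, or None if no ACE matches."""
        if pkt.family != self.family:
            return None            # an IP ACL never examines IPv6 frames and vice versa
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.action  # processing stops at the first fit
        return None


def evaluate_port(acls: List[ACL], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Evaluate every ACL bound to the port in turn.

    Returns ("forward", acl_name) for a permitted frame (the flow is named after
    the ACL that permitted it), ("drop", acl_name) for an explicit deny, and
    ("drop", None) when no ACE in any bound ACL matches (the default action).
    """
    for acl in acls:
        action = acl.first_fit(pkt)
        if action == "permit":
            return "forward", acl.name
        if action == "deny":
            return "drop", acl.name
    return "drop", None


# Constructed topology: the device's own management address is 192.0.2.1,
# administrators sit in 198.51.100.0/24 and users in 203.0.113.0/24.
DEVICE = "192.0.2.1/32"

MGMT_ACL = ACL("MGMT", 4, [
    ACE("deny",   "tcp", src="203.0.113.0/24",  dst=DEVICE, dport=22),   # users may not SSH in
    ACE("permit", "tcp", src="198.51.100.0/24", dst=DEVICE, dport=22),
    ACE("permit", "tcp", src="198.51.100.0/24", dst=DEVICE, dport=443),
])
USERS_ACL = ACL("USERS", 4, [
    ACE("permit", "tcp", src="203.0.113.0/24", dport=443),
    ACE("permit", "udp", src="203.0.113.0/24", dport=53),
])
IPV6_ACL = ACL("USERS-V6", 6, [
    ACE("permit", "tcp", src="2001:db8::/32", dport=443),
])
PORT_ACLS = [MGMT_ACL, USERS_ACL, IPV6_ACL]


def demo() -> dict:
    """Run a few constructed packets through the port's ACLs."""
    cases = {
        "admin ssh":  Packet("198.51.100.10", "192.0.2.1",      "tcp", 22),
        "user ssh":   Packet("203.0.113.7",   "192.0.2.1",      "tcp", 22),
        "user https": Packet("203.0.113.7",   "192.0.2.80",     "tcp", 443),
        "admin snmp": Packet("198.51.100.10", "192.0.2.1",      "udp", 161),  # never permitted: default drop
        "v6 https":   Packet("2001:db8::5",   "2001:db8:1::80", "tcp", 443),
    }
    return {name: evaluate_port(PORT_ACLS, pkt) for name, pkt in cases.items()}


def order_matters(pkt: Packet) -> Tuple[str, str]:
    """Same two ACEs in both orders: a broad permit before a narrow deny shadows the deny."""
    broad = ACE("permit", "tcp", dst=DEVICE, dport=22)
    narrow = ACE("deny", "tcp", src="203.0.113.0/24", dst=DEVICE, dport=22)
    return (evaluate_port([ACL("A", 4, [broad, narrow])], pkt)[0],
            evaluate_port([ACL("B", 4, [narrow, broad])], pkt)[0])


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:11s} -> {result}")
    print("user ssh, permit-then-deny vs deny-then-permit:",
          order_matters(Packet("203.0.113.7", "192.0.2.1", "tcp", 22)))
```

The "admin snmp" case is the trap the text warns about: nothing in any bound ACL mentions UDP/161 to the device, so SNMP management traffic from the administrators' subnet is silently dropped until an explicit permit ACE is added. The `order_matters` case shows that the same two ACEs give opposite results for a user's SSH attempt depending on which comes first.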
Create ACL Workflow
To create ACLs and associate them with an interface, perform the following:
Modify ACL Workflow
An ACL can only be modified when it is not associated with an interface. The following describes how to unbind an ACL so that it can be modified:
Only then can the ACL be modified, as described in the following sections.