ACLs are ordered collections of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. ACLs can block unwarranted attempts to reach network resources.
The WAP device supports up to 50 IPv4, IPv6, and MAC ACL rules.
IP ACLs classify traffic on Layer 3 and Layer 4 fields.
Each ACL is a set of rules applied to traffic received by the WAP device. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network. Rules can be based on various criteria and may apply to one or more fields within a packet, such as the source or destination IP address, the source or destination port, or the protocol carried in the packet.
Note There is an implicit deny all rule at the end of every ACL. To avoid denying all traffic, we strongly recommend that you add at least one permit rule to the ACL for the traffic that should be allowed.
MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect fields of a frame such as the source or destination MAC address, the VLAN ID, or the class of service. When a frame enters the WAP device port, the WAP device inspects the frame and checks the ACL rules against the content of the frame. If any of the rules match the content, a permit or deny action is taken on the frame.
Use the ACL Rule page to configure the ACLs and rules, and then apply the rules to a specified interface.
2. Specify a name for the ACL.
3. Select the type of ACL to add.
6. Configure the match criteria for the rules.
7. Use the ACL Association page to apply the ACL to one or more interfaces.
2. In the ACL Name field, enter the name to identify the ACL. The name can contain from 1 to 31 alphanumeric and special characters. Spaces are not allowed.
3. Choose IPv4 as the type of ACL from the ACL Type list. IPv4 ACLs control access to network resources based on Layer 3 and Layer 4 criteria.
5. In the ACL Rule Configuration area, configure these ACL rule parameters:
• ACL Name - ACL Type—Choose the ACL to configure with the new rule.
• Rule—Choose New Rule to configure a new rule for the selected ACL. When an ACL has multiple rules, the rules are applied to the packet or frame in the order in which you add them to the ACL. There is an implicit deny all rule as the final rule.
• Action—Choose whether the ACL rule permits or denies traffic that matches its criteria.
• When you choose Permit, the rule allows traffic that meets the rule criteria to enter the WAP device. Traffic that does not meet the criteria is evaluated against the next rule in the ACL; if no rule matches it, the implicit deny all rule at the end of the ACL drops it.
• When you choose Deny, the rule blocks traffic that meets the rule criteria from entering the WAP device. Traffic that does not meet the criteria is evaluated against the next rule and is forwarded only if a later rule permits it. Because of the implicit deny all rule at the end of every ACL, traffic that no rule explicitly permits is dropped.
• Match Every Packet—If enabled, the rule (permit or deny) matches every frame or packet regardless of its contents, and you cannot configure any additional match criteria. This option is selected by default for a new rule; clear it to configure the other match fields.
• Protocol—Uses a Layer 3 or Layer 4 protocol match condition based on the value of the IP Protocol field in IPv4 packets or the Next Header field in IPv6 packets. You can choose one of these options or choose Any:
– Select From List—Choose one of these protocols: IP, ICMP, IGMP, TCP, or UDP.
– Match to Value—Enter a standard IANA-assigned protocol ID from 0 to 255. Choose this method to identify a protocol not listed by name in the Select From List.
• Source IP—Requires the packet's source IP address to match the address defined in the appropriate fields.
– Source IP Address—Enter the IP address to apply this criteria.
– Wild Card Mask—Enter the source IP address wildcard mask. The wildcard mask determines which bits are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all bits are important. This field is required when Source IP Address is checked.
A wildcard mask is basically the inverse of a subnet mask. For example, to match the criteria to a single host address, use a wildcard mask of 0.0.0.0. To match the criteria to a 24-bit subnet (for example, 192.168.10.0/24), use a wildcard mask of 0.0.0.255.
• Source Port—Includes a source port in the match condition for the rule. The source port is identified in the datagram header.
– Select From List—Choose the keyword associated with the source port to match: ftp, ftpdata, http, smtp, snmp, telnet, tftp, www. Each of these keywords translates into its equivalent port number.
– Match to Port—Enter the IANA port number to match to the source port identified in the datagram header. The port range is 0 to 65535 and includes three different types of ports:
0 to 1023-Well Known Ports
1024 to 49151-Registered Ports
49152 to 65535-Dynamic and/or Private Ports
– Mask—Enter the port mask. The mask determines which bits of the port number are compared and which are ignored. Enter a hexadecimal value from 0 to 0xFFFF; a 0 bit means the corresponding port bit must match, and a 1 bit means that bit is ignored. A mask of 0 matches only the exact port; for example, a port of 49152 (0xC000) with a mask of 0x3FFF matches the whole dynamic port range.
• Destination IP—Requires a packet's destination IP address to match the address defined in the appropriate fields.
– Destination IP Address—Enter an IP address to apply this criteria.
– Wild Card Mask—Enter the destination IP address wildcard mask. The wildcard mask determines which bits are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard of 0.0.0.0 indicates that all bits are important. This field is required when Destination IP Address is selected.
A wildcard mask is basically the inverse of a subnet mask. For example, to match the criteria to a single host address, use a wildcard mask of 0.0.0.0. To match the criteria to a 24-bit subnet (for example, 192.168.10.0/24), use a wildcard mask of 0.0.0.255.
• Destination Port—Includes a destination port in the match condition for the rule. The destination port is identified in the datagram header.
– Select From List—Choose the keyword associated with the destination port to match: ftp, ftpdata, http, smtp, snmp, telnet, tftp, www. Each of these keywords translates into its equivalent port number.
– Match to Port—Enter the IANA port number to match to the destination port identified in the datagram header. The port range is from 0 to 65535 and includes three different types of ports:
0 to 1023-Well Known Ports
1024 to 49151-Registered Ports
49152 to 65535-Dynamic and/or Private Ports
– Mask—Enter the port mask. The mask determines which bits of the port number are compared and which are ignored. Enter a hexadecimal value from 0 to 0xFFFF; a 0 bit means the corresponding port bit must match, and a 1 bit means that bit is ignored.
• Service Type—Matches the packets based on specific service type.
– IP DSCP Select From List—Matches the packets based on their DSCP Assured Forwarding (AF), Class Selector (CS), or Expedited Forwarding (EF) values.
– IP DSCP Match to Value—Matches the packets based on a custom DSCP value. If selected, enter a value from 0 to 63 in this field.
– IP Precedence—Matches the packets based on their IP precedence value. If selected, enter an IP Precedence value from 0 to 7.
– IP ToS Bits—Specifies a value to compare against the ToS octet in the packet's IP header.
The IP ToS field in a packet is defined as all eight bits of the Service Type octet in the IP header. The IP ToS Bits value is a two-digit hexadecimal number from 00 to ff. The high-order three bits represent the IP precedence value. The high-order six bits represent the IP Differentiated Services Code Point (DSCP) value.
– IP ToS Mask—Enter an IP ToS Mask value to identify the bit positions in the IP ToS Bits value that are used for comparison against the IP ToS field in a packet.
The IP ToS Mask value is a two-digit hexadecimal number from 00 to FF, representing an inverted (that is, wildcard) mask. The zero-valued bits in the IP ToS Mask denote the bit positions in the IP ToS Bits value that are used for comparison against the IP ToS field of a packet; one-valued bits are ignored. For example, to check for an IP ToS value having bits 7 and 5 set and bit 1 clear, where bit 7 is most significant, use an IP ToS Bits value of a0 (binary 1010 0000) and an IP ToS Mask of 5d (binary 0101 1101, with zeros at bits 7, 5, and 1).
6. Click Save. The changes are saved to the Startup Configuration.
Note To delete an ACL, ensure that it is selected in the ACL Name-ACL Type list, select Delete ACL, and click Save.
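As an added illustration, not part of this guide or of the WAP firmware, the following Python model applies the IPv4 rule semantics described above to constructed packets: rules are tried in the order they were added, the first match decides, an unmatched packet hits the implicit deny all, address fields use wildcard masks, and ports and the ToS octet use 0=compare/1=ignore masks. The protocol numbers are the IANA values; the port keyword table, the sample policy and the packets are assumptions made for the example.

```python
"""IPv4 ACL matching model (added example, not WAP firmware code): ordered first-match
evaluation, implicit deny all, wildcard address masks, port masks and the ToS bits/mask pair."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

IP_PROTO = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}      # IANA protocol numbers for the listed keywords
PORT_KEYWORDS = {"ftpdata": 20, "ftp": 21, "telnet": 23, "smtp": 25, "tftp": 69,
                 "http": 80, "www": 80, "snmp": 161}         # assumed mapping for the page's port keywords


def wildcard_from_prefix(prefix_len: int) -> str:
    """A wildcard mask is the inverse of a subnet mask: /24 -> 0.0.0.255, /32 -> 0.0.0.0."""
    return str(IPv4Address((1 << (32 - prefix_len)) - 1))


def ip_matches(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; bits set to 0 must be equal."""
    diff = int(IPv4Address(packet_ip)) ^ int(IPv4Address(rule_ip))
    care = 0xFFFFFFFF & ~int(IPv4Address(wildcard))
    return (diff & care) == 0


def masked_matches(value: int, rule_value: int, mask: int, width: int) -> bool:
    """Port masks (16 bits) and the ToS mask (8 bits) share one convention: 0 = compare, 1 = ignore."""
    care = ((1 << width) - 1) & ~mask
    return ((value ^ rule_value) & care) == 0


def tos_bits_and_mask(set_bits, clear_bits) -> Tuple[int, int]:
    """IP ToS Bits / IP ToS Mask pair for 'these bits set, those bits clear' (bit 7 most
    significant). Bits 7 and 5 set, bit 1 clear -> (0xA0, 0x5D)."""
    bits_value = sum(1 << b for b in set_bits)
    compared = sum(1 << b for b in set(set_bits) | set(clear_bits))
    return bits_value, 0xFF & ~compared


def tos_fields(tos: int) -> Tuple[int, int]:
    """(IP precedence, DSCP) from a ToS octet: the top three and the top six bits."""
    return tos >> 5, tos >> 2


@dataclass
class Rule:
    action: str                                  # "permit" or "deny"
    match_every: bool = False                    # Match Every Packet: all other criteria are ignored
    protocol: Optional[int] = None               # None = any protocol
    src: Optional[Tuple[str, str]] = None        # (address, wildcard mask)
    dst: Optional[Tuple[str, str]] = None
    src_port: Optional[Tuple[int, int]] = None   # (port, port mask)
    dst_port: Optional[Tuple[int, int]] = None
    tos: Optional[Tuple[int, int]] = None        # (IP ToS Bits, IP ToS Mask)

    def matches(self, p: dict) -> bool:
        if self.match_every:
            return True
        return all([
            self.protocol is None or p["proto"] == self.protocol,
            self.src is None or ip_matches(p["src"], *self.src),
            self.dst is None or ip_matches(p["dst"], *self.dst),
            self.src_port is None or masked_matches(p["sport"], *self.src_port, 16),
            self.dst_port is None or masked_matches(p["dport"], *self.dst_port, 16),
            self.tos is None or masked_matches(p["tos"], *self.tos, 8),
        ])


def evaluate(acl: List[Rule], p: dict) -> str:
    """Rules are tried in the order they were added; the first match decides. No match = implicit deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def make_packet(proto, src, dst, sport=0, dport=0, tos=0) -> dict:
    """Constructed packet summary for the example; ports are 0 for protocols without them."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "tos": tos}


def demo_acl() -> List[Rule]:
    """Constructed policy: a management /24 may reach the AP on TCP 443 and SNMP, one host on that
    subnet is otherwise blocked for TCP, and ICMP from the subnet is accepted only when marked EF."""
    mgmt = ("192.168.10.0", wildcard_from_prefix(24))
    ef_tos = 46 << 2                                     # DSCP EF (46) sits in the top six ToS bits
    return [
        Rule("permit", protocol=IP_PROTO["tcp"], src=mgmt, dst_port=(443, 0x0000)),
        # listed after the permit, so 192.168.10.50 still reaches 443 but nothing else over TCP
        Rule("deny", protocol=IP_PROTO["tcp"], src=("192.168.10.50", "0.0.0.0")),
        Rule("permit", protocol=IP_PROTO["udp"], src=mgmt, dst_port=(PORT_KEYWORDS["snmp"], 0x0000)),
        # ToS mask 0x03 ignores the two low (ECN) bits, so EF matches whatever ECN says
        Rule("permit", protocol=IP_PROTO["icmp"], src=mgmt, tos=(ef_tos, 0x03)),
    ]


if __name__ == "__main__":
    acl = demo_acl()
    for pkt in (make_packet(6, "192.168.10.50", "192.168.10.1", 51000, 443),
                make_packet(6, "192.168.10.50", "192.168.10.1", 51000, 22),
                make_packet(6, "10.0.0.5", "192.168.10.1", 51000, 443)):
        print(pkt["src"], pkt["dport"], "->", evaluate(acl, pkt))
```

Swapping the first two rules of `demo_acl` changes the result for 192.168.10.50 on port 443 from permit to deny, which is the ordering point the Rule field makes above; the last packet is dropped by the implicit deny even though no rule names its source.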
2. In the ACL Name field, enter the name to identify the ACL.
3. Choose IPv6 as the type of ACL from the ACL Type list. IPv6 ACLs control access to network resources based on Layer 3 and Layer 4 criteria.
5. In the ACL Rule Configuration area, configure these ACL rule parameters:
• ACL Name-ACL Type—Choose the ACL to configure with the new rule.
• Rule—Choose New Rule to configure a new rule for the selected ACL. When an ACL has multiple rules, the rules are applied to the packet or frame in the order in which you add them to the ACL. There is an implicit deny all rule as the final rule.
• Action—Choose whether the ACL rule permits or denies traffic that matches its criteria.
• When you choose Permit, the rule allows traffic that meets the rule criteria to enter the WAP device. Traffic that does not meet the criteria is evaluated against the next rule in the ACL; if no rule matches it, the implicit deny all rule at the end of the ACL drops it.
• When you choose Deny, the rule blocks traffic that meets the rule criteria from entering the WAP device. Traffic that does not meet the criteria is evaluated against the next rule and is forwarded only if a later rule permits it. Because of the implicit deny all rule at the end of every ACL, traffic that no rule explicitly permits is dropped.
• Match Every Packet—If enabled, the rule (permit or deny) matches every frame or packet regardless of its contents, and you cannot configure any additional match criteria. This option is selected by default for a new rule; clear it to configure the other match fields.
• Protocol—Choose the protocol to match by keyword or protocol ID.
• Source IPv6—Requires a packet's source IPv6 address to match the IPv6 address defined in the appropriate fields.
– Source IPv6 Address—Enter the IPv6 address to apply this criteria.
– Source IPv6 Prefix Length—Enter the prefix length of the source IPv6 address.
• Source Port—Includes a source port in the match condition for the rule. The source port is identified in the datagram header.
– Select From List—If selected, choose the port name from the list.
– Match to Port—Enter the IANA port number to match to the source port identified in the datagram header. The port range is 0 to 65535 and includes three different types of ports:
0 to 1023-Well Known Ports
1024 to 49151-Registered Ports
49152 to 65535-Dynamic and/or Private Ports
– Mask—Enter the port mask. The mask determines which bits of the port number are compared and which are ignored. Enter a hexadecimal value from 0 to 0xFFFF; a 0 bit means the corresponding port bit must match, and a 1 bit means that bit is ignored.
• Destination IPv6—Requires a packet's destination IPv6 address to match the IPv6 address defined in the appropriate fields.
– Destination IPv6 Address—Enter an IPv6 address to apply this criteria.
– Destination IPv6 Prefix Length—Enter the prefix length of the destination IPv6 address.
• Destination Port—Includes a destination port in the match condition for the rule. The destination port is identified in the datagram header.
– Select From List—If selected, choose the port name from the list.
– Match to Port—Enter the IANA port number to match to the destination port identified in the datagram header. The port range is 0 to 65535 and includes three different types of ports:
0 to 1023-Well Known Ports
1024 to 49151-Registered Ports
49152 to 65535-Dynamic and/or Private Ports
– Mask—Enter the port mask. The mask determines which bits of the port number are compared and which are ignored. Enter a hexadecimal value from 0 to 0xFFFF; a 0 bit means the corresponding port bit must match, and a 1 bit means that bit is ignored.
• IPv6 Flow Label—Matches the 20-bit Flow Label field of the IPv6 header, which a source uses to label packets that belong to the same flow so that routers can give them consistent QoS handling. Enter a value from 0 to 1048575.
• IPv6 DSCP—Matches the packets based on their IP DSCP value. If selected, choose one of these options as the match criteria:
– Select From List—Choose one of these values: DSCP Assured Forwarding (AF), Class Selector (CS), or Expedited Forwarding (EF).
– Match to Value—Enter a custom DSCP value, from 0 to 63.
6. Click Save. The changes are saved to the Startup Configuration.
Note To delete an ACL, ensure that it is selected in the ACL Name-ACL Type list, check Delete ACL, and click Save.
2. In the ACL Name field, enter the name to identify the ACL.
3. Choose MAC as the type of ACL from the ACL Type list. MAC ACLs control access based on Layer 2 criteria.
5. In the ACL Rule Configuration area, configure these ACL rule parameters:
• ACL Name-ACL Type—Choose the ACL to configure with the new rule.
• Rule—Choose New Rule to configure a new rule for the selected ACL. When an ACL has multiple rules, the rules are applied to the packet or frame in the order in which you add them to the ACL. There is an implicit deny all rule as the final rule.
• Action—Choose whether the ACL rule permits or denies traffic that matches its criteria.
• When you choose Permit, the rule allows traffic that meets the rule criteria to enter the WAP device. Traffic that does not meet the criteria is evaluated against the next rule in the ACL; if no rule matches it, the implicit deny all rule at the end of the ACL drops it.
• When you choose Deny, the rule blocks traffic that meets the rule criteria from entering the WAP device. Traffic that does not meet the criteria is evaluated against the next rule and is forwarded only if a later rule permits it. Because of the implicit deny all rule at the end of every ACL, traffic that no rule explicitly permits is dropped.
• Match Every Packet—If enabled, the rule (permit or deny) matches every frame or packet regardless of its contents, and you cannot configure any additional match criteria. This option is selected by default for a new rule; clear it to configure the other match fields.
• EtherType—Choose to compare the match criteria against the value in the header of an Ethernet frame. You can select an EtherType keyword or enter an EtherType value to specify the match criteria.
– Select from List—Choose one of these protocol types: appletalk, arp, ipv4, ipv6, ipx, netbios, pppoe.
– Match to Value—Enter a custom protocol identifier to which packets are matched. The value is a four-digit hexadecimal number in the range of 0600 to FFFF.
• Class of Service—Enter an 802.1p user priority to compare against an Ethernet frame. The valid range is from 0 to 7. This field is located in the first/only 802.1Q VLAN tag.
• Source MAC—Requires the packet's source MAC address to match the address defined in the appropriate fields.
– Source MAC Address—Enter the source MAC address to compare against an Ethernet frame.
– Source MAC Mask—Enter the source MAC address mask specifying which bits in the source MAC to compare against an Ethernet frame.
For each bit position in the MAC mask, a 0 indicates that the corresponding address bit is significant and a 1 indicates that the address bit is ignored. For example, to check only the first four octets of a MAC address, a MAC mask of 00:00:00:00:ff:ff is used. A MAC mask of 00:00:00:00:00:00 checks all address bits and is used to match a single MAC address.
• Destination MAC—Requires the packet's destination MAC address to match the address defined in the appropriate fields.
– Destination MAC Address—Enter the destination MAC address to compare against an Ethernet frame.
– Destination MAC Mask—Enter the destination MAC address mask to specify which bits in the destination MAC to compare against an Ethernet frame.
• VLAN ID—Enter the specific VLAN ID to compare against an Ethernet frame.
This field is located in the first/only 802.1Q VLAN tag.
6. Click Save. The changes are saved to the Startup Configuration.
Note To delete an ACL, ensure that it is selected in the ACL Name-ACL Type list, check Delete ACL, and click Save.
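As an added illustration of the MAC ACL fields above, not part of this guide or of the WAP firmware, the following Python model parses a constructed Ethernet frame (with or without an 802.1Q tag) to obtain the EtherType, VLAN ID, class of service and addresses, and then applies rules with MAC masks in the 0=compare/1=ignore convention, in order, with the implicit deny all. The EtherType values for the keywords are the standard registered numbers and are stated here as an assumption, since the page lists the keywords only; the sample policy and frames are constructed for the example.

```python
"""MAC (Layer 2) ACL matching model (added example, not WAP firmware code): 802.1Q tag parsing,
MAC masks (0 = compare, 1 = ignore), EtherType/VLAN/CoS criteria, first match, implicit deny."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed keyword-to-EtherType mapping (standard registered values; the page lists keywords only).
ETHERTYPE = {"arp": 0x0806, "ipv4": 0x0800, "ipv6": 0x86DD, "ipx": 0x8137,
             "appletalk": 0x809B, "pppoe": 0x8863}        # pppoe: discovery stage value
VLAN_TPID = 0x8100


def mac(s: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, vlan: Optional[int] = None,
                cos: int = 0, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame; inserts an 802.1Q tag (TPID + TCI) when a VLAN is given."""
    header = mac(dst) + mac(src)
    if vlan is not None:
        tci = (cos << 13) | (vlan & 0x0FFF)               # PCP in the top 3 bits, VID in the low 12
        header += struct.pack("!HH", VLAN_TPID, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Fields the WAP inspects: addresses, EtherType, and VLAN ID / CoS from the first 802.1Q tag."""
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = cos = None
    if ethertype == VLAN_TPID:                             # tagged: the real EtherType follows the TCI
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        cos, vlan_id = tci >> 13, tci & 0x0FFF
    return {"dst": dst, "src": src, "ethertype": ethertype, "vlan": vlan_id, "cos": cos}


def mac_matches(addr: bytes, rule_addr: bytes, mask: bytes) -> bool:
    """A 0 bit in the mask means the address bit is significant; a 1 bit means it is ignored."""
    return all((((a ^ r) & ~m) & 0xFF) == 0 for a, r, m in zip(addr, rule_addr, mask))


@dataclass
class MacRule:
    action: str                                     # "permit" or "deny"
    match_every: bool = False
    ethertype: Optional[int] = None
    cos: Optional[int] = None                       # 802.1p priority, 0..7
    vlan: Optional[int] = None
    src: Optional[Tuple[bytes, bytes]] = None       # (address, mask)
    dst: Optional[Tuple[bytes, bytes]] = None

    def matches(self, f: dict) -> bool:
        if self.match_every:
            return True
        return all([
            self.ethertype is None or f["ethertype"] == self.ethertype,
            self.cos is None or f["cos"] == self.cos,
            self.vlan is None or f["vlan"] == self.vlan,   # an untagged frame never matches a VLAN rule
            self.src is None or mac_matches(f["src"], *self.src),
            self.dst is None or mac_matches(f["dst"], *self.dst),
        ])


def evaluate_mac(acl: List[MacRule], f: dict) -> str:
    """First matching rule wins; a frame that matches nothing hits the implicit deny all."""
    for rule in acl:
        if rule.matches(f):
            return rule.action
    return "deny"


EXACT = mac("00:00:00:00:00:00")        # compare all 48 bits: a single station
OUI_MASK = mac("00:00:00:ff:ff:ff")     # compare only the first three octets: a vendor prefix
BROADCAST = "ff:ff:ff:ff:ff:ff"


def demo_mac_acl() -> List[MacRule]:
    """Constructed policy: block one station outright, then allow ARP and IPv4 on VLAN 10 only
    from stations whose OUI is 00:11:22. Everything else falls through to the implicit deny."""
    vendor = (mac("00:11:22:00:00:00"), OUI_MASK)
    return [
        MacRule("deny", src=(mac("00:11:22:ab:cd:ef"), EXACT)),   # first, so it wins over the permits
        MacRule("permit", vlan=10, ethertype=ETHERTYPE["arp"], src=vendor),
        MacRule("permit", vlan=10, ethertype=ETHERTYPE["ipv4"], src=vendor),
    ]


if __name__ == "__main__":
    tagged = parse_frame(build_frame(BROADCAST, "00:11:22:33:44:55", ETHERTYPE["arp"], vlan=10, cos=3))
    print(tagged["vlan"], tagged["cos"], hex(tagged["ethertype"]), evaluate_mac(demo_mac_acl(), tagged))
```

The OUI mask shows the mask convention from the Source MAC Mask description in practice: zeros in the first three octets make the vendor prefix significant, ones in the last three ignore the station part. Because the blocked station shares that prefix, its deny rule must come before the vendor permits, exactly as the Rule field warns about ordering.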