4.10.2.3.3 Network Access Control List (ACL) Configuration

Configure an Access Control Entry (ACE) on the Access Control List Configuration page. An ACE consists of several parameters. These parameters vary according to the frame type that you select. First, select the ingress port for the ACE, and then select the frame type. Different parameter options are displayed depending on the frame type selected. A frame that hits this ACE matches the configuration that is defined here. The following figure shows the global parameters of the ACE configuration.

Figure 4-48. ACE Configuration—Global Parameters

The Access Control List Configuration page has the following parameters:

Global Configuration

  • Second Lookup: Specify the second lookup operation of this ACE
  • Ingress Port: Select the ingress port for which this ACE applies
    • All: ACE applies to all ports
    • Port n: ACE applies to this port number, where n is the number of the switch port
  • Policy Filter: Specify the policy number filter for this ACE
    • Any: No policy filter is specified (policy filter status is don't-care)
    • Specific: If you want to filter a specific policy with this ACE, then choose this value. Two fields for entering the policy value and the bitmask appear.
      • Policy Value: When Specific is selected for the policy filter, then you can enter a specific policy value. The allowed range is 0 to 255.
      • Policy Bitmask: When Specific is selected for the policy filter, then you can enter a specific policy bitmask. The allowed range is 0x0 to 0xff. A bit that is 0 in the bitmask is don't-care; a frame hits the rule when (ingress policy AND policy_bitmask) equals (policy_value AND policy_bitmask). For example, with policy value 3 and policy bitmask 0xfe (bit 0 is the don't-care bit), policies 2 and 3 are applied to this rule. A bitmask of 0xff requires an exact match on the policy value.
  • Frame Type: Select the frame type for this ACE. These frame types are mutually exclusive.
    • Any: Any frame can match this ACE
    • Ethernet Type: Only Ethernet Type frames can match this ACE. Per IEEE 802.3, a Length/Type field value of 1536 decimal (0x0600) or greater is an EtherType rather than a length; for this frame type the value must additionally not be 0x0800 (IPv4), 0x0806 (ARP), or 0x86DD (IPv6), because frames with those EtherTypes are matched only by their own frame types below.
    • ARP: Only ARP frames can match this ACE
      Note: ARP frames do not match an ACE whose frame type is Ethernet Type.
    • IPv4: Only IPv4 frames can match this ACE
      Note: IPv4 frames do not match an ACE whose frame type is Ethernet Type.
    • IPv6: Only IPv6 frames can match this ACE
      Note: IPv6 frames do not match an ACE whose frame type is Ethernet Type.
  • Action: Specify the action to take with a frame that hits this ACE
    • Permit: The frame that hits this ACE is permitted (forwarded)
    • Deny: The frame that hits this ACE is dropped
    • Filter: Frames that hit this ACE are filtered
  • Rate Limiter: Specify the rate limiter in number of base units. The allowed range is 1–16. Disabled indicates that the rate limiter operation is disabled.
  • Port Redirect: Frames that hit this ACE are redirected to the port number specified here. The rate limiter also applies to frames sent to these ports. The allowed range is the same as the switch port number range. Disabled indicates that the port redirect operation is disabled. A specific redirect port cannot be set when the Action is Permit.
  • Mirror: Specify the mirror operation of this port. Frames that hit this ACE are mirrored to the destination mirror port. The rate limiter does not affect frames on the mirror port. The allowed values are:
    • Enabled: Frames received on the port are mirrored
    • Disabled: Frames received on the port are not mirrored
    The default value is Disabled.
  • Logging: Specify the logging operation of this ACE. The allowed values are:
    • Enabled: Frames that hit this ACE are stored in the System Log
    • Disabled: Frames that hit this ACE are not logged
    Note: The logged frame does not include the 4-byte CRC. Logging only works for frames shorter than 1518 bytes (not counting VLAN tags), and both the System Log memory size and the logging rate are limited, so not every hit is necessarily logged; use the Counter for an exact hit count.
  • Shutdown: Specify the port shutdown operation of this ACE. The allowed values are:
    • Enabled: If a frame hits this ACE, the ingress port is disabled
    • Disabled: Port shutdown is disabled for this ACE
    Note: The shutdown feature only works for frames shorter than 1518 bytes (not counting VLAN tags).
  • Counter: The counter indicates the number of times ACE was hit by a frame.

VLAN Parameters

  • 802.1Q Tagged: Specify whether a frame must be 802.1Q tagged or untagged to hit this ACE. The allowed values are:
    • Any: Any value is allowed (don't-care)
    • Enabled: Tagged frames only
    • Disabled: Untagged frames only
    The default value is Any.
  • VLAN ID Filter: Specify the VLAN ID filter for this ACE.
    • Any: No VLAN ID filter is specified (VLAN ID filter status is don't-care)
    • Specific: If you want to filter a specific VLAN ID with this ACE, then choose this value. A field for entering a VLAN ID number appears.
      • VLAN ID: When Specific is selected for the VLAN ID filter, you can enter a specific VLAN ID number. The allowed range is 1 to 4095. A frame that hits this ACE matches this VLAN ID value.
  • Tag Priority: Specify the tag priority for this ACE. A frame that hits this ACE matches this tag priority. The allowed values are a single priority 0 to 7 or one of the ranges 0–1, 2–3, 4–5, 6–7, 0–3, and 4–7. The value Any means that no tag priority is specified (tag priority is don't-care).
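The following is an added example, not the switch's own code, that models the match conditions described under Global Configuration (policy value and bitmask, frame type) and VLAN Parameters (802.1Q tagged, VLAN ID, tag priority) in Python so the semantics can be checked offline. The sample frames are constructed for the example; the Ace and ParsedFrame field names are assumptions, as is the treatment of untagged frames, which here never match a specific VLAN ID or tag priority because the page does not say how the switch classifies them.

```python
"""Software model of the ACE match conditions on this page: frame type, policy
value/bitmask, 802.1Q tagged, VLAN ID and tag priority.  Added example, not the
switch's own code; the Ace/ParsedFrame field names are assumptions."""
from dataclasses import dataclass
from typing import Optional
import struct

ETH_P_IPV4, ETH_P_ARP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x0806, 0x86DD, 0x8100

# Tag priority selections offered by the page: a single value 0-7 or one of the
# listed ranges; "Any" is don't-care.
TAG_PRIORITY_RANGES = {
    "Any": range(0, 8), "0-1": range(0, 2), "2-3": range(2, 4), "4-5": range(4, 6),
    "6-7": range(6, 8), "0-3": range(0, 4), "4-7": range(4, 8),
    **{str(p): range(p, p + 1) for p in range(8)},
}


def classify_frame_type(ethertype: int) -> str:
    """Map the Length/Type field to the page's frame types.  ARP, IPv4 and IPv6
    are their own types and are deliberately NOT 'Ethernet Type' frames."""
    if ethertype == ETH_P_IPV4:
        return "IPv4"
    if ethertype == ETH_P_ARP:
        return "ARP"
    if ethertype == ETH_P_IPV6:
        return "IPv6"
    if ethertype >= 0x0600:          # IEEE 802.3: >= 1536 means Type, not Length
        return "Ethernet Type"
    return "Other"                   # 802.3 length field; only frame type Any matches (assumption)


@dataclass
class ParsedFrame:
    tagged: bool
    vlan_id: Optional[int]      # None when untagged
    priority: Optional[int]     # PCP bits of the TCI, None when untagged
    ethertype: int              # Length/Type field after any 802.1Q tag
    frame_type: str


def parse_frame(raw: bytes) -> ParsedFrame:
    """Read the 802.1Q tag (if present) and the EtherType from a raw Ethernet frame."""
    if len(raw) < 14:
        raise ValueError("runt frame")
    (tpid,) = struct.unpack_from("!H", raw, 12)
    vid = pcp = None
    type_offset = 12
    if tpid == ETH_P_8021Q:
        (tci,) = struct.unpack_from("!H", raw, 14)
        pcp, vid = tci >> 13, tci & 0x0FFF
        type_offset = 16
    (ethertype,) = struct.unpack_from("!H", raw, type_offset)
    return ParsedFrame(tpid == ETH_P_8021Q, vid, pcp, ethertype,
                       classify_frame_type(ethertype))


def policy_matches(policy: int, value: Optional[int], mask: int) -> bool:
    """Policy filter: value None means Any; otherwise bits cleared in the mask are
    don't-care, so the comparison is (policy & mask) == (value & mask)."""
    if value is None:
        return True
    return (policy & mask) == (value & mask)


def policies_matching(value: Optional[int], mask: int) -> list:
    """All policy numbers 0-255 that a given value/bitmask pair would select."""
    return [p for p in range(256) if policy_matches(p, value, mask)]


@dataclass
class Ace:
    frame_type: str = "Any"
    policy_value: Optional[int] = None   # None == Any
    policy_mask: int = 0xFF
    tagged: str = "Any"                  # Any | Enabled | Disabled
    vlan_id: Optional[int] = None        # None == Any
    tag_priority: str = "Any"


def ace_matches(ace: Ace, frame: ParsedFrame, ingress_policy: int = 0) -> bool:
    """True when the frame 'hits' the ACE.  Untagged frames carry no VID/PCP, so a
    specific VLAN ID or tag priority does not match them here (assumption)."""
    if not policy_matches(ingress_policy, ace.policy_value, ace.policy_mask):
        return False
    if ace.frame_type != "Any" and frame.frame_type != ace.frame_type:
        return False
    if ace.tagged == "Enabled" and not frame.tagged:
        return False
    if ace.tagged == "Disabled" and frame.tagged:
        return False
    if ace.vlan_id is not None and frame.vlan_id != ace.vlan_id:
        return False
    if ace.tag_priority != "Any":
        if frame.priority is None or frame.priority not in TAG_PRIORITY_RANGES[ace.tag_priority]:
            return False
    return True


# Constructed sample frames (headers only; payload bytes are irrelevant to matching).
MAC_BCAST, MAC_SRC = b"\xff" * 6, bytes.fromhex("0200c0ffee01")
TAGGED_ARP = MAC_BCAST + MAC_SRC + struct.pack("!HHH", ETH_P_8021Q, (5 << 13) | 100, ETH_P_ARP) + b"\0" * 28
UNTAGGED_IPV4 = MAC_SRC + MAC_SRC + struct.pack("!H", ETH_P_IPV4) + b"\0" * 46
UNTAGGED_LLDP = MAC_SRC + MAC_SRC + struct.pack("!H", 0x88CC) + b"\0" * 46

if __name__ == "__main__":
    print(policies_matching(3, 0xFE))        # [2, 3]: bit 0 is don't-care
    print(len(policies_matching(3, 0x10)))   # 128: 0x10 makes every bit except bit 4 don't-care
    print(parse_frame(TAGGED_ARP))
    print(ace_matches(Ace(frame_type="Ethernet Type"), parse_frame(TAGGED_ARP)))  # False
```

The policies_matching call with mask 0x10 shows why the bitmask must be chosen carefully: a mask that clears most bits turns a "specific" policy filter into one that matches half of all policies, so verify the selected set before relying on an ACE for a Deny or Shutdown action.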