This chapter describes how to configure the Access Control Lists (ACLs).
This chapter contains the following topics:
Understanding Access Control Lists

Access Control Lists (ACLs) are a collection of permit and deny conditions, called rules, that provide security by blocking unauthorized users and allowing authorized users to access specific resources. ACLs can also provide traffic flow control, restrict contents of routing updates, and decide which types of traffic are forwarded or blocked. Normally ACLs reside in a firewall router or in a router connecting two internal networks. You can set up ACLs to control traffic at Layer 2, Layer 3, or Layer 4. MAC ACLs operate on Layer 2. IP ACLs operate on Layers 3 and 4.

Features

ACL support features include Flow-based Mirroring and ACL Logging.
Using ACLs to mirror traffic is called flow-based mirroring because the traffic flow is defined by the ACL classification rules. This is in contrast to port mirroring, where all traffic encountered on a specific interface is replicated on another interface.

Limitations

The following limitations apply to ACLs. These limitations are platform dependent.
MAC ACLs

MAC ACLs are Layer 2 ACLs. You can configure the rules to inspect the following fields of a packet (limited by platform):
L2 ACLs can apply to one or more interfaces. Multiple access lists can be applied to a single interface; the sequence number determines the order of execution. You can assign packets to queues using the assign queue option.

IP ACLs

IP ACLs classify for Layers 3 and 4. Each ACL is a set of up to ten rules applied to inbound traffic. Each rule specifies whether the contents of a given field should be used to permit or deny access to the network, and may apply to one or more of the following fields within a packet:
Configuring Access Control Lists
1. Create a MAC ACL by specifying a name.
2. Create an IP ACL by specifying a number.
3. Add new rules to the ACL.
4. Configure the match criteria for the rules.
5. Apply the ACL to one or more interfaces.

Setting Up an IP ACL via CLI

The script in this section shows you how to set up an IP ACL with two rules, one applicable to TCP traffic and one to UDP traffic. The content of the two rules is the same. TCP and UDP packets will only be accepted by the Sun Netra CP3240 switch if the source and destination stations have IP addresses that fall within the defined sets.

FIGURE 22-1 IP ACL Example Network Diagram

Example 1: Create ACL 179 and Define an ACL Rule

After the mask has been applied, it permits packets carrying TCP traffic that matches the specified Source IP address, and sends these packets to the specified Destination IP address.

    config
    access-list 179 permit tcp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.0

Example 2: Define the Second Rule for ACL 179

Define the rule to set similar conditions for UDP traffic as for TCP traffic.

    access-list 179 permit udp 192.168.77.0 0.0.0.255 192.168.77.3 0.0.0.255
    exit

Example 3: Apply the Rule to Inbound Traffic on Port 1/0/2

Only traffic matching the criteria will be accepted.

    interface 0/2
    ip access-group 179 in
    exit

Setting Up a MAC ACL via CLI

The following are examples of the commands used for the MAC ACLs feature.

Example 1: Set up a MAC Access List
Example 2: Specify MAC ACL Attributes
Example 3: Configure MAC Access Group
Example 4: Set up an ACL with Permit Action
Example 5: Show MAC Access Lists
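Before moving to the web interface, here is a model of IP ACL 179 from the CLI examples above, added here as an illustration and not part of the switch documentation or its CLI: it applies the wildcard-mask semantics (0 bits must match, 1 bits are ignored), evaluates rules in order with first match winning, and falls through to the implicit deny that ends every ACL. The Rule class, evaluate function and sample packets are constructed for this example; running it shows that the second rule's destination wildcard 0.0.0.255 admits UDP to any host in 192.168.77.0/24, not only 192.168.77.3, which is worth checking against the intended policy before applying the ACL to port 0/2.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp", or "ip" (matches any protocol)
    src: str         # source address
    src_wild: str    # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str         # destination address
    dst_wild: str


def match_addr(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask compare: OR-ing the mask in blanks the 'don't care' bits."""
    w = int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) | w) == (int(IPv4Address(base)) | w)


def evaluate(acl: List[Rule], proto: str, src: str, dst: str) -> str:
    """Walk the rules in order; the first match wins; no match is an implicit deny."""
    for r in acl:
        if r.proto not in ("ip", proto):
            continue
        if match_addr(src, r.src, r.src_wild) and match_addr(dst, r.dst, r.dst_wild):
            return r.action
    return "deny"


# ACL 179 exactly as entered in the CLI examples above
ACL_179 = [
    Rule("permit", "tcp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.0"),
    Rule("permit", "udp", "192.168.77.0", "0.0.0.255", "192.168.77.3", "0.0.0.255"),
]


def demo() -> List[Tuple[Tuple[str, str, str], str]]:
    """Constructed sample packets (proto, src, dst) and the verdict each receives."""
    packets = [
        ("tcp", "192.168.77.10", "192.168.77.3"),   # rule 1: permit
        ("tcp", "192.168.77.10", "192.168.77.9"),   # deny: dst mask 0.0.0.0 requires .3
        ("udp", "192.168.77.10", "192.168.77.9"),   # rule 2: permit, 0.0.0.255 ignores last octet
        ("tcp", "10.0.0.5", "192.168.77.3"),        # deny: source outside 192.168.77.0/24
        ("icmp", "192.168.77.10", "192.168.77.3"),  # deny: no rule matches, implicit deny
    ]
    return [(p, evaluate(ACL_179, *p)) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in demo():
        print(f"{pkt[0]:4} {pkt[1]:>14} -> {pkt[2]:<14} {verdict}")
```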
Setting Up ACLs via Web Interface

The following web pages are used in the ACL feature.

FIGURE 22-2 MAC ACL Configuration Page - Create New MAC ACL
FIGURE 22-3 MAC ACL Configuration Page
FIGURE 22-4 MAC ACL Summary
FIGURE 22-5 MAC ACL Rule Configuration - Create New Rule
FIGURE 22-6 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask
FIGURE 22-7 MAC ACL Rule Configuration Page - View the Current Settings
FIGURE 22-8 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask
FIGURE 22-9 MAC ACL Rule Configuration Page - Add Destination MAC and MAC Mask
FIGURE 22-10 ACL Interface Configuration
FIGURE 22-11 IP ACL Configuration Page - Create a New IP ACL
FIGURE 22-12 IP ACL Configuration Page - Create a Rule and Assign an ID
FIGURE 22-13 IP ACL Configure IP ACL Rule Properties
FIGURE 22-14 IP ACL Rule Configuration Page - Rule with Protocol and Source IP Configuration
FIGURE 22-15 Attach IP ACL to an Interface
FIGURE 22-16 IP ACL Summary

© 2007 Diversified Technology, Inc. All Rights Reserved.
© 2009 Sun Microsystems, Inc. All rights reserved.