An Access Control List (ACL) allows you to define classification rules or establish criteria that secure your network by blocking unauthorized users and allowing authorized users to access specific areas or resources. More specifically, the ACL feature of your Linksys Managed Gigabit Switch provides the following:
- ACLs provide basic security for access to the network by controlling whether packets are forwarded or blocked at the switch ports.
- ACLs are filters that allow you to classify data packets according to a particular content in the packet header, such as the source address, destination address, source port number, destination port number, and more. Packet classifiers identify flows for more efficient processing. Each filter defines the conditions that must match for inclusion in the filter.
- ACLs provide packet filtering for IP frames (based on the protocol, TCP/UDP port number, or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast, or multicast, or based on VLAN ID or VLAN tag priority).
- ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. Policies can be used to differentiate service for client ports, server ports, network ports, or guest ports. They can also be used to strictly control network traffic by only allowing incoming frames that match the source MAC and source IP address on a specific port.
- ACLs are composed of Access Control Entries (ACEs), which are rules that determine traffic classifications. Each ACE is considered a single rule, and up to 256 rules may be defined on each ACL, with up to 3,000 rules globally.
- ACLs are used to provide traffic flow control, restrict the contents of routing updates, and determine which types of traffic are forwarded or blocked. These criteria can be specified on the basis of the MAC address or the IP address.
To configure the ACL settings of the Linksys Managed Gigabit Switch, follow the steps below:
2. Click on ACL.
The following settings can be configured under ACL:
MAC ACL
MAC ACE
IPv4 ACL
IPv4 ACE
IPv6 ACL
IPv6 ACE
ACL Binding
MAC ACL
This page displays the currently defined MAC-based ACL profiles. To add a new ACL, click +Add and enter the name of the new ACL.
- Index: This is the profile identifier.
- Name: Enter the MAC-based ACL name. You can use up to 32 alphanumeric characters.
Click Apply to accept the changes or Cancel to discard them.
MAC ACE
Use this page to view and add rules to MAC-based ACEs.
- ACL Name: Select the ACL from the list.
- Sequence: Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647 (1 will be processed first).
- Action: Select the action if a packet matches the criteria.
- Permit - forwards packets that meet the ACL criteria
- Deny - drops packets that meet the ACL criteria
- Destination MAC Address: Enter the destination MAC address.
- Source MAC Address: Enter the source MAC address.
- VLAN ID: Enter the VLAN ID to which the MAC address is attached in MAC ACE. The range is from 1 to 4094.
- 802.1p Value: Enter the 802.1p value. The range is from 0 to 7.
- Ethertype Value (Hex): Selecting this option instructs the switch to examine the Ethernet type value in each frame's header. This option can only be used to filter Ethernet II-formatted packets. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), and 8137 (IPX).
IPv4 ACL
This page displays the currently defined IPv4-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.
- Index: Displays the current number of ACLs.
- Name: Enter the IP-based ACL name. You can use up to 32 alphanumeric characters.
Click Apply to accept the changes or Cancel to discard them.
IPv4 ACE
Use this page to view and add rules to IPv4-based ACEs.
- ACL Name: Select the ACL from the list for which a rule is being created.
- Sequence: Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647 (1 will be processed first).
- Action: Select what action to take if a packet matches the criteria.
- Permit - forwards packets that meet the ACL criteria
- Deny - drops packets that meet the ACL criteria
- Protocol: Select Any, Protocol ID, or Select from a List in the drop-down menu.
- Source IP Address: Enter the source IP address or select Any.
- Destination IP Address: Enter the destination IP address or select Any.
- Type of Service: Select Any or DSCP to match from the drop-down list. When DSCP to match is selected, enter the DSCP. The range is from 0 to 63.
- ICMP Type: Select Any, Protocol ID, or Select from List from the drop-down menu.
- ICMP Code: Select Any or User Defined from the drop-down menu. When User Defined is selected, enter the ICMP code value. The range is from 0 to 255.
Click the Apply button to update the system settings.
IPv6 ACL
This page displays the currently defined IPv6-based ACL profiles. To add a new ACL, click Add and enter the name of the new ACL.
- Index: Displays the current number of ACLs.
- Name: Enter the IPv6-based ACL name. You can use up to 32 alphanumeric characters.
Click Apply to accept the changes or Cancel to discard them.
IPv6 ACE
Use this page to define an IPv6-based Access Control Entry (ACE) within a configured ACL.
- ACL Name: Select the ACL from the list.
- Sequence: Enter the sequence number which signifies the order of the specified ACL relative to other ACLs assigned to the selected interface. The valid range is from 1 to 2147483647 (1 will be processed first).
- Action: Select what action to take if a packet matches the criteria.
- Permit - forwards packets that meet the ACL criteria
- Deny - drops packets that meet the ACL criteria
- Protocol: Select Any, Protocol ID, or Select from List from the drop-down menu.
- Source IP Address: Enter the source IP address.
- Destination IP Address: Enter the destination IP address.
- Type of Service: Select Any or DSCP to match from the drop-down list. When DSCP to match is selected, enter the DSCP. The range is from 0 to 63.
Click the Apply button to update the system settings.
ACL Binding
When an ACL is bound to an interface, all the rules that have been defined for the ACL are applied to that interface. Whenever an ACL is assigned on a port or LAG, flows from that ingress or egress interface that do not match any ACE are handled by the default rule, which drops unmatched packets. To bind an ACL to an interface, select an interface, select the ACL(s) you wish to bind on the top row, and click Apply at the bottom to save your settings.
- Port: Select the port to which the ACLs are bound.
- MAC ACL: Select the MAC ACL rule to apply to the port.
- IPv4 ACL: Select the IPv4 ACL rule to apply to the port.
- IPv6 ACL: Select the IPv6 ACL rule to apply to the port.
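The following is an added teaching model, not Linksys firmware code, of how the ACEs described in the MAC ACE, IPv4 ACE and IPv6 ACE sections are evaluated once an ACL is bound to a port: rules are tried in ascending sequence order, the first match decides, and anything that matches no ACE falls to the default drop rule. The field names (src_ip, dst_ip, protocol, dscp, src_mac, vlan, ethertype) and the sample addresses are assumptions chosen for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed teaching model of first-match ACE evaluation with the implicit
# default drop for bound ACLs. Not Linksys firmware code; field names are
# assumptions. A criterion left out of an ACE means "Any".

@dataclass
class Ace:
    sequence: int                  # 1..2147483647; lowest is processed first
    action: str                    # "permit" or "deny"
    match: dict = field(default_factory=dict)  # criteria; absent key = Any

    def __post_init__(self) -> None:
        if not 1 <= self.sequence <= 2147483647:
            raise ValueError("sequence out of range")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")

def ace_matches(ace: Ace, packet: dict) -> bool:
    """True when every criterion the ACE specifies equals the packet's field."""
    return all(packet.get(key) == value for key, value in ace.match.items())

def evaluate(acl: list[Ace], packet: dict) -> str:
    """First matching ACE in ascending sequence order decides; a packet that
    matches no ACE hits the default rule for bound ACLs and is dropped."""
    for ace in sorted(acl, key=lambda a: a.sequence):
        if ace_matches(ace, packet):
            return ace.action
    return "deny"

# Constructed sample IPv4 ACL (RFC 5737 documentation addresses).
SAMPLE_ACL = [
    Ace(10, "permit", {"protocol": 1, "dst_ip": "192.0.2.1"}),   # ICMP to gateway
    Ace(20, "deny",   {"src_ip": "192.0.2.200"}),                # block one host
    Ace(30, "permit", {"src_ip": "192.0.2.10"}),                 # trusted host
]

if __name__ == "__main__":
    pings_gw = {"protocol": 1, "src_ip": "192.0.2.200", "dst_ip": "192.0.2.1"}
    web      = {"protocol": 6, "src_ip": "192.0.2.200", "dst_ip": "192.0.2.10"}
    other    = {"protocol": 6, "src_ip": "192.0.2.77",  "dst_ip": "192.0.2.10"}
    print(evaluate(SAMPLE_ACL, pings_gw))  # permit: sequence 10 is tried before 20
    print(evaluate(SAMPLE_ACL, web))       # deny: sequence 20 matches
    print(evaluate(SAMPLE_ACL, other))     # deny: no ACE matched, default drop
```

The same evaluator accepts MAC ACE criteria (src_mac, vlan, ethertype) in the match dictionary, so it can be used to check that a planned rule set permits the traffic a port actually needs before binding it.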