
Configure access control lists (ACLs)

  • An Access Control List (ACL) is a set of rules applied to a VLAN to control incoming and outgoing traffic. It is used to permit or deny packets based on criteria such as IP addresses, port numbers, and protocols, helping to enhance network security.
  • Traffic flowing in or out of a VLAN that has an ACL traffic filter profile applied will be allowed or denied based on the configured ruleset.
  • ACL rules can be configured for IPv4 and IPv6 traffic.

Each packet is checked against the ACL list from top to bottom:

  • Rule Evaluation: Starting with the first rule, the packet's attributes are compared to the rule's match criteria.
  • Allow or Deny: If the packet matches a rule, the specified action (allow or deny) is applied, and the process stops.
  • Proceed to Next Rule: If the packet doesn't match, it moves to the next rule in the list.
  • Default rule: If no rules match, the packet is implicitly denied access by default.

Configuration

Create ACL traffic filter profile

  1. Under Settings, click ACL traffic filter profile and then click (+)
  2. Under Label enter a name for the profile
  3. The rules you add next specify which IP packets are to be controlled.
  4. If necessary, click on the default rule and change the default action (default is deny)
  5. Add a new rule by clicking + Rule, then enter the description and action of the rule.
  6. Select the IP Version (IPv4 or IPv6).
  7. Add a new match criteria with the following attributes:
    • Source prefix: Enter an IPv4 or IPv6 address and prefix. Leave empty for Any.
    • Destination prefix: Enter an IPv4 or IPv6 address and prefix. Leave empty for Any.
    • Protocol: Choose protocol. For TCP and UDP, source and destination port numbers can be specified.
    • DSCP: Enter the DSCP value as a decimal number. Leave empty for Any.
    • Source Port: Enter the source port value. Leave empty for Any.
    • Destination Port: Enter the destination port value. Leave empty for Any.
    • TCP Established: Allows TCP traffic only if it is part of an already established connection (ACK or RST flag set).
  8. If required, click + Match Criteria and add more match criteria.
  9. If required, click + Rule and add more rules. Please note the order of the rules. The first rule that matches is applied.
  10. Save entries
Note:

ACLs are stateless and evaluate each packet separately, based only on IP addresses and ports. For TCP traffic, ACLs must also explicitly allow the return path.

IPv6 ACL rules are only effective if IPv6 is enabled on the corresponding VLAN and Access VPN.
For more information, see:

  • /docs/Dashboard_configuration/VLANs/VLANs_LAN-IP_addressing_routing_protocols/#configure-ipv6-on-a-vlan
  • /docs/Dashboard_configuration/VPNs/Configuring_Access_VPNs_VPN_settings/#configure-ipv6-on-an-access-vpn
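To make the top-to-bottom evaluation, the default action and the stateless return-path note above concrete, here is a small added model in Python of the rule semantics this page describes. It is not the vendor's implementation; it assumes that a rule matches when any one of its match criteria matches, and the profiles and packets below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the evaluation described on this page, not vendor code.
# Assumption: a rule hits when any one of its match criteria hits.
@dataclass
class Match:
    src_prefix: Optional[str] = None   # None means Any (IPv4 or IPv6 prefix)
    dst_prefix: Optional[str] = None
    protocol: Optional[str] = None     # "tcp", "udp", "icmp" or None for Any
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_established: bool = False      # require ACK or RST flag to be set

    def hits(self, p: dict) -> bool:
        def in_prefix(addr, prefix):
            if prefix is None:
                return True
            return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)
        if not in_prefix(p["src"], self.src_prefix) or not in_prefix(p["dst"], self.dst_prefix):
            return False
        if self.protocol and p["proto"] != self.protocol:
            return False
        if self.src_port is not None and p.get("sport") != self.src_port:
            return False
        if self.dst_port is not None and p.get("dport") != self.dst_port:
            return False
        if self.tcp_established and not (p["proto"] == "tcp" and p.get("flags", set()) & {"ACK", "RST"}):
            return False
        return True

@dataclass
class Rule:
    action: str       # "allow" or "deny"
    criteria: list    # list of Match

def evaluate(rules, packet, default="deny"):
    """Walk the list top to bottom; the first matching rule decides, else the default rule."""
    for rule in rules:
        if any(m.hits(packet) for m in rule.criteria):
            return rule.action
    return default

# Ingress profile (LAN client -> CPE): clients in 10.1.0.0/24 may open HTTPS anywhere.
INGRESS = [Rule("allow", [Match(src_prefix="10.1.0.0/24", protocol="tcp", dst_port=443)])]
# Egress profile (CPE -> LAN): because ACLs are stateless, the return path needs its own
# rule; TCP Established admits replies (ACK/RST set) while unsolicited SYNs hit the default deny.
EGRESS = [Rule("allow", [Match(dst_prefix="10.1.0.0/24", protocol="tcp", tcp_established=True)])]

# Constructed sample packets.
SYN_OUT = {"src": "10.1.0.5", "dst": "203.0.113.10", "proto": "tcp", "sport": 51000, "dport": 443, "flags": {"SYN"}}
SYNACK_BACK = {"src": "203.0.113.10", "dst": "10.1.0.5", "proto": "tcp", "sport": 443, "dport": 51000, "flags": {"SYN", "ACK"}}
SYN_IN = {"src": "203.0.113.10", "dst": "10.1.0.5", "proto": "tcp", "sport": 40000, "dport": 22, "flags": {"SYN"}}
```

Running `evaluate(EGRESS, SYNACK_BACK)` with an empty egress profile instead of `EGRESS` shows why the note matters: the reply is denied by the default rule until a return-path rule exists.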

Apply ACL traffic filter profile

  1. Under Location > VLANs, open the VLAN where the ACL should be applied.
  2. Enable IPv4 ACL, IPv6 ACL, or both depending on the required traffic filtering.
  3. In the dropdown for ingoing traffic, choose the ACL traffic filter profile for ingress direction.
  4. In the dropdown for outgoing traffic, choose the ACL traffic filter profile for egress direction.
  5. Submit configuration order
Note:

When configuring ACLs on a VLAN, it is important to view the directionality from the perspective of the CPE network interface. Here’s how to interpret the traffic directions:

  • Ingress Direction: This refers to traffic entering the CPE from the VLAN. Essentially, it represents the data traveling from a LAN client towards the CPE.
  • Egress Direction: This refers to traffic leaving the CPE and heading toward the VLAN. It involves data moving away from the CPE interface to the VLAN.
Danger:

Modifying an ACL traffic filter profile that is bound to a VLAN temporarily deactivates the ACL, so traffic forwarding is interrupted while the configuration order is being processed. This may significantly impact network operations at the location.