Configure access control lists (ACLs)
- An Access Control List (ACL) is a set of rules applied to a VLAN to control incoming and outgoing traffic. It is used to permit or deny packets based on criteria such as IP addresses, port numbers, and protocols, helping to enhance network security.
- Traffic flowing in or out of a VLAN that has an ACL traffic filter profile applied will be allowed or denied based on the configured ruleset.
Each packet is checked against the ACL rules from top to bottom:
- Rule Evaluation: Starting with the first rule, the packet's attributes are compared to the match criteria.
- Allow or Deny: If the packet matches a rule, the specified action (allow or deny) is applied, and the process stops.
- Proceed to Next Rule: If the packet doesn't match, it moves to the next rule in the list.
- Default rule: If no rules match, the packet is implicitly denied access by default.
Configuration
Create ACL traffic filter profile
- Under Settings, click ACL traffic filter profile and then click (+)
- Under Label enter a name for the profile
- The rules now specify the IP packets that are to be controlled
- If necessary, click on the default rule and change the default action (default is deny)
- Add a new rule by clicking + Rule, then enter the description and action of the rule.
- Add a new match criteria with the following attributes:
- Source prefix: Enter an IP address and prefix size. Leave empty for Any.
- Destination prefix: Enter an IP address and prefix size. Leave empty for Any.
- Protocol: Choose the protocol. For TCP and UDP, source and destination port numbers can be specified.
- DSCP: Enter the DSCP value as a decimal number. Leave empty for Any.
- Source Port: Enter the source port value as a decimal number. Leave empty for Any.
- Destination Port: Enter the destination port value as a decimal number. Leave empty for Any.
- TCP Established: The "established" option allows TCP traffic to pass only if the packet is a reply to a session that was initiated outbound. When processing the ACL, the router examines the TCP header and matches the packet if it belongs to an already established connection, indicated by the ACK or RST flag being set (represented by a "1" in the flags).
- If required, click + Match Criteria and add more match criteria.
- If required, click + Rule and add more rules. Please note the order of the rules. The first rule that matches is applied.
- Save entries
Apply ACL traffic filter profile
- Under Location > VLANs, open the VLAN where the ACL should be applied and enable IPv4 ACL
- In the dropdown for ingoing traffic, choose the ACL traffic filter profile that should apply for the ingress direction.
- In the dropdown for outgoing traffic, choose the ACL traffic filter profile that should apply for the egress direction.
- Submit configuration order
Warning
ACLs are stateless and evaluate each packet separately, based only on IP addresses and ports. For TCP traffic, ACLs must also explicitly allow the return path, for example with a rule that uses the TCP Established match criterion.
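As an added example that is not part of this documentation, the following Python model reproduces the top-to-bottom first-match evaluation, the implicit default rule and the stateless "TCP Established" check described above. The profile, the addresses and the one-criterion-per-rule simplification are constructed assumptions, not vendor behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass
class Match:                      # one match criterion; None means "Any"
    src: Optional[str] = None     # source prefix, e.g. "10.10.0.0/24"
    dst: Optional[str] = None     # destination prefix
    proto: Optional[str] = None   # "tcp", "udp" or "icmp"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    dscp: Optional[int] = None
    established: bool = False     # TCP only: packet must carry ACK or RST

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    dscp: int = 0
    flags: FrozenSet[str] = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}

def in_prefix(addr: str, prefix: Optional[str]) -> bool:
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)

def matches(m: Match, p: Packet) -> bool:
    if not (in_prefix(p.src, m.src) and in_prefix(p.dst, m.dst)):
        return False
    if m.proto is not None and m.proto != p.proto:
        return False
    if m.src_port is not None and m.src_port != p.sport:
        return False
    if m.dst_port is not None and m.dst_port != p.dport:
        return False
    if m.dscp is not None and m.dscp != p.dscp:
        return False
    # "established" is stateless: it checks header flags only, there is no session table
    return not m.established or (p.proto == "tcp" and bool(p.flags & {"ACK", "RST"}))

def evaluate(rules: List[Tuple[str, Match]], p: Packet, default: str = "deny") -> str:
    for action, m in rules:                  # top to bottom, first match wins
        if matches(m, p):
            return action
    return default                           # implicit default rule when nothing matched

# Constructed ingress profile for server VLAN 10.10.0.0/24: HTTPS in, plus replies to TCP sessions the servers opened
SERVER_INGRESS: List[Tuple[str, Match]] = [
    ("allow", Match(dst="10.10.0.0/24", proto="tcp", dst_port=443)),
    ("allow", Match(dst="10.10.0.0/24", proto="tcp", established=True)),
]
```

Because the second rule only inspects flags, it admits any TCP packet carrying ACK or RST toward the VLAN; the first-match order means the HTTPS rule is never needed for such replies.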