An Access Control List (ACL) allows you to define classification rules or establish criteria to provide security to your network by blocking unauthorized users and allowing authorized users to access specific areas or resources. More specifically, the ACL of your Linksys Managed Switch for Business features the following:
- ACLs provide basic security for access to the network by controlling whether packets are forwarded or blocked at the switch ports.
- ACLs are filters that allow you to classify data packets according to a particular content in the packet header, such as the source address, destination address, source port number, destination port number, and more. Packet classifiers identify flows for more efficient processing. Each filter defines the conditions that must match for inclusion in the filter.
- ACLs provide packet filtering for IP frames (based on the protocol, TCP/UDP port number or frame type) or layer 2 frames (based on any destination MAC address for unicast, broadcast, or multicast, or based on VLAN ID or VLAN tag priority).
- ACLs can be used to improve performance by blocking unnecessary network traffic or to implement security controls by restricting access to specific network resources or protocols. Policies can be used to differentiate service for client ports, server ports, network ports, or guest ports. They can also be used to strictly control network traffic by only allowing incoming frames that match the source MAC and source IP address on a specific port.
- ACLs are composed of Access Control Entries (ACEs), which are rules that determine traffic classifications. Each ACE is considered as a single rule, and up to 256 rules may be defined on each ACL with up to 3,000 rules globally.
- ACLs are used to provide traffic flow control, restrict contents of routing updates, and determine which types of traffic are forwarded or blocked. This criterion can be specified on a basis of the MAC address or IP address.
To configure the Access Control settings of the Linksys Managed Switch for Business, follow the steps below:
2. Click on the menu icon located at the upper-left corner of the web interface.
3. Click on Configure.
4. Select Access Control.
The Access Control page is divided into the following tabs, each described below:
- MAC ACL
- MAC ACE
- IPv4 ACL
- IPv4 ACE
- IPv6 ACL
- IPv6 ACE
- Port Binding
MAC ACL
This page displays the currently defined MAC-based ACL profiles.
- Index: This is the profile identifier.
- Name: Enter the MAC-based ACL name. You can use up to 32 alphanumeric characters.
To add a new ACL, click Add and enter the name of the new ACL. Click Apply to accept the changes or Cancel to abort the process.
MAC ACE
Use this page to view and add rules to MAC-based ACEs.
- ACL Name: Select the ACL from the list.
- Sequence: Enter the sequence number, which sets the position of this entry relative to the other entries in the ACL bound to the selected interface. The valid range is from 1 to 2147483647; the lowest sequence number is processed first.
- Action: Select the action if a packet matches the criteria.
- Permit - forwards packets that meet the ACL criteria
- Deny - drops packets that meet the ACL criteria
- Destination MAC: Enter the destination MAC address.
- Destination MAC Mask: Enter the destination MAC mask.
- Source MAC: Enter the source MAC address.
- Source MAC Mask: Enter the source MAC mask.
- VLAN ID: Enter the VLAN ID to which the MAC address is attached in MAC ACE. The range is from 1 to 4094.
- 802.1p Value: Enter the 802.1p value. The range is from 0 to 7.
- Ethertype Value (Hex): Selecting this option instructs the switch to examine the Ethernet type value in each frame's header. This option can only be used to filter Ethernet II-formatted frames. A detailed listing of Ethernet protocol types can be found in RFC 1060. A few of the more common types include 0800 (IP), 0806 (ARP), and 8137 (IPX).
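As an added illustration (written for this article, not Linksys code), the following Python simulation shows how the MAC ACE fields above combine: each entry is checked in ascending Sequence order, the first match decides Permit or Deny, and the Source/Destination MAC masks select which address bits are compared. The mask convention used here (a 1 bit must match, a 0 bit is ignored), the class and function names, and the MAC addresses are assumptions made for the example, not values from the switch.

```python
"""Constructed simulation of MAC-based ACE evaluation. Illustrative code
written for this article, not Linksys firmware; names are hypothetical."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FULL_MASK = "ff:ff:ff:ff:ff:ff"  # all 48 address bits must match


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_match(value: str, pattern: Optional[str], mask: str) -> bool:
    """Masked comparison. Assumption: a 1 bit in the mask means that bit must
    match and a 0 bit is ignored; confirm the convention on your own switch."""
    if pattern is None:
        return True
    m = mac_to_int(mask)
    return (mac_to_int(value) & m) == (mac_to_int(pattern) & m)


@dataclass
class MacAce:
    sequence: int                    # 1..2147483647; lower numbers are checked first
    action: str                      # "permit" or "deny"
    src_mac: Optional[str] = None    # None means any source
    src_mask: str = FULL_MASK
    dst_mac: Optional[str] = None    # None means any destination
    dst_mask: str = FULL_MASK
    vlan_id: Optional[int] = None    # 1..4094
    pcp: Optional[int] = None        # 802.1p value, 0..7
    ethertype: Optional[int] = None  # e.g. 0x0800 IP, 0x0806 ARP, 0x8137 IPX

    def matches(self, frame: dict) -> bool:
        return (mac_match(frame["src"], self.src_mac, self.src_mask)
                and mac_match(frame["dst"], self.dst_mac, self.dst_mask)
                and (self.vlan_id is None or frame.get("vlan") == self.vlan_id)
                and (self.pcp is None or frame.get("pcp") == self.pcp)
                and (self.ethertype is None or frame["ethertype"] == self.ethertype))


def evaluate_mac_acl(aces: List[MacAce], frame: dict) -> Tuple[str, Optional[int]]:
    """The first ACE that matches, in ascending sequence order, decides the action.
    A frame matching no ACE falls to the default rule and is dropped (see Port
    Binding). Returns (action, sequence of the deciding ACE or None)."""
    for ace in sorted(aces, key=lambda a: a.sequence):
        if ace.matches(frame):
            return ace.action, ace.sequence
    return "deny", None


# Constructed policy: ARP is allowed only from one vendor OUI (00:11:22), all
# other ARP is blocked, and the remaining traffic on VLAN 10 is permitted.
ACL = [
    MacAce(10, "permit", src_mac="00:11:22:00:00:00",
           src_mask="ff:ff:ff:00:00:00", ethertype=0x0806),
    MacAce(20, "deny", ethertype=0x0806),
    MacAce(30, "permit", vlan_id=10),
]

# Same rules, but the catch-all ARP deny was given the lowest sequence number,
# so the OUI exception at sequence 10 can never be reached.
ACL_WRONG_ORDER = [
    MacAce(5, "deny", ethertype=0x0806),
    MacAce(10, "permit", src_mac="00:11:22:00:00:00",
           src_mask="ff:ff:ff:00:00:00", ethertype=0x0806),
    MacAce(30, "permit", vlan_id=10),
]

# Constructed sample frames (addresses are made up).
BCAST = "ff:ff:ff:ff:ff:ff"
ARP_TRUSTED = {"src": "00:11:22:aa:bb:cc", "dst": BCAST, "vlan": 10, "ethertype": 0x0806}
ARP_OTHER = {"src": "00:aa:bb:cc:dd:ee", "dst": BCAST, "vlan": 10, "ethertype": 0x0806}
IP_VLAN10 = {"src": "00:aa:bb:cc:dd:ee", "dst": "00:11:22:aa:bb:cc", "vlan": 10, "ethertype": 0x0800}
IP_VLAN20 = {"src": "00:aa:bb:cc:dd:ee", "dst": "00:11:22:aa:bb:cc", "vlan": 20, "ethertype": 0x0800}

if __name__ == "__main__":
    for name, frame in [("ARP_TRUSTED", ARP_TRUSTED), ("ARP_OTHER", ARP_OTHER),
                        ("IP_VLAN10", IP_VLAN10), ("IP_VLAN20", IP_VLAN20)]:
        print(name, evaluate_mac_acl(ACL, frame), evaluate_mac_acl(ACL_WRONG_ORDER, frame))
```

The second ACL is the point of the example: the sequence number is the security-relevant field. Once the catch-all ARP deny sorts ahead of the vendor exception, the exception is dead configuration, and the switch gives no warning that it can never match.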
IPv4 ACL
This page displays the currently defined IPv4-based ACL profiles.
- Index: Displays the current number of ACLs.
- Name: Enter the IP-based ACL name. You can use up to 32 alphanumeric characters.
To add a new ACL, click Add and enter the name of the new ACL. Click Apply to accept the changes or Cancel to abort the process.
IPv4 ACE
Use this page to view and add rules to IPv4-based ACEs.
- ACL Name: Select the ACL from the list for which a rule is being created.
- Sequence: Enter the sequence number, which sets the position of this entry relative to the other entries in the ACL bound to the selected interface. The valid range is from 1 to 2147483647; the lowest sequence number is processed first.
- Action: Select what action to take if a packet matches the criteria.
- Permit - forwards packets that meet the ACL criteria
- Deny - drops packets that meet the ACL criteria
- Protocol: Select Any, Protocol ID, or Select from a List in the drop-down menu.
- Destination IP: Enter the destination IP address or select Any.
- Destination IP Mask: Enter the destination IP mask.
- Destination Port Range: Enter the destination port range.
- Source IP: Enter the source IP address or select Any.
- Source IP Mask: Enter the source IP mask.
- Source Port Range: Enter the source port range.
- Flag Set: Select a TCP Flag.
- URG (Urgent), ACK (Acknowledgment), PS (Push), RST (Reset), SYN (Synchronize), or FIN (Fin)
- Don't Care - The ACE ignores the TCP control flag.
- Set - The packet with the TCP control flag being set matches the criteria.
- Unset - The packet with the TCP control flag being unset matches the criteria.
- Actions: Select to Deny or Permit.
IPv6 ACL
This page displays the currently defined IPv6-based ACL profiles.
- Index: Displays the current number of ACLs.
- Name: Enter the IPv6-based ACL name. You can use up to 32 alphanumeric characters.
To add a new ACL, click Add and enter the name of the new ACL. Click Apply to accept the changes or Cancel to abort the process.
IPv6 ACE
Use this page to define IPv6-based Access Control Entries (ACEs) within a configured ACL.
- ACL Name: Select the ACL from the list.
- Sequence: Enter the sequence number, which sets the position of this entry relative to the other entries in the ACL bound to the selected interface. The valid range is from 1 to 2147483647; the lowest sequence number is processed first.
- Action: Select what action to take if a packet matches the criteria.
- Permit - forwards packets that meet the ACL criteria
- Deny - drops packets that meet the ACL criteria
- Protocol: Select Any, Protocol ID, or Select from a List in the drop-down menu.
- Destination IP: Enter the destination IP address.
- Destination IP Prefix Length: Enter the destination IP prefix length.
- Destination Port Range: Enter the destination port range.
- Source IP: Enter the source IP address.
- Source IP Prefix Length: Enter the source IP prefix length.
- Source Port Range: Enter the source port range.
- Flag Set: Select a TCP Flag.
- URG (Urgent), ACK (Acknowledgment), PS (Push), RST (Reset), SYN (Synchronize), or FIN (Fin)
- Don't Care - The ACE ignores the TCP control flag.
- Set - The packet with the TCP control flag being set matches the criteria.
- Unset - The packet with the TCP control flag being unset matches the criteria.
- DSCP
- ICMP: Select the ICMP type from the list.
- ICMP Code: Enter 0-255.
- Actions: Select to Deny or Permit.
Port Binding
When an ACL is bound to an interface, all the rules that have been defined for the ACL are applied to that interface. Whenever an ACL is assigned to a port or LAG, traffic entering or leaving that interface that does not match any entry in the ACL is handled by the default rule, which drops unmatched packets.
- Port: Select the port to which the ACLs are bound.
- MAC ACL: Select the MAC ACL rule to apply to the port.
- IPv4 ACL: Select the IPv4 ACL rule to apply to the port.
- IPv6 ACL: Select the IPv6 ACL rule to apply to the port.
To bind an ACL to an interface, select the interface, select the ACL(s) you wish to bind on the top row, and click Apply at the bottom to save your settings.
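The following Python simulation, added here and not part of the Linksys documentation, puts the IPv4 ACE fields and the Port Binding default rule together: IP masks, port ranges and the three-state TCP Flag Set (Don't Care, Set, Unset) are checked in Sequence order on a port that has an ACL bound, anything that matches no entry is dropped, and a port with no ACL bound forwards everything. The subnet-style mask convention (1 bits must match), the hypothetical port names GE1 and GE2, the function names and all addresses are constructed assumptions for the example.

```python
"""Constructed simulation of IPv4 ACE matching and port binding. Illustrative
code written for this article, not Linksys firmware; names are hypothetical."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

# TCP Flag Set tri-state: None = Don't Care, True = Set, False = Unset.
FlagSpec = Dict[str, Optional[bool]]
TCP, UDP, ICMP = 6, 17, 1  # IP protocol numbers


def ip_match(value: str, pattern: Optional[str], mask: str) -> bool:
    """Masked comparison. Assumption: 1 bits in the mask must match (subnet-mask
    style). Some switches use the inverse wildcard convention; verify yours."""
    if pattern is None:  # "Any"
        return True
    m = int(IPv4Address(mask))
    return (int(IPv4Address(value)) & m) == (int(IPv4Address(pattern)) & m)


def port_in_range(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    """Inclusive port range; None means any port."""
    if rng is None:
        return True
    return port is not None and rng[0] <= port <= rng[1]


def flags_match(pkt: dict, spec: FlagSpec) -> bool:
    """Only Set/Unset entries constrain the packet; Don't Care entries are skipped."""
    constrained = {k: v for k, v in spec.items() if v is not None}
    if not constrained:
        return True
    if pkt["proto"] != TCP:
        return False  # a flag condition can only be satisfied by a TCP segment
    present = pkt.get("flags", set())
    return all((k in present) == v for k, v in constrained.items())


@dataclass
class Ipv4Ace:
    sequence: int
    action: str                                  # "permit" or "deny"
    protocol: Optional[int] = None               # IP protocol number; None = Any
    src_ip: Optional[str] = None
    src_mask: str = "255.255.255.255"
    dst_ip: Optional[str] = None
    dst_mask: str = "255.255.255.255"
    src_ports: Optional[Tuple[int, int]] = None  # inclusive range; None = any
    dst_ports: Optional[Tuple[int, int]] = None
    flags: FlagSpec = field(default_factory=dict)

    def matches(self, pkt: dict) -> bool:
        return ((self.protocol is None or pkt["proto"] == self.protocol)
                and ip_match(pkt["src"], self.src_ip, self.src_mask)
                and ip_match(pkt["dst"], self.dst_ip, self.dst_mask)
                and port_in_range(pkt.get("sport"), self.src_ports)
                and port_in_range(pkt.get("dport"), self.dst_ports)
                and flags_match(pkt, self.flags))


def evaluate_ipv4_acl(aces: List[Ipv4Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    """Lowest sequence first, first match wins, no match means drop."""
    for ace in sorted(aces, key=lambda a: a.sequence):
        if ace.matches(pkt):
            return ace.action, ace.sequence
    return "deny", None


def filter_on_port(bindings: Dict[str, List[Ipv4Ace]], port: str, pkt: dict) -> Tuple[str, Optional[int]]:
    """Port Binding: a bound port applies every ACE of its ACL and drops whatever
    matches nothing; a port with no ACL bound forwards everything."""
    acl = bindings.get(port)
    if acl is None:
        return "permit", None
    return evaluate_ipv4_acl(acl, pkt)


# Constructed policy for a server port: the server at 10.0.1.10 may answer
# HTTPS clients and query the local resolver, but may not open TCP
# connections of its own (SYN without ACK is denied).
SERVER_ACL = [
    Ipv4Ace(10, "permit", protocol=TCP, src_ip="10.0.1.10",
            src_ports=(443, 443), flags={"ACK": True}),
    Ipv4Ace(20, "deny", protocol=TCP, flags={"SYN": True, "ACK": False}),
    Ipv4Ace(30, "permit", protocol=UDP, src_ip="10.0.1.10",
            dst_ip="10.0.0.53", dst_ports=(53, 53)),
]
BINDINGS = {"GE1": SERVER_ACL}  # GE2 is deliberately left unbound

# Constructed sample packets (made-up private and documentation addresses).
HTTPS_REPLY = {"proto": TCP, "src": "10.0.1.10", "dst": "10.0.5.7",
               "sport": 443, "dport": 51000, "flags": {"ACK", "PSH"}}
SYN_ACK = {"proto": TCP, "src": "10.0.1.10", "dst": "10.0.5.7",
           "sport": 443, "dport": 51000, "flags": {"SYN", "ACK"}}
OUTBOUND_SYN = {"proto": TCP, "src": "10.0.1.10", "dst": "203.0.113.5",
                "sport": 40000, "dport": 443, "flags": {"SYN"}}
DNS_QUERY = {"proto": UDP, "src": "10.0.1.10", "dst": "10.0.0.53", "sport": 5353, "dport": 53}
PING = {"proto": ICMP, "src": "10.0.1.10", "dst": "10.0.5.7"}

if __name__ == "__main__":
    for name, pkt in [("HTTPS_REPLY", HTTPS_REPLY), ("SYN_ACK", SYN_ACK), ("OUTBOUND_SYN", OUTBOUND_SYN),
                      ("DNS_QUERY", DNS_QUERY), ("PING", PING)]:
        print(name, "GE1:", filter_on_port(BINDINGS, "GE1", pkt), "GE2:", filter_on_port(BINDINGS, "GE2", pkt))
```

Two things worth noticing when running it: the ICMP packet is dropped on GE1 even though no entry mentions ICMP, because binding an ACL brings the implicit drop with it, so every protocol the port legitimately needs must have a Permit entry; and the same packet passes on GE2 simply because nothing is bound there, which is why an audit of ACL policy has to look at the Port Binding page, not only at the ACE lists.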