ACL

1. Function Overview

An access list (ACL) is an ordered set of conditions that determines whether a frame is permitted or denied.
When an access list is applied to an interface, frames that are permitted, and frames that match none of the conditions, are forwarded; frames that are denied are discarded.
Because only the specified frames are selected for forwarding, this feature is used mainly for security purposes.
This product supports the three access list types shown in the table below.

  • Access list type

    Access list type   Deciding criteria     Access list ID   Purpose of use
    IPv4 access list   Source IPv4 address   1–2000           Filters access from specific hosts and networks.
    IPv6 access list   Source IPv6 address   3001–4000        Filters access from specific hosts and networks.
    MAC access list    Source MAC address    2001–3000        Filters access from specific devices.

2. Definition of Terms Used

ACL

Abbreviation of “Access Control List”.

Wildcard mask

Information that specifies which bits of the specified IPv4 address or MAC address are compared. It is used when specifying a range of IPv4 addresses or MAC addresses as an ACL condition.

  • When the wildcard mask bit is “0”: check the corresponding bit

  • When the wildcard mask bit is “1”: do not check the corresponding bit

Examples of settings using wildcard masks are shown below. (In each entry, the second value is the wildcard mask.)

  • To specify conditions for subnet 192.168.1.0/24: 192.168.1.0 0.0.0.255 (specified in decimal)

  • To specify conditions for vendor code 00-A0-DE---*: 00A0.DE00.0000 0000.00FF.FFFF (specified in hexadecimal)

3. Function Details

3.1. Generate access list

A maximum of 28 access lists can be created for each of the following types: IPv4 access lists, IPv6 access lists, and MAC access lists.
A maximum of 128 control conditions can be registered per access list.
A frame that satisfies none of the registered control conditions is forwarded as usual.
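The matching rules from sections 2 and 3.1, as an added example in Python (not Yamaha's code): wildcard-mask comparison for IPv4 and MAC addresses, prefix matching for IPv6, first-match evaluation, and the default of forwarding a frame that matches no condition. The three access lists are the ones configured in section 5, re-entered here as data; the sample source addresses are constructed.

```python
import ipaddress

# Added example (not Yamaha's code): a model of how an access list on this product
# decides a frame by its source address. Conditions are tested in order and the
# first match wins; a frame that matches no condition is forwarded as usual
# (section 3.1), so an allow-list needs an explicit "deny any" as its last entry.

def _mac_to_int(mac):
    """Accept 00-A0-DE-12-34-56, 00:a0:de:12:34:56 or 00a0.de12.3456."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)

def ipv4_match(addr, base, wildcard):
    """Wildcard mask bit 0 = compare that bit, 1 = ignore it (section 2)."""
    keep = ~int(ipaddress.IPv4Address(wildcard))   # bits that must be equal
    return (int(ipaddress.IPv4Address(addr)) & keep) == (int(ipaddress.IPv4Address(base)) & keep)

def mac_match(addr, base, wildcard):
    """The same wildcard rule applied to a 48-bit MAC address."""
    keep = ~_mac_to_int(wildcard)
    return (_mac_to_int(addr) & keep) == (_mac_to_int(base) & keep)

def ipv6_match(addr, prefix):
    """IPv6 conditions on this product are written as prefixes, e.g. 2001:db8::/64."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(prefix)

def evaluate(acl, source):
    """acl is a list of (action, predicate); predicate is None for 'any'.
    Returns 'permit' or 'deny' for a frame from the given source address."""
    for action, predicate in acl:
        if predicate is None or predicate(source):
            return action
    return "permit"  # no condition matched: forwarded as usual

# The access lists configured in section 5, written as data.
ACL_123 = [   # IPv4, network form: allow only 192.168.1.0/24
    ("permit", lambda s: ipv4_match(s, "192.168.1.0", "0.0.0.255")),
    ("deny", None),
]
ACL_3001 = [  # IPv6: allow only 2001:db8::/64
    ("permit", lambda s: ipv6_match(s, "2001:db8::/64")),
    ("deny", None),
]
ACL_2001 = [  # MAC, vendor form: block OUI 00-A0-DE; everything else falls through
    ("deny", lambda s: mac_match(s, "00a0.de00.0000", "0000.00ff.ffff")),
]
```

For instance, evaluate(ACL_123, "192.168.1.77") returns "permit" while evaluate(ACL_123, "10.0.0.1") returns "deny"; with ACL_2001, which has no trailing "deny any", a non-matching MAC address is permitted by the default rule.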

3.2. Applying to the interface

The following table shows how access lists are applied to the interfaces of this product.
Note that only one access list can be applied to an interface.

    Access list type   LAN port     VLAN interface   Logical interface
                       in    out    in    out        in    out
    IPv4 access list   Yes   No     No    No         No    No
    IPv6 access list   Yes   No     No    No         No    No
    MAC access list    Yes   No     No    No         No    No

The number of access lists that can be applied to interfaces depends on the number of control conditions registered in those access lists.
The maximum number of control conditions that can be used in the entire system is 896 for IPv4 and MAC combined, and 384 for IPv6.
Applying an access list to an interface consumes resources equal to the number of control conditions registered in that access list.

3.3. LAN port settings

The steps for applying access lists to LAN ports are shown below.

  1. Decide on the filtering parameters, and generate the access list.

    • Add a name if necessary.

  2. Check the access list.

  3. Apply the access list to the LAN port.

  4. Check the applied access list.

A list of operation commands is given below.

  • Access list operation commands

    Access list type   Generate access list   Check access list   Apply access list   Check applied access list
    IPv4 access list   access-list            show access-list    access-group        show access-group
    IPv6 access list   access-list            show access-list    access-group        show access-group
    MAC access list    access-list            show access-list    access-group        show access-group

4. Related Commands

Related commands are indicated below.
For details on the commands, refer to the Command Reference.

    Operations                                Operating commands
    Generate IPv4 access list                 access-list
    Add comment to IPv4 access list           access-list description
    Apply IPv4 access list                    access-group
    Generate IPv6 access list                 access-list
    Add comment to IPv6 access list           access-list description
    Apply IPv6 access list                    access-group
    Generate MAC access list                  access-list
    Add comment to MAC access list            access-list description
    Apply MAC access list                     access-group
    Show generated access list                show access-list
    Show access list applied to interface     show access-group

5. Examples of Command Execution

5.1. IPv4 access list settings

■ Specify host

Set LAN port #1 so that it only allows access from host: 192.168.1.1.
The access list ID to be used is #123, and the access list name IPV4-ACL-EX is added.

  1. Generate and confirm access list #123.

    Yamaha(config)#access-list 123 permit host 192.168.1.1 (1)
    Yamaha(config)#access-list 123 deny any
    Yamaha(config)#access-list 123 description IPV4-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 123 (3)
    IPv4 access list 123
        10 permit host 192.168.1.1
        20 deny any
    Yamaha#
    1 Generate access list
    2 Name access list
    3 Check access list
  2. Apply access list #123 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 123 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : IPv4 access group 123 in
    1 Apply access list
    2 Check access list settings

■ Specify network

Set LAN port #1 so that it only allows access from network: 192.168.1.0/24.
The access list ID to be used is #123, and the access list name IPV4-ACL-EX is added.

  1. Generate and confirm access list #123.

    Yamaha(config)#access-list 123 permit 192.168.1.0 0.0.0.255 (1)
    Yamaha(config)#access-list 123 deny any
    Yamaha(config)#access-list 123 description IPV4-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show ip access-list (3)
    IPv4 access list 123
        10 permit 192.168.1.0/24
        20 deny any
    Yamaha#
    1 Generate access list
    2 Name access list
    3 Check ACL
  2. Apply access list #123 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 123 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : IPv4 access group 123 in
    1 Apply access list
    2 Check access list settings

5.2. IPv6 access list settings

■ Specify host

Set LAN port #1 so that it only allows access from host: 2001:db8::1.
The access list ID to be used is #3001, and the access list name is IPV6-ACL-EX.

  1. Generate and confirm access list #3001.

    Yamaha(config)#access-list 3001 permit 2001:db8::1/128 (1)
    Yamaha(config)#access-list 3001 deny any
    Yamaha(config)#access-list 3001 description IPV6-ACL-EX (2)
    Yamaha(config)#end
    
    Yamaha# show access-list 3001 (3)
    IPv6 access list 3001
        10 permit 2001:db8::1/128
        20 deny any
    1 Generate access list
    2 Name access list
    3 Check access list
  2. Apply access list #3001 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 3001 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : IPv6 access group 3001 in
    1 Apply access list
    2 Check access list settings

■ Specify network

Set LAN port #1 so that it only allows access from network: 2001:db8::/64.
The access list ID to be used is #3001, and the access list name is IPV6-ACL-EX.

  1. Generate and confirm access list #3001.

    Yamaha(config)#access-list 3001 permit 2001:db8::/64 (1)
    Yamaha(config)#access-list 3001 deny any
    Yamaha(config)#access-list 3001 description IPV6-ACL-EX (2)
    Yamaha(config)#end
    
    Yamaha# show access-list 3001 (3)
    IPv6 access list 3001
        10 permit 2001:db8::/64
        20 deny any
    1 Generate access list
    2 Name access list
    3 Check access list
  2. Apply access list #3001 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 3001 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : IPv6 access group 3001 in
    1 Apply access list
    2 Check access list settings

5.3. MAC access list settings

■ Specify host

Set LAN port #1 so that it denies access only from host 00-A0-DE-12-34-56 and allows all others.
The access list ID to be used is #2001, and the access list name MAC-ACL-EX is added.

  1. Generate and confirm access list #2001.

    Yamaha(config)#access-list 2001 deny host 00a0.de12.3456 (1)
    Yamaha(config)#access-list 2001 description MAC-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 2001 (3)
    MAC access list 2001
        10 deny host 00A0.DE12.3456
    1 Generate access list
    2 Set access list name
    3 Check access list
  2. Apply access list #2001 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 2001 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : MAC access group 2001 in
    1 Apply access list
    2 Check access list settings

■ Specify vendor

Set LAN port #1 so that it denies access only from vendor code 00-A0-DE---* (00-A0-DE-00-00-00 to 00-A0-DE-FF-FF-FF) and allows all others.
The access list ID to be used is #2001, and the access list name MAC-ACL-EX is added.

  1. Generate and confirm access list #2001.

    Yamaha(config)#access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff (1)
    Yamaha(config)#access-list 2001 description MAC-ACL-EX (2)
    Yamaha(config)#end
    Yamaha#
    Yamaha#show access-list 2001 (3)
    MAC access list 2001
        10 deny 00A0.DE00.0000 0000.00FF.FFFF
    1 Generate access list
    2 Set access list name
    3 Check access list
  2. Apply access list #2001 to LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#access-group 2001 in (1)
    Yamaha(config-if)#end
    Yamaha#
    Yamaha#show access-group (2)
    Interface port1.1 : MAC access group 2001 in
    1 Apply access list
    2 Check access list settings

6. Points of Caution

  • If access lists are applied to LAN ports belonging to a logical interface, the settings applied to the port with the lowest port number of the logical interface will also be applied to the other ports belonging to that logical interface.