ACL
1. Function Overview
An access list (ACL) is a conditional statement that determines whether a frame is permitted or denied.
When an access list is applied to an interface, frames that are permitted, and frames that match none of the conditions, are forwarded; frames that are denied are discarded.
As this allows for only specified frames to be selected for transfer, this feature is primarily used for security purposes.
This product supports three access list types, as shown in the table below.
Access list types

Access list type | Deciding criteria | Access list ID | Purpose of use |
---|---|---|---|
IPv4 access list | Source IPv4 address | 1–2000 | Filters access from specific hosts and networks. |
IPv6 access list | Source IPv6 address | 3001–4000 | Filters access from specific hosts and networks. |
MAC access list | Source MAC address | 2001–3000 | Filters access from specific devices. |
2. Definition of Terms Used
ACL
Abbreviation of “Access Control List”.
Wildcard mask
Information that specifies which bits of the specified IPv4 address or MAC address are compared. It is used when specifying a range of IPv4 addresses or MAC addresses as ACL conditions.
- When the wildcard mask bit is “0”: check the corresponding bit
- When the wildcard mask bit is “1”: do not check the corresponding bit
Examples of settings using wildcard masks are shown below. (In each example the second value is the wildcard mask.)
- To specify conditions for subnet 192.168.1.0/24: 192.168.1.0 0.0.0.255 (specified in decimal)
- To specify conditions for vendor code 00-A0-DE---*: 00A0.DE00.0000 0000.00FF.FFFF (specified in hexadecimal)
3. Function Details
3.1. Generate access list
A maximum of 28 access lists can be created for each of the following types: IPv4 access lists, IPv6 access lists, and MAC access lists.
A maximum of 128 control conditions can be registered per access list.
If the registered control conditions are not satisfied, forwarding occurs as usual.
3.2. Applying to the interface
The following table shows how access lists are applied to the interfaces of this product.
Note that only one access list can be applied to an interface.
Access list type | LAN port in | LAN port out | VLAN interface in | VLAN interface out | Logical interface in | Logical interface out |
---|---|---|---|---|---|---|
IPv4 access list | Yes | No | No | No | No | No |
IPv6 access list | Yes | No | No | No | No | No |
MAC access list | Yes | No | No | No | No | No |
The number of access lists that can be applied to interfaces depends on the number of control conditions registered in those access lists.
The maximum number of control conditions that can be used in the entire system is 896 for IPv4 and MAC combined, and 384 for IPv6.
Applying an access list to an interface consumes resources equal to the number of control conditions registered in that access list.
3.3. LAN port settings
The steps for applying access lists to LAN ports are shown below.
- Decide on the filtering parameters, and generate the access list.
- Add a name if necessary.
- Check the access list.
- Apply the access list to the LAN port.
- Check the applied access list.
A list of operation commands is given below.

Access list operation commands

Access list type | Generate access list | Check access list | Apply access list | Check applied access list |
---|---|---|---|---|
IPv4 access list | access-list | show access-list | access-group | show access-group |
IPv6 access list | access-list | show access-list | access-group | show access-group |
MAC access list | access-list | show access-list | access-group | show access-group |
4. Related Commands
Related commands are indicated below.
For details on the commands, refer to the Command Reference.
Operations | Operating commands |
---|---|
Generate IPv4 access list | access-list |
Add comment to IPv4 access list | access-list description |
Apply IPv4 access list | access-group |
Generate IPv6 access list | access-list |
Add comment to IPv6 access list | access-list description |
Apply IPv6 access list | access-group |
Generate MAC access list | access-list |
Add comment to MAC access list | access-list description |
Apply MAC access list | access-group |
Show generated access list | show access-list |
Show access list applied to interface | show access-group |
5. Examples of Command Execution
5.1. IPv4 access list settings
■ Specify host
Set LAN port #1 so that it only allows access from host: 192.168.1.1.
The access list ID to be used is #123, and the access list name IPV4-ACL-EX is added.
- Generate and confirm access list #123.

```
Yamaha(config)#access-list 123 permit host 192.168.1.1    (1)
Yamaha(config)#access-list 123 deny any
Yamaha(config)#access-list 123 description IPV4-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 123    (3)
IPv4 access list 123
    10 permit host 192.168.1.1
    20 deny any
Yamaha#
```

(1) Generate access list (2) Name access list (3) Check access list

- Apply access list #123 to LAN port #1.

```
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 123 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : IPv4 access group 123 in
```

(1) Apply access list (2) Check access list settings
■ Specify network
Set LAN port #1 so that it only allows access from network: 192.168.1.0/24.
The access list ID to be used is #123, and the access list name IPV4-ACL-EX is added.
- Generate and confirm access list #123.

```
Yamaha(config)#access-list 123 permit 192.168.1.0 0.0.0.255    (1)
Yamaha(config)#access-list 123 deny any
Yamaha(config)#access-list 123 description IPV4-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show ip access-list    (3)
IPv4 access list 123
    10 permit 192.168.1.0/24
    20 deny any
Yamaha#
```

(1) Generate access list (2) Name access list (3) Check ACL

- Apply access list #123 to LAN port #1.

```
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 123 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : IPv4 access group 123 in
```

(1) Apply access list (2) Check access list settings
5.2. IPv6 access list settings
■ Specify host
Set LAN port #1 so that it only allows access from host: 2001:db8::1.
The access list ID to be used is #3001, and the access list name is IPV6-ACL-EX.
- Generate and confirm access list #3001.

```
Yamaha(config)#access-list 3001 permit 2001:db8::1/128    (1)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#access-list 3001 description IPV6-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 3001    (3)
IPv6 access list 3001
    10 permit 2001:db8::1/128
    20 deny any
```

(1) Generate access list (2) Name access list (3) Check access list

- Apply access list #3001 to LAN port #1.

```
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 3001 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : IPv6 access group 3001 in
```

(1) Apply access list (2) Check access list settings
■ Specify network
Set LAN port #1 so that it only allows access from network: 2001:db8::/64.
The access list ID to be used is #3001, and the access list name is IPV6-ACL-EX.
- Generate and confirm access list #3001.

```
Yamaha(config)#access-list 3001 permit 2001:db8::/64    (1)
Yamaha(config)#access-list 3001 deny any
Yamaha(config)#access-list 3001 description IPV6-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 3001    (3)
IPv6 access list 3001
    10 permit 2001:db8::/64
    20 deny any
```

(1) Generate access list (2) Name access list (3) Check access list

- Apply access list #3001 to LAN port #1.

```
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 3001 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : IPv6 access group 3001 in
```

(1) Apply access list (2) Check access list settings
5.3. MAC access list settings
■ Specify host
Set LAN port #1 so that it only denies access from host: 00-A0-DE-12-34-56 and allows all others.
The access list ID to be used is #2001, and the access list name MAC-ACL-EX is added.
- Generate and confirm access list #2001.

```
Yamaha(config)#access-list 2001 deny host 00a0.de12.3456    (1)
Yamaha(config)#access-list 2001 description MAC-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 2001    (3)
MAC access list 2001
    10 deny host 00A0.DE12.3456
```

(1) Generate access list (2) Set access list name (3) Check access list

- Apply access list #2001 to LAN port #1.

```
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 2001 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : MAC access group 2001 in
```

(1) Apply access list (2) Check access list settings
■ Specify vendor
Set LAN port #1 so that it only denies access from vendor code: 00-A0-DE---* (00-A0-DE-00-00-00 to 00-A0-DE-FF-FF-FF) and allows all others.
The access list ID to be used is #2001, and the access list name MAC-ACL-EX is added.
- Generate and confirm access list #2001.

```
Yamaha(config)#access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff    (1)
Yamaha(config)#access-list 2001 description MAC-ACL-EX    (2)
Yamaha(config)#end
Yamaha#
Yamaha#show access-list 2001    (3)
MAC access list 2001
    10 deny 00A0.DE00.0000 0000.00FF.FFFF
```

(1) Generate access list (2) Set access list name (3) Check access list

- Apply access list #2001 to LAN port #1.

```
Yamaha(config)#interface port1.1
Yamaha(config-if)#access-group 2001 in    (1)
Yamaha(config-if)#end
Yamaha#
Yamaha#show access-group    (2)
Interface port1.1 : MAC access group 2001 in
```

(1) Apply access list (2) Check access list settings
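The following Python script is an added example and is not part of this manual or Yamaha's firmware. It models the behaviour described on this page so that a configuration can be checked offline before it is pushed to a switch: it parses the access-list commands from the section 5 examples, applies the wildcard-mask rule from section 2 (mask bit 0 = compare, mask bit 1 = ignore), evaluates a frame's source address against a list, and adds up the per-pool resources that section 3.2 says an applied list consumes. It assumes, because the page does not state it, that rules are checked in the order they were entered and the first match decides, and that a list applied to several interfaces is charged once per interface; that a frame matching no rule is forwarded follows from sections 1 and 3.1. The sample configuration and the applied-interface map are constructed for the example.

```python
# Added example, not Yamaha code: an offline model of the ACL behaviour this page describes.
# Assumptions not stated by the page: first matching rule wins; a list applied to several
# interfaces is charged once per interface.
import ipaddress

SYSTEM_LIMITS = {"IPv4+MAC": 896, "IPv6": 384}   # system-wide condition limits, section 3.2


def acl_type(acl_id: int) -> str:
    """Derive the list type from the ID ranges in the overview table."""
    if 1 <= acl_id <= 2000:
        return "IPv4"
    if 2001 <= acl_id <= 3000:
        return "MAC"
    if 3001 <= acl_id <= 4000:
        return "IPv6"
    raise ValueError(f"access list ID {acl_id} is outside the supported ranges")


def mac_int(mac: str) -> int:
    """Accept 00a0.de12.3456, 00-A0-DE-12-34-56 or 00:a0:de:12:34:56 and return a 48-bit int."""
    return int(mac.replace(".", "").replace("-", "").replace(":", ""), 16)


def ipv4_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(value: int, base: int, wildcard: int) -> bool:
    """Bits that are 0 in the wildcard mask must be equal; bits that are 1 are not checked."""
    return (value & ~wildcard) == (base & ~wildcard)


def build_matcher(acl_id: int, tokens: list):
    """Turn the condition part of an access-list command into a predicate on a source address."""
    if tokens == ["any"]:
        return lambda src: True
    kind = acl_type(acl_id)
    if kind == "IPv6":                      # IPv6 lists use prefix notation on this page
        net = ipaddress.IPv6Network(tokens[0], strict=False)
        return lambda src: ipaddress.IPv6Address(src) in net
    to_int = ipv4_int if kind == "IPv4" else mac_int
    if tokens[0] == "host":                 # exact match on a single address
        target = to_int(tokens[1])
        return lambda src: to_int(src) == target
    base, wildcard = to_int(tokens[0]), to_int(tokens[1])   # "<address> <wildcard mask>"
    return lambda src: wildcard_match(to_int(src), base, wildcard)


def parse_config(config: str) -> dict:
    """Return {acl_id: [(action, matcher), ...]} in the order the rules were entered.
    'description' lines only name the list and carry no condition, so they are skipped."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "access-list" and parts[2] in ("permit", "deny"):
            acl_id = int(parts[1])
            acls.setdefault(acl_id, []).append((parts[2], build_matcher(acl_id, parts[3:])))
    return acls


def evaluate(acls: dict, acl_id: int, source: str) -> str:
    """First matching rule decides; a frame that matches no rule is forwarded ('permit')."""
    for action, matcher in acls.get(acl_id, []):
        if matcher(source):
            return action
    return "permit"


def resource_usage(acls: dict, applied: dict) -> dict:
    """Conditions consumed per pool by the lists in `applied` ({interface: acl_id})."""
    usage = {pool: 0 for pool in SYSTEM_LIMITS}
    for acl_id in applied.values():
        pool = "IPv6" if acl_type(acl_id) == "IPv6" else "IPv4+MAC"
        usage[pool] += len(acls[acl_id])
    return usage


# Constructed input: the access-list commands from the section 5 examples.
SAMPLE_CONFIG = """
access-list 123 permit 192.168.1.0 0.0.0.255
access-list 123 deny any
access-list 123 description IPV4-ACL-EX
access-list 3001 permit 2001:db8::/64
access-list 3001 deny any
access-list 3001 description IPV6-ACL-EX
access-list 2001 deny 00a0.de00.0000 0000.00ff.ffff
access-list 2001 description MAC-ACL-EX
"""
ACLS = parse_config(SAMPLE_CONFIG)
APPLIED = {"port1.1": 123, "port1.2": 2001, "port1.3": 3001}   # constructed interface map

if __name__ == "__main__":
    for acl_id, src in [(123, "192.168.1.77"), (123, "10.0.0.5"),
                        (3001, "2001:db8::1"), (3001, "2001:db9::1"),
                        (2001, "00-A0-DE-12-34-56"), (2001, "00-11-22-33-44-55")]:
        print(acl_id, src, "->", evaluate(ACLS, acl_id, src))
    for pool, used in resource_usage(ACLS, APPLIED).items():
        print(f"{pool}: {used}/{SYSTEM_LIMITS[pool]} conditions in use")
```

The MAC list in the sample has no trailing `deny any`, so an address outside the 00-A0-DE vendor range falls through every rule and is forwarded, which is the implicit-permit behaviour of section 1; the IPv4 and IPv6 lists end in `deny any` and therefore block everything they do not explicitly permit.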
6. Points of Caution
- If access lists are applied to LAN ports belonging to a logical interface, the settings applied to the port with the lowest port number of the logical interface will also be applied to the other ports belonging to that logical interface.