Managing Access Control Lists
  • 25 Sep 2024

An Access Control List (ACL) is a network access control mechanism you can use to allow or block specific MAC or IP addresses from reaching the Cisco Provider Connectivity Assurance Sensor Control for management purposes.

You can create up to 10 lists, and each list can contain up to 40 rules. Each rule allows or blocks addresses. Rules are ranked using the Priority field, with the rule configured with the highest priority applied first.

We recommend setting the priorities so that the most specific rules are evaluated first. For example, a high-priority rule could grant access to a specific IP address within a subnet, and the next rule could deny access to the whole subnet, thus blocking all remaining IP addresses in that subnet. Another example would be to first deny access to subnet 10.10.10.0/26, then allow access to the wider subnet 10.10.0.0/16.


Note: Once all rules have executed, all remaining frames are dropped (this is the default rule). You must therefore ensure the addresses you want to allow are accepted by at least one rule of the ACL.
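As an added illustration (not the product's own code), the rule-evaluation order described above modelled in Python: rules are walked in priority order, the first enabled match decides, anything unmatched hits the default drop rule, and per-rule counters track the Packets statistic. The ACL and rule names, and the rule set in demo(), are constructed to mirror the two examples given above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    rtype: str           # "ipsrc" or "macsrc", as in the ACL Definition table
    value: str           # IP address, IPv4 subnet (CIDR) or MAC address
    action: str          # "accept" or "drop"
    priority: int        # 1-255, 1 is evaluated first
    enabled: bool = True
    packets: int = 0     # hit counter, the per-rule "Packets" statistic

    def matches(self, src: str) -> bool:
        if self.rtype == "macsrc":
            return src.lower() == self.value.lower()
        try:  # ipsrc: host address or subnet; a MAC source never parses as an IP
            return ipaddress.ip_address(src) in ipaddress.ip_network(self.value, strict=False)
        except ValueError:
            return False

class ACL:
    def __init__(self, name: str, rules: list):
        if len(rules) > 40:
            raise ValueError("an ACL holds at most 40 rules")
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.priority)  # priority 1 first
        self.default_dropped = 0  # the "Default Dropped Packets" statistic

    def evaluate(self, src: str) -> str:
        """First enabled rule whose Value matches decides; no match hits the default drop rule."""
        for rule in self.rules:
            if rule.enabled and rule.matches(src):
                rule.packets += 1
                return rule.action
        self.default_dropped += 1
        return "drop"

def demo() -> dict:
    # Constructed rule set: allow one host then deny its subnet; deny a /26 then allow its /16.
    acl = ACL("mgmt-acl", [
        Rule("allow-admin", "ipsrc", "192.0.2.10", "accept", priority=1),
        Rule("deny-mgmt-net", "ipsrc", "192.0.2.0/24", "drop", priority=2),
        Rule("deny-lab-26", "ipsrc", "10.10.10.0/26", "drop", priority=3),
        Rule("allow-corp-16", "ipsrc", "10.10.0.0/16", "accept", priority=4),
    ])
    sources = ["192.0.2.10", "192.0.2.11", "10.10.10.5", "10.10.20.5", "198.51.100.1"]
    return {src: acl.evaluate(src) for src in sources}
```

Swapping the priorities of the two 10.10.x rules makes the /16 accept match first, so the /26 drop never fires; this is the ordering mistake the recommendation above guards against.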

Once the ACL is created, you can then assign it to one or more interfaces. On each interface you can also select the type of protocol (CLI [SSH and Telnet], WEB, SNMP) to which the ACL applies. Refer to the article "Configuring Logical Interfaces".


CAUTION: If you assign an ACL to an interface, you or another user may lose access to the Sensor Control.


Note: ACLs apply to local interfaces only.

Setting Up an ACL

▶ To set up an ACL

  1. Access the page System ▶ ACL.
     A summary of all lists that have been configured is displayed. For more information on specific parameters, refer to the table at the end of this procedure.

  2. Click Add to add a new ACL, or click the Name of an existing ACL to edit its settings.

  3. Complete the required fields, then click Apply.
    For more information on specific parameters, refer to the following table.

ACL Definition Summary (System ▶ ACL)

Name
    The name of the ACL list.
State
    The state of the list:
    • Assigned: The list is used by at least one interface.
    • Unassigned: The list is not currently used by an interface.
Interface list
    Names of the interfaces using this list.
    Clicking an interface name opens the ACL statistics, showing the number of packets hit, on a per-rule basis, for this specific interface.

ACL Definition

Type
    The type of ACL list:
    • ipsrc: IPv4 and IPv6 address values are filtered.
    • macsrc: MAC address values are filtered.
Value
    The source addresses (IP or MAC) to filter. IP addresses can be entered using a subnet mask.
    If the Type is ipsrc:
    • Unique IPv4 address (ex: 192.168.0.100)
    • IPv4 subnet (ex: 192.0.2.0/24)
    If the Type is macsrc:
    • Unique MAC address
Action
    The filter action to take:
    • Drop: This rule drops CPU-destined frames/packets coming from the address specified in the Value field.
    • Accept: This rule accepts CPU-destined frames/packets coming from the address specified in the Value field.
    Note: Frames/packets dropped by a higher-priority rule cannot be recovered with a lower-priority Accept rule.
Name
    The name of the rule.
Priority
    The priority of the rule.
    Range: 1-255 (1 is the highest priority)
State
    Enable or disable the rule.
Packets
    The number of packets that have been intercepted by the rule:
    • If the Action is set to Accept for this rule, the number of packets accepted and sent to the CPU for processing.
    • If the Action is set to Drop for this rule, the number of packets dropped.

Deleting an ACL

▶ To delete an ACL

  1. Access the page System ▶ ACL.

  2. Click the ACL Name to delete.

  3. Click Delete.

Viewing ACL Statistics

▶ To view ACL statistics for each interface

  1. Access the page System ▶ ACL.

  2. Click the name of the interface in the Interface List.
     A count of Packets for each ACL rule defined is displayed. The Default Dropped Packets statistic (i.e., associated with the default rule) is displayed at the top of the page. For more information on specific parameters, refer to the table "ACL Definition Summary (System ▶ ACL)".

  3. To clear the statistics, click the Clear button.

  4. To update the statistics, click the Refresh button.

© 2024 Cisco and/or its affiliates. All rights reserved.