ACL 

Access Control List (ACL) profiles are used for security purposes to set restrictions and/or to grant permissions for certain types of data traffic and what can be allowed and/or disallowed to flow through a port.

ACL profiles can also be used for policing specific flows of interest, limiting the effect of denial-of-service attacks on subscriber endpoints.

Panorama PON allows the service provider to configure ACL profiles for the Tellabs 1100 Series GPON system architectures.

Information Note: ACL profiles are supported only on N:N Bridged Service Type connections.

ACL Operation

ACLs are used in the system either to deny traffic on a default Permit (open) VLAN or to accept (permit) traffic on a default Deny VLAN. A default Permit VLAN forwards traffic unless a Deny ACL blocks it. A default Deny VLAN drops all traffic except that which is explicitly allowed by a Permit ACL.


In many installations, the VLAN is set up as a Default Deny which will discard all traffic.  Then common ACLs are used to grant or permit access to certain traffic types.  This is done with Permit ACLs.  

VLAN Configuration/VLAN Posture

To use authentication effectively, the ACL Profile and configurable rules must be initially created. The specified profile can be associated with individual connections. Up to eight rules can be incorporated into each ACL Profile. The profile then applies these rules on a per Network VLAN (N-VLAN) and/or subscriber basis.

In addition, ACLs can be configured in conjunction with the Optical LAN Terminal’s 802.1x authorization system. This allows a user to be bound to a port via the Media Access Control (MAC) address that is learned during the 802.1x Port Authentication process.

Each VLAN has a default posture.  This defines the basic security posture of the VLAN.  The ACL Mode indicates this security posture. The ACL Mode can be one of the following:

  • Disable All ACLs - No ACLs are permitted on this VLAN and all packets are permitted to flow across the VLAN.
  • Basic ACL Default Deny - By default all packets will be dropped unless explicitly permitted.  ACLs must be used to permit the traffic that is desired to flow on that VLAN.  Basic ACLs are limited to filtering on the source MAC and source IP address.  VLANs are created in Disable All ACLs mode by default; using ACLs requires changing the ACL Mode.
  • Extended Default Deny - By default, all packets on the VLAN will be dropped unless explicitly permitted by an ACL.  Extended ACLs can filter on many of the fields in an IP packet but require more resources, so fewer of them can be created.  An Extended Default Deny VLAN will allow either Basic ACLs or Extended ACLs.
  • Extended Default Permit - By default, all packets will flow on the VLAN unless an ACL causes them to be denied.  Both Extended and Basic ACLs are allowed using this VLAN mode.

For proper operation of the Sticky MAC, Any MAC, Authorized MAC and Static MAC source-MAC options (see MAC Addresses below), the VLAN must be set up as a default Deny VLAN. Either Extended Default Deny or Basic ACL Default Deny can be used.

Mixing Access Methods on the Same VLAN

Different areas of the network or building may have different access policies based on where the port is located. This can be accommodated by the NAC profile that is assigned to the port. Each NAC profile can have a different access policy which is enforced by the Service Profile’s ACL. 

The example above demonstrates an architecture where the policy/NAC profile can be assigned based on location and used to enforce policy on the same VLAN. This allows for a very flexible architecture which still maintains security. It should be noted that the best policy is often to isolate users to maximize security, but this example shows how a hybrid approach can be used that simplifies network configuration and routing in small networks.

ACL Profile Attributes

The following ACL profile attributes are available for user editing.


Rules

Rules are listed in the left-hand column and have three fields available for editing. Select the Rule from the list to edit the rule fields.

  • Rule Name - This is a user-supplied name for the filter. This helps define the purpose of the filter. The name must be unique within the ACL filters of a connection. Multiple connections can have the same ACL filter names.
  • ACL Type - Defaults to Extended ACL.
    • Basic ACL - Basic ACLs are used to bind a user on a connection to a configured MAC address and/or IP address range or subnet.
    • Extended ACL - Extended ACLs allow filtering deeper into the body of the packet and filtering on most of the fields of IPv4, IPv6 and other EtherType packets.
    Information Note: This setting is determined when ACL Mode for the selected uplink interface is enabled.
  • Action - This field determines which action is taken when the filter matches.
    • Accept (Permit) - (Implemented as Accept) Forward the packet if it matches the ACL Filter criteria.
    • Drop (Deny) - (Implemented as Drop) Drop the packet if it matches the ACL Filter criteria.

Options (Extended ACL)

  • 802.1P priority - Packets can be filtered on the 802.1p priority bit that they are marked with. 
  • Data Link Flooding (DLF) - Destination Lookup Failure: This filter setting matches packets that are not found in the learned MAC entries. This field is typically only used when policing packets that would normally be flooded to each port due to not having a MAC table entry. 
  • IP Protocol - Select one of the following filter types.
    • IPv4/ARP (0x0800): The filter is designed to match IPv4 packets and ARP packets (EtherTypes 0x0800 and 0x0806).
    • IPv6 (0x86dd): The filter applies only to IPv6 packets (EtherType 0x86dd).
    • ARP (0x0806) - The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address.
    • EtherType 0x: The user specifies EtherTypes that should be either Permitted into the network or Denied from the network.
  • Ether Type - Specify a custom Ether Type value to match

MAC Addresses (Extended ACL)

  • Source MAC(s)/IP(s) - Allows the user to define a list of MACs that are Permitted or Denied for use of the connection. Source MACs can be defined in the following ways:
    • Authorized MAC(s) - Used to indicate that MACs authorized by 802.1x should be allowed ingress to the port. Once the MAC is learned, it is filled into the ACL filters and is then used for filtering of ingress traffic. Typically used in conjunction with other criteria such as the Bound Src IP field. To use this setting, select Authorized MACs and then click Add.
    • Any MAC(s) - Used when specific device access is not limited, but ACLs are created that would apply to any device attached to the port. Typically used for limiting traffic types for any user attached to the port.
    • Static MAC(s) - Used to define specific MAC addresses that are allowed, or denied, entry to a given port. To use this setting, select Sticky MAC and then enter the MAC address in the data entry field and click Add.
    • Sticky MAC - Uses a specialized "fe:fe:fe:fe:fe:fe" MAC address along with the desired number of Static MAC(s) to allow to be latched and stuck to the forwarding database.
    • Gratuitous ARP - A request/reply that is not normally needed according to the ARP specification (RFC 826) but could be used in some cases.
  • Destination MACs - This field can be used to allow or restrict access to certain MAC Addresses. Up to 32 Destination MAC Addresses can be specified.
    • Add a MAC - CIDR Format (fe:fe:fe:fe:fe:fe/16)
  • Destination IPs - This field can be used to allow or restrict access to certain Destination IP Addresses or subnets. Up to 32 Destination IP Addresses or subnets can be specified.
    • Add an IP - CIDR Format (192.168.1.1/16)

Ports (Extended ACL)

  • Source - Source port of the packet, as a single port or a range. Choose from N/A, Single, or Range.
    • Single - Specify a Source Port.
    • Range - Specify the Source Port range.
  • Destination - Destination port of the packet, as a single port or a range. Choose from N/A, Single, or Range.
    • Single - Specify a Destination Port.
    • Range - Specify the Destination Port range.

Other (Extended ACL)

  • Max MAC(s) - This defines the ACL Filter criteria for the maximum number of authorized MACs that are allowed to be authenticated by 802.1x on that port. The 802.1x PAE can be configured to support either a single MAC authorized on the port or multiple MACs can be allowed to be authorized on the port.
  • Max IPs Per MAC - Up to 32 IP Addresses or subnets can be specified.  
  • TTL - Time To Live field - IPv4 and IPv6 Packets whose Time To Live field exactly matches the value entered are filtered.
    • Range is 0 - 255.
  • Flags - selection of Don't Fragment (DF) or More Fragments (MF)
    • Don't Fragment - Don’t Fragment field of IPv4/IPv6.  
    • More Fragments - More Fragment field of IPv4/IPv6.  
  • IP - Indicates IP Type of Service. This field allows filter matching against the DiffServ Code Point (DSCP) or the Type of Service (TOS) bits in IPv4 and IPv6. (The TOS definition is the older definition for this field and is deprecated; DSCP is the typical usage of this field today.) The value specified must be an exact match. The following values are allowed:
    • N/A - Ignore the DSCP Field.
    • DSCP - The field is treated as a DSCP value, with an allowed range of 0-63.
    • TOS - This field should be treated as the traditional TOS field of IPv4. Select 0 through 7 from the following:
      • 0 = Routine - Used for all messages that justify transmission by electrical means unless the message delivery is of sufficient urgency to require higher precedence.
      • 1 = Priority - Used for all messages that require expeditious action by the addressee(s) and/or furnish essential information for the conduct of ongoing operations.
      • 2 = Immediate - Reserved for messages relating to situations that gravely affect the security of National/Allied forces or populace.
      • 3 = Flash - Reserved for initial enemy contact messages or operational combat messages of extreme urgency.
      • 4 = Flash override - Reserved for messages relating to the outbreak of hostilities and/or detonation of nuclear devices.
      • 5 = CRITIC/ECP - Stands for "Critical and Emergency Call Processing" and should only be used for authorized emergency communications, for example in the United States Government Emergency Telecommunications Service (GETS), the United Kingdom Government Telephone Preference Scheme (GTPS) and similar government emergency preparedness or reactionary implementations elsewhere.
      • 6 = Internetwork Control - Intended to be used within a network only. The actual use and control of that designation is up to each network.
      • 7 = Network Control - Intended for use by gateway control originators only.
  • Protocol - This field allows filtering on specific IP protocols such as TCP, UDP, or any other Protocol value. The following values are allowed:
    • N/A - Ignore the Protocol field.
    • ICMP - Filter match on ICMP packets. 
    • TCP - Filter match on TCP packets.
    • UDP - Filter match on UDP packets.
    • Other - Allows user to specify the Protocol to be filtered. This value is entered as a hexadecimal byte.
  • TCP Flags - Filter on specific TCP Flag settings. The following filter selections are available:
    • URGent Pointer - Data is sent out of band.
    • ACKnowledgement - The receiver sends an ACK that equals the sender's sequence number plus the Len, or amount of data, at the TCP layer.
    • SYNchronization - Used during session setup to agree on initial sequence numbers. Sequence numbers are random.
    • PuSH - Forces data delivery without waiting for buffers to fill. This is used for interactive traffic. The data is delivered to the application on the receiving end without buffering.
    • ReSeT - An instantaneous abort in both directions (abnormal session disconnection).
    • FINished - Used during a graceful session close to show that the sender has no more data to send.
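The following is an added example and is not code from the Panorama PON documentation or the Tellabs product. It models, in Python, how the VLAN's ACL Mode (the default posture described under "VLAN Configuration/VLAN Posture") combines with an ACL profile's rules and the Extended ACL match fields described above to decide whether a packet is forwarded or dropped. The evaluation order (rules checked in list order, first match wins), the meaning of an unset rule field ("do not filter on this field"), and all MAC and IP values are assumptions made for the illustration; the eight-rule limit, the four modes, the Basic ACL restriction to source MAC/IP and the Accept/Drop actions are taken from the page.

```python
# Added example, not part of the Panorama PON / Tellabs documentation: a
# model of how a VLAN's ACL Mode (its default posture) and an ACL profile's
# rules decide whether a packet is forwarded. Assumed for the illustration:
# rules are checked in list order and the first match wins; a rule field
# left as None means "do not filter on this field".
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Set, Tuple

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17      # IP protocol numbers
MAX_RULES = 8                                    # eight rules per ACL profile
MODES = ("disable_all", "basic_default_deny",
         "extended_default_deny", "extended_default_permit")


@dataclass
class Packet:
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    protocol: Optional[int] = None
    dst_port: Optional[int] = None
    tcp_flags: FrozenSet[str] = frozenset()


def _in_any(addr: Optional[str], networks: List[str]) -> bool:
    return addr is not None and any(
        ip_address(addr) in ip_network(n, strict=False) for n in networks)


@dataclass
class Rule:
    name: str
    action: str                                  # "accept" or "drop"
    src_macs: Optional[Set[str]] = None          # None = Any MAC
    src_ips: Optional[List[str]] = None          # CIDR strings
    dst_ips: Optional[List[str]] = None          # CIDR strings
    ethertype: Optional[int] = None
    protocol: Optional[int] = None
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive (low, high)
    tcp_flags: Optional[FrozenSet[str]] = None   # every listed flag must be set

    def is_basic(self) -> bool:
        """Basic ACLs filter only on source MAC and source IP."""
        return all(f is None for f in (self.dst_ips, self.ethertype,
                                       self.protocol, self.dst_ports, self.tcp_flags))

    def matches(self, pkt: Packet) -> bool:
        if self.src_macs is not None and pkt.src_mac.lower() not in self.src_macs:
            return False
        if self.src_ips is not None and not _in_any(pkt.src_ip, self.src_ips):
            return False
        if self.dst_ips is not None and not _in_any(pkt.dst_ip, self.dst_ips):
            return False
        if self.ethertype is not None and pkt.ethertype != self.ethertype:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_ports is not None and (
                pkt.dst_port is None or not self.dst_ports[0] <= pkt.dst_port <= self.dst_ports[1]):
            return False
        if self.tcp_flags is not None and not self.tcp_flags <= pkt.tcp_flags:
            return False
        return True


def evaluate(mode: str, rules: List[Rule], pkt: Packet) -> str:
    """Return "forward" or "drop" for pkt under the given ACL Mode."""
    if mode not in MODES:
        raise ValueError(f"unknown ACL Mode {mode!r}")
    if len(rules) > MAX_RULES:
        raise ValueError("an ACL profile holds at most eight rules")
    if mode == "disable_all":
        return "forward"                         # no ACLs applied on this VLAN
    if mode == "basic_default_deny" and not all(r.is_basic() for r in rules):
        raise ValueError("Basic ACL Default Deny allows only Basic ACLs")
    for rule in rules:
        if rule.matches(pkt):
            return "forward" if rule.action == "accept" else "drop"
    return "forward" if mode == "extended_default_permit" else "drop"   # VLAN posture


# Constructed sample profile: permit ARP and DHCP from any device, deny Telnet,
# and otherwise let only one bound MAC reach 10.0.0.0/8 (values are made up).
SAMPLE_RULES = [
    Rule("permit-arp", "accept", ethertype=ETHERTYPE_ARP),
    Rule("permit-dhcp", "accept", ethertype=ETHERTYPE_IPV4, protocol=PROTO_UDP, dst_ports=(67, 67)),
    Rule("deny-telnet", "drop", ethertype=ETHERTYPE_IPV4, protocol=PROTO_TCP, dst_ports=(23, 23)),
    Rule("permit-bound-host", "accept", src_macs={"00:11:22:33:44:55"},
         ethertype=ETHERTYPE_IPV4, dst_ips=["10.0.0.0/8"]),
]
SAMPLE_PACKETS = {   # constructed packets; MAC and IP values are made up
    "arp-from-unknown": Packet("aa:bb:cc:dd:ee:ff", ETHERTYPE_ARP),
    "dhcp-discover": Packet("aa:bb:cc:dd:ee:ff", ETHERTYPE_IPV4, "0.0.0.0", "255.255.255.255", PROTO_UDP, 67),
    "telnet-from-bound": Packet("00:11:22:33:44:55", ETHERTYPE_IPV4, "10.1.1.50", "10.1.1.1", PROTO_TCP, 23,
                                tcp_flags=frozenset({"SYN"})),
    "https-from-bound": Packet("00:11:22:33:44:55", ETHERTYPE_IPV4, "10.1.1.50", "10.1.1.1", PROTO_TCP, 443),
    "https-from-unknown": Packet("aa:bb:cc:dd:ee:ff", ETHERTYPE_IPV4, "10.1.1.51", "10.1.1.1", PROTO_TCP, 443),
}


def decide_all(mode: str, rules: List[Rule] = SAMPLE_RULES) -> dict:
    """Evaluate every sample packet under one ACL Mode."""
    return {name: evaluate(mode, rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for mode in ("extended_default_deny", "extended_default_permit"):
        print(mode, decide_all(mode))
```

Running it shows the posture difference the page describes: under Extended Default Deny the HTTPS packet from an unknown MAC is dropped because no Permit rule matches it, while under Extended Default Permit the same packet is forwarded and only the explicit Deny (Telnet) rule drops anything. Passing the sample profile to a Basic ACL Default Deny VLAN raises an error, because those rules filter on EtherType and ports rather than only on source MAC/IP.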

Rates (Extended ACL)

  • CIR (Kb/s) - Committed Information Rate - Defines the rate that is used in srTCM (single rate Three Color Marker) policing as the Committed Information Rate. Packets that match the filter criteria and exceed the CIR for longer than the CBS/EBS parameter allows are dropped. Packets that arrive at less than the CIR are passed.
    • Value in Kbps. Range: 64,000 - 1,000,000,000
  • PIR (Kb/s) - Peak Information Rate - Defines the peak information rate, in bits per second, set on routers and/or switches to allow throughput overhead. Packets that exceed the committed information rate (CIR) but are below the peak information rate (PIR) are marked with medium-high packet-loss priority (yellow). Packets that exceed the PIR are marked with high packet-loss priority (red). You can configure a discard action for packets that exceed the PIR.
    • Value in Kbps. Range: 64,000 - 1,000,000,000
  • CBS - Committed Burst Size - Controls the guaranteed burst size for policing. Packets that exceed the CBS but are less than the EBS are marked DE (Discard Eligible / yellow packets).
    • Range is 0 - 10000000.
  • EBS/PBS - Excess Burst Size/Peak Burst Size - Packets that exceed this burst size setting are dropped (red packets).
    • Range is 0 - 10000000.
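As an added example (not code from the documentation or the product), the following Python models the srTCM policing that the Rates section refers to, using the two-bucket scheme of RFC 2697 with the page's CIR, CBS and EBS terms: traffic within the committed bucket is green, traffic that overflows into the excess bucket is yellow (Discard Eligible), and traffic beyond that is red and dropped. The assumptions are that CBS and EBS are measured in bytes, that the marker is colour-blind, and that the per-colour actions are forward / forward-marked-DE / drop; the burst and policer values are constructed for the demonstration.

```python
# Added example, not from the Panorama PON / Tellabs documentation: a token
# bucket model of srTCM (single rate Three Color Marker, RFC 2697) policing
# using the CIR/CBS/EBS terms from the Rates section. Assumptions: CBS and
# EBS are in bytes, the marker is colour-blind, and the actions are
# green = forward, yellow = forward marked Discard Eligible, red = drop.
from typing import List, Tuple

ACTIONS = {"green": "forward", "yellow": "forward-DE", "red": "drop"}


class SrTcmPolicer:
    def __init__(self, cir_kbps: int, cbs_bytes: int, ebs_bytes: int):
        if not 64_000 <= cir_kbps <= 1_000_000_000:      # CIR range given on the page
            raise ValueError("CIR out of range")
        self.cir_bytes_per_s = cir_kbps * 1000 / 8
        self.cbs, self.ebs = cbs_bytes, ebs_bytes
        self.tc, self.te = float(cbs_bytes), float(ebs_bytes)  # both buckets start full
        self.last = 0.0

    def _refill(self, now: float) -> None:
        # Tokens accrue at CIR; the committed bucket (CBS) fills first and any
        # overflow spills into the excess bucket (EBS), as in RFC 2697.
        tokens = max(0.0, now - self.last) * self.cir_bytes_per_s
        self.last = now
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)

    def color(self, now: float, size: int) -> str:
        self._refill(now)
        if self.tc >= size:          # within CIR/CBS
            self.tc -= size
            return "green"
        if self.te >= size:          # exceeds CBS but still within EBS
            self.te -= size
            return "yellow"
        return "red"                 # exceeds EBS: dropped


def police(policer: SrTcmPolicer, packets: List[Tuple[float, int]]) -> List[Tuple[str, str]]:
    """packets are (timestamp_seconds, size_bytes); returns (colour, action) per packet."""
    out = []
    for ts, size in packets:
        c = policer.color(ts, size)
        out.append((c, ACTIONS[c]))
    return out


# Constructed burst: six 1500-byte frames, five back-to-back at t=0 and one
# 1 ms later, through a 64,000 kb/s policer with a 3000-byte CBS and EBS.
SAMPLE_BURST = [(0.0, 1500)] * 5 + [(0.001, 1500)]


def demo_burst() -> List[str]:
    """Colours assigned to SAMPLE_BURST by a fresh policer."""
    return [c for c, _ in police(SrTcmPolicer(64_000, 3000, 3000), SAMPLE_BURST)]


if __name__ == "__main__":
    print(demo_burst())   # ['green', 'green', 'yellow', 'yellow', 'red', 'green']
```

The burst illustrates the CBS/EBS distinction: the first two frames fit the committed bucket, the next two spill into the excess bucket and are forwarded marked DE, the fifth exceeds both and is dropped, and after 1 ms at 64 Mb/s (8000 bytes of tokens) both buckets are full again so the sixth frame is green.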
