ACL Configurations
ACLs are used in the system either to deny traffic on a Default Permit (open) VLAN or to permit traffic on a Default Deny VLAN.

In many installations the VLAN is set up as Default Deny, which discards all traffic. Common ACLs are then used to grant access to specific traffic types. This is done with Permit ACLs.
VLAN Configuration/VLAN Posture
Each VLAN has a default posture. This defines the basic security posture of the VLAN. The ACL Mode indicates this security posture. The ACL Mode can be one of the following:
- Disable All ACLs - No ACLs are permitted on this VLAN and all packets are permitted to flow across the VLAN.
- Basic ACL Default Deny - By default, all packets will be dropped unless explicitly permitted. ACLs must be used to permit the traffic that is desired to flow on that VLAN. Basic ACLs are limited to filtering on the source MAC and Source IP address.
- Extended Default Deny - By default, all packets on the VLAN will be dropped unless explicitly permitted by an ACL. Extended ACLs can filter many of the fields in an IP packet but require more resources and fewer can be created. An Extended Default Deny VLAN will allow either Basic ACLs or Extended ACLs.
- Extended Default Permit - By default, all packets will flow on the VLAN unless an ACL causes them to be denied. Both Extended and Basic ACLs are allowed using this VLAN mode.
For proper operation of the Sticky MAC, Any MAC, Authorized MAC and Static MAC ACLs discussed above, the VLAN must be set up as a default Deny VLAN. Either Extended Default Deny or Basic Default Deny can be used.
EMS ACL Mode Setup
- Open a Panorama PON (EMS) session and click on the Switching icon button and the VLAN properties tab.
- Verify the VLAN ACL-mode is in a default mode. Output similar to the following is displayed:
- Select Basic ACL Default Deny on the ACL Mode Dropdown, click on the Apply button to activate the ACL properties. Output similar to the following is displayed:
CLI ACL Mode Setup
| Note: Go to OLT CLI Manual>CLI Commands>Profiles>ACL for the full list of current ACL profiles. |
The CLI vlan edit command can be used to modify the ACL mode of an existing VLAN within the system, or the vlan create command can be used to create a new VLAN.
Create new vlan
ESUx> vlan create name=153 <enter>
success.
ESUx> _
Edit acl-mode
ESUx> vlan edit name=153 acl-mode=basic <enter>
success.
ESUx> _
Verify vlan acl-mode
ESUx> vlan show <enter>
                                   VLAN Properties
|=========|============|=========|=====|============|==========|==================================|
| VLAN    | Bridge     | Bridge  | MST | ACL        |          |                                  |
| Name    | Domain     | Type    | ID  | Mode       | DAI      | User Label (ifAlias)             |
|=========|============|=========|=====|============|==========|==================================|
| 153     | customer   | full    | cist| basic-deny | disabled |                                  |
| 2992    | customer   | full    | cist| disabled   | disabled | MGMT                             |
| 2996    | customer   | full    | cist| disabled   | disabled | CLITest                          |
|=========|============|=========|=====|============|==========|==================================|
ESUx> _
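The verification step above is easy to automate when many VLANs are in play. The following Python helper is an added example (not part of the Tellabs manual or product): it parses the pipe-delimited vlan show table and reports every VLAN whose ACL Mode is not a default-deny mode, which is the condition the MAC-binding ACLs require. The sample text is constructed here, modelled on the output shown above; only basic-deny appears on the page, so the extended-deny spelling for the Extended Default Deny mode is an assumption.

```python
# Added example: audit 'vlan show' output for VLANs that are not Default Deny.
# Not Tellabs code; the table layout follows the output shown on the page.

# Value names: 'basic-deny' is from the page, 'extended-deny' is an assumed
# spelling for the Extended Default Deny mode.
DEFAULT_DENY_VALUES = {"basic-deny", "extended-deny"}

# Constructed sample, modelled on the vlan show table above
SAMPLE_OUTPUT = """\
ESUx> vlan show <enter>
                                   VLAN Properties
|=========|============|=========|=====|============|==========|==================================|
| VLAN    | Bridge     | Bridge  | MST | ACL        |          |                                  |
| Name    | Domain     | Type    | ID  | Mode       | DAI      | User Label (ifAlias)             |
|=========|============|=========|=====|============|==========|==================================|
| 153     | customer   | full    | cist| basic-deny | disabled |                                  |
| 2992    | customer   | full    | cist| disabled   | disabled | MGMT                             |
| 2996    | customer   | full    | cist| disabled   | disabled | CLITest                          |
|=========|============|=========|=====|============|==========|==================================|
ESUx> _
"""

# Column order of the table, left to right
COLUMNS = ["name", "bridge_domain", "bridge_type", "mst_id", "acl_mode", "dai", "label"]


def parse_vlan_show(text: str) -> list:
    """Return one dict per VLAN row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("|") or stripped.startswith("|="):
            continue                                  # prompt, title or separator line
        cells = [c.strip() for c in stripped.strip("|").split("|")]
        if len(cells) != len(COLUMNS) or not cells[0].isdigit():
            continue                                  # the two header lines
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def vlans_without_default_deny(text: str) -> list:
    """Names of VLANs whose ACL Mode would let unbound subscriber traffic through."""
    return [r["name"] for r in parse_vlan_show(text)
            if r["acl_mode"] not in DEFAULT_DENY_VALUES]


if __name__ == "__main__":
    for row in parse_vlan_show(SAMPLE_OUTPUT):
        print(row["name"], row["acl_mode"], row["label"] or "-")
    print("not default deny:", vlans_without_default_deny(SAMPLE_OUTPUT))
```

Run it against a saved copy of the real vlan show output instead of SAMPLE_OUTPUT; any VLAN it lists will not enforce the MAC-binding ACLs until its acl-mode is changed with vlan edit.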
Mixing Access Methods on the Same VLAN
Different areas of the network or building may have different access policies based on where the port is located. This can be accommodated by the NAC profile that is assigned to the port. Each NAC profile can have a different access policy which is enforced by the Service Profile’s ACL.

The example above demonstrates an architecture where the policy/NAC profile can be assigned based on location and used to enforce policy on the same VLAN. This allows for a very flexible architecture which still maintains security. It should be noted that the best policy is often to isolate users to maximize security, but this example shows how a hybrid approach can be used that simplifies network configuration and routing in small networks.
Overview
Access Control List rules are used for security purposes to restrict or permit the types of data traffic allowed to flow on a port. ACLs can also be used to police specific flows of interest to limit the effect of denial-of-service attacks on subscriber endpoints.
The Tellabs Panorama PON allows the service provider to configure Access Control Lists (ACLs) for the Tellabs 1100 Series GPON system architectures.
| Note: ACLs are only supported on N:N Bridged service type connections. |
The Global ACL feature is used to give all QOIU cards on a selected OLT the same set of filters.
To use this feature, ACL Filters with configurable parameters must be created. The ACL Filters are then associated with individual cross-connects. Up to 8 ACL rules can be associated with each cross-connect. The ACL rules are applied per Network VLAN (N-VLAN) and per subscriber.
ACLs can also be configured in conjunction with the 802.1x authorization system of the OLT. This allows a user to be bound to a port via the MAC address that is learned during the 802.1x Port Authentication process.
All ACLs operate on Ingress traffic only (traffic upstream going from the subscriber port toward the network). The Tellabs 1100 Series supports two types of ACL filters:
- “Basic ACL Filters”
- “Extended ACL Filters”
Basic ACL Filters
Basic ACL filters are small, lightweight ACL filters used to bind a user on a port to a configured MAC address and/or IP address range or subnet. This ACL application behavior utilizes few system resources and is very scalable. Up to 8192 Basic ACL filters can be provisioned on each QOIU7 module (4-port OLT PON module) when ONLY Basic ACLs are used on that VLAN.
| Note: To achieve up to 8192 ACL Filter support per 4-port OLT PON card (QOIU7), the VLAN must be configured for Basic ACLs only (in the VLAN Properties Table) and no Extended ACL-type filters can be allowed on that VLAN. |
Extended ACL Filters
Extended ACL filters allow filtering deeper into the body of the packet and allow filtering on most of the fields of IPv4, IPv6 and other EtherType packets. Up to 512 Extended ACLs can be created per OLT PON module (QOIU7).
| Note: When mixing Basic and Extended ACLs on the same VLAN the total number of Basic and Extended ACLs is constrained by the 512 limit per PON module. |
ACL Mode
Each VLAN where ACL filters are enabled has a default rule known in Panorama PON as the ACL Mode. The ACL Mode is placed into the VLAN Properties table in the Switching view for the network element’s Uplinks Interface and associated VLAN and is enforced for that VLAN.
The following lists the allowed VLAN ACL Mode options and the system behavior for each default ACL Mode:
- Disable All ACLs - ACLs are not enforced on this VLAN. Any traffic for connections configured with this VLAN is allowed by default with no filtering by the system.
- Basic ACL Default Deny - Only Basic ACLs are allowed and enforced on the VLAN. Up to 8192 Basic ACLs are allowed per 4 port PON module (QOIU7). Only specific MACs or authenticated 802.1x users are allowed to ingress traffic (send traffic from the subscriber port toward the network) on the connection when they match the Basic ACL Permit Filter criteria. Use this mode if attempting to bind users to a specific connection and not allow generic access. If no Basic ACL Permit Filter(s) are placed on a connection with this VLAN, traffic is disallowed by default.
- Extended ACL Default Permit - Basic and Extended ACLs are allowed and enforced on the VLAN. Up to a total of 512 ACLs are allowed per 4-port PON module (QOIU7). Use this rule to allow open access but deny specific types of traffic to the VLAN through the explicit use of Basic or Extended Deny ACL Filter(s). If no ACL Filter(s) are placed on a connection with this VLAN, traffic is allowed by default.
- Extended ACL Default Deny - Basic and Extended ACLs are allowed and enforced on the VLAN. Up to a total of 512 ACLs are allowed per 4-port PON module (QOIU7). Use this rule to disallow generic access but permit specific types of traffic for the VLAN through the explicit use of Basic or Extended Permit ACL Filter(s). If no ACL Filter(s) are placed on a connection with this VLAN, traffic is disallowed by default.
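The mode list above (and the shorter VLAN Posture list earlier on the page) defines a small decision model: the VLAN's mode decides what happens when no filter matches, Basic filters match only the source MAC and source IP, and the Basic and Extended sections fix the capacity limits. The following Python model is an added example, not Tellabs code, that serves both of those passages. The four mode names, the per-QOIU7 limits (8192 when only Basic filters are present, 512 once any Extended filter is used) and the 8 rules per cross-connect come from the page; the filter field names, the packet dictionary layout and first-match evaluation order are this example's own assumptions.

```python
"""Added example (not Tellabs code): a model of the VLAN ACL Modes above.

Assumptions beyond the page: the field names on AclFilter, the packet
dictionary keys, and that the first matching rule on a cross-connect decides.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# The four VLAN ACL Modes named on the page
DISABLE_ALL = "disable-all"
BASIC_DEFAULT_DENY = "basic-default-deny"
EXTENDED_DEFAULT_DENY = "extended-default-deny"
EXTENDED_DEFAULT_PERMIT = "extended-default-permit"
DEFAULT_DENY_MODES = {BASIC_DEFAULT_DENY, EXTENDED_DEFAULT_DENY}

LIMIT_BASIC_ONLY = 8192   # Basic ACLs per QOIU7 when the VLAN carries Basic filters only
LIMIT_MIXED = 512         # total ACLs per QOIU7 once any Extended filter is present
MAX_RULES_PER_XCONN = 8   # ACL rules per cross-connect


def _in_net(addr: Optional[str], net: str) -> bool:
    return addr is not None and ip_address(addr) in ip_network(net)


@dataclass
class AclFilter:
    action: str                       # "permit" or "deny"
    src_mac: Optional[str] = None     # Basic filters match the source MAC ...
    src_net: Optional[str] = None     # ... and/or a source IP range or subnet
    dst_net: Optional[str] = None     # any of the fields below makes the
    protocol: Optional[str] = None    # filter Extended (assumed field set)
    dst_port: Optional[int] = None

    @property
    def extended(self) -> bool:
        return any(v is not None for v in (self.dst_net, self.protocol, self.dst_port))

    def matches(self, pkt: dict) -> bool:
        """Every configured field must match; unset fields are wildcards."""
        if self.src_mac and pkt.get("src_mac", "").lower() != self.src_mac.lower():
            return False
        if self.src_net and not _in_net(pkt.get("src_ip"), self.src_net):
            return False
        if self.dst_net and not _in_net(pkt.get("dst_ip"), self.dst_net):
            return False
        if self.protocol and pkt.get("protocol") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass
class VlanAcl:
    name: str
    mode: str
    xconns: dict = field(default_factory=dict)   # cross-connect id -> [AclFilter]

    def add_filter(self, xconn: str, flt: AclFilter) -> None:
        """Attach a filter to one cross-connect, enforcing the mode rules and limits."""
        if self.mode == DISABLE_ALL:
            raise ValueError("no ACLs are permitted on a Disable All ACLs VLAN")
        if self.mode == BASIC_DEFAULT_DENY and flt.extended:
            raise ValueError("Basic ACL Default Deny allows Basic filters only")
        rules = self.xconns.setdefault(xconn, [])
        if len(rules) >= MAX_RULES_PER_XCONN:
            raise ValueError(f"cross-connect {xconn} already has {MAX_RULES_PER_XCONN} rules")
        rules.append(flt)
        try:
            self.validate_capacity()
        except ValueError:
            rules.pop()
            raise

    def validate_capacity(self) -> int:
        """Return the per-module limit that applies; raise if it is exceeded."""
        all_rules = [f for rules in self.xconns.values() for f in rules]
        limit = LIMIT_MIXED if any(f.extended for f in all_rules) else LIMIT_BASIC_ONLY
        if len(all_rules) > limit:
            raise ValueError(f"{len(all_rules)} ACLs exceed the {limit} per-module limit")
        return limit

    def evaluate(self, xconn: str, pkt: dict) -> str:
        """Decide one ingress packet (subscriber port toward the network)."""
        if self.mode == DISABLE_ALL:
            return "permit"
        for flt in self.xconns.get(xconn, []):
            if flt.matches(pkt):
                return flt.action
        # no filter matched: the VLAN's default posture decides
        return "deny" if self.mode in DEFAULT_DENY_MODES else "permit"
```

A Basic ACL Default Deny VLAN with one permit filter binding a MAC and subnet to cross-connect xc-1 permits only frames from that MAC and subnet and denies everything else, including any cross-connect that has no filters at all; an Extended ACL Default Permit VLAN passes everything except what an explicit deny filter names, and the first Extended filter drops the module's budget from 8192 to 512.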