Using ACLs
Introduction
Document Number
ENG-010471 Using ACLs
Purpose
This application note explains Access Control Lists (ACLs) and the concepts of Sticky MAC, Authorized MACs and Any MACs, and their use on the Tellabs OLT. It also explains how to combine these services, via Service profiles, to control access to the system in different ways on different ports. A list of common ACLs is also included to help with ACL creation.
Applies To
This Application Note applies to the 1150, 1134/OLT6, OLT1, OLT2, BOLT and OLT-mini Plus OLTs and ONTs.
ACL Operation
ACLs are used in the system either to Deny traffic on a default Permit (open) VLAN or to Permit traffic on a default Deny VLAN. A default Permit VLAN lets traffic flow unless it is blocked by a Deny ACL. A default Deny VLAN drops all traffic except what a Permit ACL explicitly allows.

In many installations the VLAN is set up as Default Deny, which discards all traffic, and common Permit ACLs are then used to grant access to specific traffic types.
VLAN Configuration/VLAN Posture
Each VLAN has a default posture, which defines the basic security posture of the VLAN and is indicated by the ACL Mode. The ACL Mode can be one of the following:
- Disable All ACLs - No ACLs are permitted on this VLAN and all packets are permitted to flow across the VLAN.
- Basic ACL Default Deny - By default all packets are dropped unless explicitly permitted; ACLs must be used to permit the traffic that should flow on that VLAN. Basic ACLs are limited to filtering on the source MAC and source IP address. VLANs are created in Disable All ACLs by default, so use of ACLs requires modification of the ACL Mode.
- Extended Default Deny - By default all packets on the VLAN are dropped unless explicitly permitted by an ACL. Extended ACLs can filter on many of the fields in an IP packet, but they require more resources, so fewer of them can be created. An Extended Default Deny VLAN allows either Basic ACLs or Extended ACLs.
- Extended Default Permit - By default all packets flow on the VLAN unless an ACL causes them to be denied. Both Extended and Basic ACLs are allowed in this VLAN mode.
For proper operation of the Sticky MAC, Any MAC, Authorized MAC and Static MAC ACLs discussed above, the VLAN must be set up as a default Deny VLAN. Either Extended Default Deny or Basic ACL Default Deny can be used.
EMS ACL Mode Setup
The following examples set up the profile for Common ACLs.
- Open a Panorama PON (EMS) session and click on the Switching icon button and the VLAN properties tab.
- VLANs by default are created in Disable All ACLs. Use of ACLs requires modification of the ACL Mode. Output similar to the following is displayed:
- Select Basic ACL Default Deny or one of the other ACL modes in the ACL Mode dropdown. Click on the Apply button to activate the ACL properties. Output similar to the following is displayed:
CLI ACL Mode Setup
The CLI vlan edit command can be used to modify the ACL mode of an existing VLAN within the system or the vlan create command to create a new VLAN.
Create new vlan
ESUx> vlan create name=153 <enter>
success.
ESUx> _
Edit acl-mode
ESUx> vlan edit name=153 acl-mode=basic <enter>
success.
ESUx> _
Verify vlan acl-mode
ESUx> vlan show <enter>
| VLAN Properties |
|=========|============|=========|=====|============|==========|==================================|
| VLAN    | Bridge     | Bridge  | MST | ACL        |          |                                  |
| Name    | Domain     | Type    | ID  | Mode       | DAI      | User Label (ifAlias)             |
|=========|============|=========|=====|============|==========|==================================|
| 153     | customer   | full    | cist| basic-deny | disabled |                                  |
| 2992    | customer   | full    | cist| disabled   | disabled | MGMT                             |
| 2996    | customer   | full    | cist| disabled   | disabled | CLITest                          |
|=========|============|=========|=====|============|==========|==================================|
ESUx> _
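As an added example (not Tellabs code or output from the OLT), the following script parses captured vlan show output in the table format shown above and applies the posture rules from the VLAN Configuration section: it flags VLANs whose ACL Mode is not a default Deny mode, where Sticky/Authorized/Any MAC controls would not be enforced, and reports which ACL types each mode accepts. The sample output is constructed from the page's table; the mode labels for the two Extended modes are assumed, since the page only shows "basic-deny" and "disabled".

```python
# Constructed sample of `vlan show` output, copied from the page's table.
VLAN_SHOW_OUTPUT = """\
| VLAN Properties |
|=========|============|=========|=====|============|==========|==================================|
| VLAN    | Bridge     | Bridge  | MST | ACL        |          |                                  |
| Name    | Domain     | Type    | ID  | Mode       | DAI      | User Label (ifAlias)             |
|=========|============|=========|=====|============|==========|==================================|
| 153     | customer   | full    | cist| basic-deny | disabled |                                  |
| 2992    | customer   | full    | cist| disabled   | disabled | MGMT                             |
| 2996    | customer   | full    | cist| disabled   | disabled | CLITest                          |
|=========|============|=========|=====|============|==========|==================================|
"""

# "basic-deny" and "disabled" appear on the page; "extended-deny" and
# "extended-permit" are assumed labels for the two Extended modes.
DEFAULT_DENY_MODES = {"basic-deny", "extended-deny"}  # drop unless permitted
ALLOWED_ACL_TYPES = {
    "disabled": set(),                            # Disable All ACLs
    "basic-deny": {"basic"},                      # Basic ACL Default Deny
    "extended-deny": {"basic", "extended"},       # Extended Default Deny
    "extended-permit": {"basic", "extended"},     # Extended Default Permit
}

def parse_vlan_show(text):
    """Return {vlan_name: acl_mode} from a captured `vlan show` table."""
    vlans = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Data rows start with a numeric VLAN name; title, header and
        # "=====" rule lines do not, so they are skipped.
        if len(cells) >= 5 and cells[0].isdigit():
            vlans[cells[0]] = cells[4]
    return vlans

def mac_controls_enforced(acl_mode):
    """Sticky/Authorized/Any MAC ACLs only take effect on a default-deny VLAN."""
    return acl_mode in DEFAULT_DENY_MODES

def acl_type_allowed(acl_mode, acl_type):
    """Whether a 'basic' or 'extended' ACL may be applied in this ACL Mode."""
    return acl_type in ALLOWED_ACL_TYPES.get(acl_mode, set())

def audit(text):
    """VLANs whose posture lets all traffic flow regardless of MAC-based ACLs."""
    return sorted(n for n, m in parse_vlan_show(text).items()
                  if not mac_controls_enforced(m))

if __name__ == "__main__":
    print("VLANs without default-deny posture:", audit(VLAN_SHOW_OUTPUT))
```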
Mixing Access Methods on the Same VLAN
Different areas of the network or building may have different access policies depending on where the port is located. This is accommodated by the NAC profile assigned to the port: each NAC profile can carry a different access policy, which is enforced by the Service Profile's ACL.

The example above demonstrates an architecture in which the policy/NAC profile is assigned based on location and used to enforce policy on the same VLAN. This allows a very flexible architecture that still maintains security. Note that the best policy is often to isolate users to maximize security; this example shows how a hybrid approach can simplify network configuration and routing in small networks.
ACL Configurations
Access Control Lists (ACLs) can be created and edited by either of two methods: EMS or CLI.
Basic ACL EMS Procedure
- Open a Panorama PON (EMS) session and click on the Profile icon and the ACL tab. The following screen will be displayed:

- To create a new profile, click on the Create a New Profile icon.
- To edit an existing profile, click on a Profile Name in the Profile Names window and click on the Edit a current profile icon.
- In the EMS ACL tab, click the Create a New Profile icon and enter the ACL profile name as <name>. Output similar to the following is displayed:

- Click on the Create Rule button, which allows the user to add rules to the ACL profile. This example shows the creation of a Sticky MAC rule by performing the following steps:

Step 1: Enter <i.e. Rule 1> in the Rule Name entry box
Step 2: Select <i.e. Basic ACL> from the ACL Type dropdown
Step 3: Select <i.e. Permit> from the Action dropdown
Step 4: Select <i.e. Sticky Mac> from the SourceMAC(s) dropdown
Step 5: Click on the Add button to add the Source MAC to the Source window
Step 6: Select the <i.e. Sticky Mac> entry in the Source window
Step 7: Enter <i.e. 1> in the Max MAC(s) entry box
Step 8: Click on the Save button to save the rule profile
- Click on the Apply button in the Create ACL Profile window to add the ACL profile to the Profile Name window list. This will create the ACL, but the ACL still needs to be assigned to a service profile for it to be used.

- After the Profile has been generated, the ACL status is displayed. Click on the Close button to complete the ACL profile.
