Switches: Access control lists
Topic
This article describes how to implement MAC and IPv4-based access control lists (ACLS) on Datto switches.
Environment
- Datto Network Manager
Description
Access Control Lists (ACLs) let you set rules that tell a switch when to allow or drop a given packet based on its MAC address or IP address.
- Datto switches allow for multiple ACLs, with various rules (Access Control List Entries) within each ACL.
- The ACL name identifies each ACL. All the individual entries within the same ACL use the same ACL name.
- Up to 3000 total ACL entries are supported, with up to 256 entries per ACL.
Navigating to ACL options
1. In Datto Network Manager's Navigation menu, click Switches, then click Switch Settings from the expanded options.
2. On the Switch Settings page, click Access Control List (ACL) to expand ACL options.
Figure 2: The Switch Settings page
Creating MAC-based ACLS
1. In the MAC Based section of the Access Control List (ACL) card, click the ADD NEW button.
2. An ACL creation dialog box will appear. Enter the following information:
- New ACL Name: Enter the name of your ACL. If an existing ACL is present on the switch, you can either add an entry to that ACL or create a new one. You cannot rename an ACL once you create it.
- Sequence: The switch will process multiple entries in an ACL in order based on this number. The sequence number cannot be modified once created. The ACL must be deleted and recreated.
- Action: Specify whether to permit or deny packets associated with the MAC addresses defined in this ACL.
- Source MAC: Specify the source MAC address of the incoming packet. Choose Custom to enter a specific MAC address. To specify a wildcard, use the * symbol. Enter Any in the text field or leave the field following Custom blank to apply to all MAC addresses.
- Destination MAC: Specify the destination MAC address of the incoming packet. Choose Custom to enter a specific MAC address. To specify a wildcard, use the * symbol. Enter Any in the text field or leave the field following Custom blank to apply to all MAC addresses.
When finished, click the Create button.
Figure 4: The Create MAC ACL Entry dialog box
Creating IPv4-based ACLS
1. In the IPv4 Based section of the Access Control List (ACL) card, click the ADD NEW button.
2. An ACL creation dialog box will appear. Enter the following information:
- New ACL Name: Enter the name of your ACL. If an existing ACL is present on the switch, you can either add an entry to that ACL or create a new one. You cannot rename an ACL once you create it.
- Sequence: The switch will process multiple entries in an ACL in order based on this number. The sequence number cannot be modified once created. The ACL must be deleted and recreated.
- Action: Specify whether to permit or deny packets associated with the MAC addresses defined in this ACL.
- Protocol: Specify whether to act on TCP, UDP, or all packets associated with the IP addresses defined in this ACL.
- Action: Specify whether to permit or deny packets associated with the IP addresses defined in this ACL.
- Source IP: Specify the source IP address of the incoming packet. Choose Custom to enter a specific IP address. To specify a wildcard, use the * symbol. Enter Any in the text field or leave the field following Custom blank to apply to all IP addresses
- Destination IP: Specify the destination IP address of the incoming packet. Choose Custom to enter a specific IP address. To specify a wildcard, use the * symbol. Enter Any in the text field or leave the field following Custom blank to apply to all IP addresses.
When finished, click the Create button.
Applying ACL settings
After creating an ACL, you must apply it to the appropriate port on the switch.
1. In the Navigation menu, click Port Settings under expanded switch options.
Figure 6: Port Settings in the Navigation menu
2. Click the port to which you wish to apply the ACL, then click Security in port settings and choose your ACL from the drop-down menu. When finished, click Save Changes.