Connectivity Guide
• Source and destination UDP port number
For ACL TCP and UDP filters, match criteria on specific TCP or UDP ports. For ACL TCP filters, you can also match criteria on established
TCP sessions.
When creating an ACL, the sequence of the filters is important. You can assign sequence numbers to the filters as you enter them, or OS10
can assign numbers in the order you create the filters. The sequence numbers display in the show running-configuration and
show ip access-lists [in | out] command output.
Ingress and egress hot-lock ACLs allow you to append or delete rules in an existing ACL without disrupting traffic flow. Existing
entries in the content-addressable memory (CAM) shuffle to accommodate the new entries. Hot-lock ACLs are enabled by default and
support ACLs on all platforms.
NOTE: Hot-lock ACLs support ingress ACLs only.
MAC ACLs
MAC ACLs filter traffic on the header of a packet. This traffic filtering is based on:
• Source MAC packet address: a MAC address range, given as an address mask in 3x4 dotted hexadecimal notation, or any to denote that the rule matches all source addresses.
• Destination MAC packet address: a MAC address range, given as an address mask in 3x4 dotted hexadecimal notation, or any to denote that the rule matches all destination addresses.
• Packet protocol: set by the EtherType field contents and the assigned protocol number for all protocols.
• VLAN ID: set in the packet header.
• Class of service: present in the packet header.
IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs, with a limit of
one ACL per packet direction per ACL type.
Control-plane ACLs
OS10 offers control-plane ACLs to selectively restrict packets that are destined to the CPU port, thereby providing increased security.
Control-plane ACLs offer:
• An option to protect the CPU from denial of service (DoS) attacks.
• Fine-grained control to allow or block traffic going to the CPU.
Control-plane ACLs apply on the front-panel and management ports. Control-plane ACLs are one of the following types:
• IP ACL
• IPv6 ACL
• MAC ACL
NOTE: MAC ACL is applied only on packets that enter through the front-panel ports.
There is no implicit deny rule. If none of the configured conditions match, the default behavior is to permit. If you need to deny traffic that
does not match any of the configured conditions, explicitly configure a deny statement.
The control-plane ACL is mutually exclusive with the VTY ACL, the management ACL. The VTY ACL provides secure access for session connection
protocols, such as SSH or TELNET; control-plane ACLs, however, permit or deny any TCP or UDP traffic, including SSH and TELNET sessions,
from specific hosts and networks, and also filter both IPv4 and IPv6 traffic.
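The following is an added example, not OS10 code or configuration from this guide. It models the control-plane ACL evaluation described above: rules are tried in sequence-number order, the first match decides, and a packet that matches no rule is permitted because there is no implicit deny. The rule text format, the subnet 10.1.1.0/24 and the host addresses are constructed for the illustration.

```python
"""Model of OS10 control-plane ACL semantics (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (any IP protocol)
    src: str               # source prefix in CIDR notation, or "any"
    dst_port: Optional[int]  # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse a constructed rule such as 'seq 10 permit tcp 10.1.1.0/24 any eq 22'."""
    t = line.split()
    if len(t) < 6 or t[0] != "seq" or t[2] not in ("permit", "deny"):
        raise ValueError(f"bad rule: {line}")
    port = int(t[t.index("eq") + 1]) if "eq" in t else None
    return Rule(int(t[1]), t[2], t[3], t[4], port)


def matches(rule: Rule, proto: str, src_ip: str, dst_port: int) -> bool:
    """True if the packet's protocol, source address and destination port fit the rule."""
    if rule.proto not in ("ip", proto):
        return False
    if rule.src != "any" and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    return rule.dst_port is None or rule.dst_port == dst_port


def evaluate(acl: List[str], proto: str, src_ip: str, dst_port: int) -> str:
    """Return the action taken on a CPU-bound packet: first match in sequence order wins;
    with no match the default is permit, as the guide states (no implicit deny)."""
    for rule in sorted(map(parse_rule, acl), key=lambda r: r.seq):
        if matches(rule, proto, src_ip, dst_port):
            return rule.action
    return "permit"


# Constructed ACLs: the first permits SSH from a management subnet only, but because
# of the default permit it still lets SSH from any other host reach the CPU.
# The second adds the explicit deny the guide calls for.
PERMIT_ONLY = ["seq 10 permit tcp 10.1.1.0/24 any eq 22"]
WITH_EXPLICIT_DENY = PERMIT_ONLY + ["seq 20 deny tcp any any eq 22"]
```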
Configure control-plane ACL
Access Control Lists
881