Ubiquiti EdgeSwitch ES-24-250W Administration Manual page 234

User interface for poe switches

EdgeSwitch
Administration Guide
Ubiquiti Networks, Inc.
Access Control List Configuration Fields (Continued)

Add IPv4 ACL Rule window fields – After you click Add Rule, this window opens, allowing you to add a rule to the ACL selected in the ACL Identifier field. The fields available in the window depend on the ACL Type. The following information describes the fields in this window. The Match Criteria tables that apply to IPv4 ACLs, IPv6 ACLs, and MAC ACLs are described separately.

Match Criteria (IPv4 ACLs) – Fields in this section specify the criteria used to determine whether an IP packet matches the rule.

Note: The fields described below apply to IPv4 Standard, IPv4 Extended, and IPv4 Named ACLs, except those marked with an asterisk (*), which apply to IPv4 Extended and IPv4 Named ACLs only.

Field – Description

Every – When this option is selected, all packets will match the rule and will be either permitted or denied. This option is mutually exclusive with all other match criteria: if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be cleared.

Protocol* – The IANA-assigned protocol number to match within the IP packet. You can also specify one of the following keywords: EIGRP, GRE, ICMP, IGMP, IP, IPINIP, OSPF, PIM, TCP, or UDP.

Fragments* – Configures the IP ACL rule to match on fragmented IP packets.

Source IP Address / Wildcard Mask – The source IP address and the source IP wildcard mask (in the second field) to compare to the IP address in a packet header. The wildcard mask determines which bits in the IP address are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard mask of 0.0.0.0 indicates that all of the bits are important. Wildcard masking for ACLs operates differently from a subnet mask: a wildcard mask is in essence the inverse of a subnet mask. A subnet mask has ones (1s) in the bit positions that are used for the network address and zeros (0s) in the bit positions that are not used. In contrast, a wildcard mask has zeros (0s) in the bit positions that must be checked, and a 1 in a bit position of the ACL mask indicates that the corresponding bit can be ignored. This field is required when you configure a source IP address.

Source L4 Port* – The TCP/UDP source port to match in the packet header. The Source L4 Port and Destination L4 Port are configurable only if the protocol is either TCP or UDP. Equal to, Not Equal to, Greater than, and Less than options are available.
For TCP protocol: BGP, Domain, Echo, FTP, FTP-Data, HTTP, SMTP, Telnet, WWW, POP2, or POP3.
For UDP protocol: Domain, Echo, NTP, RIP, SNMP, TFTP, Time, or WHO.

Destination IP Address / Wildcard Mask – The destination IP address and the destination IP wildcard mask (in the second field) to compare to the IP address in a packet header. The wildcard mask determines which bits in the IP address are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard mask of 0.0.0.0 indicates that all of the bits are important. Wildcard masking for ACLs operates differently from a subnet mask: a wildcard mask is in essence the inverse of a subnet mask. A subnet mask has ones (1s) in the bit positions that are used for the network address and zeros (0s) in the bit positions that are not used. In contrast, a wildcard mask has zeros (0s) in the bit positions that must be checked, and a 1 in a bit position of the ACL mask indicates that the corresponding bit can be ignored. This field is required when you configure a destination IP address.

Destination L4 Port* – The TCP/UDP destination port to match in the packet header. The Source L4 Port and Destination L4 Port are configurable only if the protocol is either TCP or UDP. Equal to, Not Equal to, Greater than, and Less than options are available.
For TCP protocol: BGP, Domain, Echo, FTP, FTP-Data, HTTP, SMTP, Telnet, WWW, POP2, or POP3.
For UDP protocol: Domain, Echo, NTP, RIP, SNMP, TFTP, Time, or WHO.

IGMP Type* – Configures the IP ACL rule to match on the specified IGMP message type. Available only if the protocol is IGMP.

ICMP Type* – Configures the IP ACL rule to match on the specified ICMP message type. Available only if the protocol is ICMP.

ICMP Code* – Configures the IP ACL rule to match on the specified ICMP message code. Available only if the protocol is ICMP.

ICMP Message* – Configures the IP ACL rule to match on the ICMP message type and code. Available only if the protocol is ICMP. Specify one of the following supported ICMP messages: Echo, Echo-Reply, Host-Redirect, Mobile-Redirect, Net-Redirect, Net-Unreachable, Redirect, Packet-Too-Big, Port-Unreachable, Source-Quench, Router-Solicitation, Router-Advertisement, Time-Exceeded, TTL-Exceeded, and Unreachable.

TCP Flags* – Configures the IP ACL rule to match on the TCP flags. Available only if the protocol is TCP. When a + flag is specified, a match occurs if the flag is set in the TCP header. When a - flag is specified, a match occurs if the flag is not set in the TCP header. When Established is specified, a match occurs if either RST or ACK bits are set in the TCP header.
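The TCP Flags semantics described above, as an added example that is not part of the Ubiquiti guide. The function names and the "+syn" / "-ack" / "established" spelling of a rule are assumptions made for illustration, and the sample segments are constructed. The check reads only the header bits of a single packet, so Established does not track connection state.

```python
# TCP header flag bits (low six bits of the flags field, RFC 9293).
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def tcp_flags_match(header_flags, spec):
    """Return True if a TCP header's flag byte satisfies every term in spec.

    spec is a list of terms (hypothetical notation): "+name" requires the
    flag to be set, "-name" requires it to be clear, and "established"
    requires RST or ACK to be set, as the field description states.
    """
    for term in spec:
        if term.lower() == "established":
            if not header_flags & (FLAG_BITS["RST"] | FLAG_BITS["ACK"]):
                return False
            continue
        sign, name = term[:1], term[1:].upper()
        if sign not in ("+", "-") or name not in FLAG_BITS:
            raise ValueError(f"unrecognised flag term: {term!r}")
        is_set = bool(header_flags & FLAG_BITS[name])
        if is_set != (sign == "+"):
            return False
    return True

# Constructed sample segments: label -> flag byte.
SAMPLES = {
    "SYN": 0x02,          # first packet of a new connection
    "SYN+ACK": 0x12,      # reply to a SYN
    "ACK": 0x10,          # mid-connection segment
    "RST": 0x04,          # reset
    "FIN+PSH+URG": 0x29,  # none of SYN, ACK or RST set
}

def evaluate(spec):
    """Apply one flag specification to every constructed sample."""
    return {label: tcp_flags_match(bits, spec) for label, bits in SAMPLES.items()}

if __name__ == "__main__":
    for spec in (["+syn", "-ack"], ["established"]):
        print(spec, evaluate(spec))
```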
Configuring Quality of Service
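The wildcard-mask comparison described for the Source and Destination IP Address / Wildcard Mask fields, as an added example that is not part of the Ubiquiti guide. The function names are hypothetical and the addresses are constructed from the documentation ranges; the last function is a review aid for spotting a subnet mask typed into the wildcard field, which would make the rule check the wrong bits.

```python
import ipaddress

def _to_int(addr):
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(packet_ip, rule_ip, wildcard):
    """True if packet_ip equals rule_ip in every bit where the wildcard is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF   # wildcard 0 bit = must be checked
    return (_to_int(packet_ip) ^ _to_int(rule_ip)) & care == 0

def netmask_to_wildcard(netmask):
    """Invert a subnet mask bit by bit to get the equivalent wildcard mask."""
    return str(ipaddress.IPv4Address(~_to_int(netmask) & 0xFFFFFFFF))

def looks_like_netmask(wildcard):
    """True if the value is leading ones then zeros, i.e. shaped like a
    subnet mask rather than a typical wildcard (which has trailing ones)."""
    value = _to_int(wildcard)
    if value in (0, 0xFFFFFFFF):             # exact-host and match-any wildcards
        return False
    inverted = ~value & 0xFFFFFFFF
    return inverted & (inverted + 1) == 0    # inverted is 0..01..1

if __name__ == "__main__":
    rule_ip = "192.0.2.0"                    # constructed rule address
    good = netmask_to_wildcard("255.255.255.0")
    print("wildcard for a /24:", good)
    for pkt in ("192.0.2.77", "198.51.100.77", "198.51.100.0"):
        print(pkt,
              "intended:", wildcard_match(pkt, rule_ip, good),
              "netmask typed as wildcard:",
              wildcard_match(pkt, rule_ip, "255.255.255.0"))
    print("flag 255.255.255.0 for review:", looks_like_netmask("255.255.255.0"))
```

With the subnet mask entered by mistake, only the last octet is compared, so the rule stops matching hosts in 192.0.2.0/24 and instead matches any address ending in .0.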