Ubiquiti EdgeSwitch ES-24-250W Administration Manual page 236

EdgeSwitch Administration Guide
™
Field
IP DSCP
Routing
Match Criteria (MAC ACLs) – The fields in this section specify the criteria to use to determine whether an Ethernet frame matches the
rule. The fields described below apply to MAC ACLs.
Every
CoS
Ethertype
Source MAC Address /
Mask
Destination MAC
Address / Mask
VLAN
Rule Attributes – The fields in this section provide information about the actions to take on a frame or packet that matches the rule
criteria. The attributes specify actions other than the basic Permit or Deny actions.
Assign Queue
Interface
Log
Time Range Name
Committed Rate / Burst
Size
Use the buttons to perform the following tasks:
• To add an ACL rule entry, select the ID of the ACL that will include the rule from the ACL Identifier drop-
down menu. Then, click Add Rule and configure the rule criteria and attributes (new rules cannot be
created if the maximum number of rules has been reached). Finally, click Submit to apply the changes.
• To remove the most recently configured rule for an ACL, select the ID of the appropriate ACL from the ACL
Identifier menu and click Remove Last Rule. You must confirm the action before the entry is deleted.
• Click Refresh to refresh the page with the most current data from the switch.
To retain the changes across the switch's next power cycle, click System > Configuration Storage > Save.
Ubiquiti Networks, Inc.
Access Control List Configuration Fields (Continued)
Description
The IP DSCP value in the IPv6 packet to match to the rule. The DSCP value is defined as the high-order
six bits of the Service Type octet in the IPv6 header.
IPv6 ACL rule to match on routed packets.
When this option is selected, all packets will match the rule and will be either permitted or denied.
This option is exclusive to all other match criteria – if Every is selected, no other match criteria can be
configured. To configure specific match criteria, this option must be cleared.
The 802.1p user priority value to match within the Ethernet frame.
The EtherType value to match in an Ethernet frame. Specify the number associated with the EtherType
or specify one of the following keywords: AppleTalk, ARP, IBM SNA, IPv4, IPv6, IPX, MPLS, Unicast,
NETBIOS, NOVELL, PPPoE, or RARP.
The MAC address to match to an Ethernet frame's source port MAC address. If desired, enter the MAC
mask associated with the source MAC to match. The MAC address mask specifies which bits in the
source MAC to compare against an Ethernet frame, and uses F's and 0's in a wildcard format. An F
means that the bit is not checked, and a 0 in a bit position means that the data must equal the value
given for that bit. For example, if the MAC address is aa:bb:cc:dd:ee:ff, and the mask is 00:00:ff:ff:ff:ff, all
MAC addresses with aa:bb:xx:xx:xx:xx result in a match (where x is any hexadecimal number).
The MAC address to match to an Ethernet frame's destination port MAC address. If desired, enter the
MAC Mask associated with the destination MAC to match. The MAC address mask specifies which bits
in the destination MAC to compare against an Ethernet frame. Use F's and 0's in the MAC mask, which
is in a wildcard format. An F means that the bit is not checked, and a 0 in a bit position means that the
data must equal the value given for that bit. For example, if the MAC address is aa:bb:cc:dd:ee:ff, and
the mask is 00:00:ff:ff:ff:ff, all MAC addresses with aa:bb:xx:xx:xx:xx result in a match (where x is any
hexadecimal number).
The VLAN ID to match within the Ethernet frame.
The number that identifies the hardware egress queue that will handle all packets matching this rule.
The interface to use for the action:
• Redirect Allows traffic that matches a rule to be redirected to the selected interface instead of being
processed on the original port. The redirect function and mirror function are mutually exclusive.
Mirror
• Allows traffic that matches a rule to be mirrored to a selected interface. Mirroring is similar
to the redirect function, except that in flow-based mirroring a copy of the permitted traffic is
delivered to the mirror interface while the packet itself is forwarded normally through the device.
When this option is selected, logging is enabled for this ACL rule (subject to resource availability in
the device). If the Access List Trap Flag is also enabled, this will cause periodic traps to be generated
indicating the number of times this rule went into effect during the current report interval. A fixed 5
minute report interval is used for the entire system. A trap is not issued if the ACL rule hit count is zero
for the current interval.
The name of the time range that will impose a time limitation on the ACL rule. If a time range with the
specified name does not exist, and the ACL containing this ACL rule is associated with an interface,
the ACL rule is applied immediately. If a time range with specified name exists, and the ACL containing
this ACL rule is associated with an interface, the ACL rule is applied when the specified time-range
becomes active. The ACL rule is removed when the specified time-range with becomes inactive.
The allowed transmission rate for frames on the interface (Committed Rate), and the number of bytes
allowed in a temporary traffic burst (Burst Rate).
Configuring Quality of Service
235