376 | Roles and Policies AOS-W 6.5.3.x | User Guide
You can apply IPv4 and IPv6 firewall policies to the same user role. See IPv6 Support on page 130 for
information about configuring IPv6 firewall policies.
Working With Access Control Lists (ACLs)
Access control lists (ACLs) are a common way of restricting certain types of traffic on a physical port. AOS-W
provides the following types of ACLs:
- Standard ACLs permit or deny traffic based on the source IP address of the packet. Standard ACLs can be
either named or numbered, with valid numbers in the range of 1-99 and 1300-1399. Standard ACLs use a
bitwise mask to specify the portion of the source IP address to be matched.
- Extended ACLs permit or deny traffic based on source or destination IP address, source or destination port
number, or IP protocol. Extended ACLs can be named or numbered, with valid numbers in the range 100-
199 and 2000-2699.
- MAC ACLs are used to filter traffic on a specific source MAC address or range of MAC addresses. Optionally,
you can mirror packets to a datapath or remote destination for troubleshooting and debugging purposes.
MAC ACLs can be either named or numbered, with valid numbers in the range of 700-799 and 1200-1299.
- Ethertype ACLs are used to filter based on the Ethertype field in the frame header. Optionally, you can
mirror packets to a datapath or remote destination for troubleshooting and debugging purposes. Ethertype
ACLs can be either named or numbered, with valid numbers in the range of 200-299. These ACLs can be
used to permit IP while blocking other non-IP protocols, such as IPX or AppleTalk.
- Service ACLs provide a generic way to restrict how protocols and services from specific hosts and subnets to
the switch are used. Rules in this ACL are applied to all traffic on the switch regardless of the ingress port
or VLAN.
- Routing ACLs forward packets to a device defined by an IPsec map, a next-hop list, a tunnel, or a tunnel
group.
- Geolocation ACLs assist in identifying the geographical location of the IP address.
- Reputation ACLs assist in blocking connectivity to IP addresses classified as malicious.
AOS-W provides both standard and extended ACLs for compatibility with router software from popular
vendors; however, firewall policies provide equivalent and greater function than standard and extended ACLs
and should be used instead.
You can apply MAC and Ethertype ACLs to a user role; however, these ACLs apply only to non-IP traffic from the
user.
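The following is an added example, not code from the AOS-W user guide or from AOS-W itself. It models how a standard ACL's bitwise source mask selects the portion of the address that must match, and how rules are evaluated in order with the first match deciding the outcome. It also sorts a numbered ACL into its type using the number ranges listed above. Two assumptions are labelled in the code: the mask is treated as a Cisco-style wildcard mask (a 0 bit must match, a 1 bit is ignored), and a packet that matches no rule is denied. The three-token rule text format and the sample rules are constructed for the example.

```python
# Added example: ordered evaluation of a standard (source-IP) ACL with a
# bitwise source mask. Constructed for illustration; it is not AOS-W code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Numbered-ACL ranges as listed in the guide, used to identify an ACL's type.
NUMBERED_ACL_RANGES = {
    "standard": [(1, 99), (1300, 1399)],
    "extended": [(100, 199), (2000, 2699)],
    "mac": [(700, 799), (1200, 1299)],
    "ethertype": [(200, 299)],
}


def acl_type_for_number(number: int) -> Optional[str]:
    """Return the ACL type a given ACL number belongs to, or None if unassigned."""
    for acl_type, ranges in NUMBERED_ACL_RANGES.items():
        if any(lo <= number <= hi for lo, hi in ranges):
            return acl_type
    return None


@dataclass(frozen=True)
class StandardRule:
    action: str      # "permit" or "deny"
    network: int     # source address the rule was written against, as a 32-bit int
    wildcard: int    # ASSUMPTION: wildcard mask, 0 bits must match, 1 bits are ignored

    @classmethod
    def parse(cls, text: str) -> "StandardRule":
        # Constructed rule format for this example: "<permit|deny> <address> <mask>"
        action, addr, mask = text.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        return cls(action,
                   int(ipaddress.IPv4Address(addr)),
                   int(ipaddress.IPv4Address(mask)))

    def matches(self, src: int) -> bool:
        # (src XOR network) isolates the bits that differ; keeping only the
        # bits the wildcard marks as significant (wildcard bit 0) tells us
        # whether any required bit differs.
        return ((src ^ self.network) & ~self.wildcard & 0xFFFFFFFF) == 0


class StandardAcl:
    def __init__(self, rule_texts: List[str]):
        self.rules = [StandardRule.parse(t) for t in rule_texts]

    def first_match(self, source_ip: str) -> Optional[int]:
        """Index of the first rule matching the source address, or None."""
        src = int(ipaddress.IPv4Address(source_ip))
        for index, rule in enumerate(self.rules):
            if rule.matches(src):
                return index
        return None

    def evaluate(self, source_ip: str) -> str:
        """Return the action applied to a packet from source_ip."""
        index = self.first_match(source_ip)
        if index is None:
            return "deny"   # ASSUMPTION: implicit deny when nothing matches
        return self.rules[index].action


# Constructed sample rules: a host-specific deny placed before the subnet
# permit so that ordering, not just the mask, decides the result.
EXAMPLE_RULES = [
    "deny 10.1.1.99 0.0.0.0",         # exactly one host (all 32 bits must match)
    "permit 10.1.1.0 0.0.0.255",      # the rest of 10.1.1.0/24
    "permit 192.168.0.0 0.0.255.255", # 192.168.0.0/16
]

if __name__ == "__main__":
    acl = StandardAcl(EXAMPLE_RULES)
    for ip in ("10.1.1.99", "10.1.1.7", "192.168.44.2", "172.16.0.1"):
        print(f"{ip:>14} -> {acl.evaluate(ip)} (rule {acl.first_match(ip)})")
```

Swapping the first two rules would let 10.1.1.99 through, which is the usual reason a more specific deny is placed ahead of a broader permit; the example makes that ordering visible through `first_match`.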
Support for Desktop Virtualization Protocols
AOS-W supports desktop virtualization protocols by providing preconfigured ACLs for Citrix and VMware
clients. You can apply these ACLs to the user-role when using the Virtual Desktop Infrastructure (VDI) clients.
This ensures that any enterprise application that uses the VDI client performs optimally with appropriate QoS.
Disable voice-aware ARM when applying the ACLs for the VDI clients, as the virtual desktop sessions may prevent
ARM scanning.
Creating a Firewall Policy
This section describes how to configure the rules that constitute a firewall policy. A firewall policy can then be
applied to a user role (until the policy is applied to a user role, it does not have any effect). Table 86 describes
required and optional parameters for a rule.