An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements.
You can configure ACLs to limit network access to VMs and improve security of the services running on the VMs.
Only security administrators can configure this feature.
ACLs that are used by port profiles cannot be deleted.
To add a global ACL rule, leave the MAC address, MAC address mask, IPv4 address, subnet mask, IPv6 address, and network prefix empty.
On the top navigation bar, click Services.
From the left navigation pane, select Security > ACLs.
Click Add.
Enter a name and a description for the ACL, select the default inbound action, default outbound action, ACL type, and owner. For more information about the parameters, see "Parameters."
Specify whether the ACL is time-based. If it is, specify the time when the ACL takes effect.
Click Add to add a rule for the ACL and configure the parameters as described in "Parameters."
To change the priorities of the ACL rules, click Edit Rule Priorities, drag the rules into the desired order, and then click OK.
Click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > ACLs.
Select the target ACL and click Edit.
Configure the rules for the ACL and their priorities as described in "Parameters."
Click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > ACLs.
Select the target ACLs and click Convert to Public Policy.
In the dialog box that opens, click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > ACLs.
Select the target ACLs and click Copy.
In the dialog box that opens, configure the parameters and then click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > ACLs.
Select the target ACLs and click Delete.
In the dialog box that opens, click OK.
On the top navigation bar, click Services.
From the left navigation pane, select Security > ACLs.
Select Private, Public, or All from the Used By field to filter ACLs by owner.
On the top navigation bar, click Services.
From the left navigation pane, select Security > ACLs.
Select the target ACL and click View.
Default Inbound Action: Select the action to take on inbound packets that do not match any rules. Options include Allow and Reject.
Default Outbound Action: Select the action to take on outbound packets that do not match any rules. Options include Allow and Reject.
ACL Type: Select an ACL type. Options include IP and Layer 2.
IP—The rule matches packets based on the Layer 3 and Layer 4 information such as source IP address, destination IP address, and IP protocol.
Layer 2—The rule matches packets based on the link layer information such as source MAC address and destination MAC address.
Used By: Select the ACL owner. Options include Public and Private. A public ACL can be viewed and used by all users, and a private ACL can be viewed and used only by users in the same user group as the ACL creator.
Time Based Control: Specify whether the ACL is time-based. If it is, specify the effective time for the ACL. The rules of a non-time-based ACL are always in effect.
Direction: Select the direction of packets that the rule matches. Options include Inbound, Outbound, and Inbound, outbound.
Action: Select the action to take on packets that match the ACL rule. Options include Allow and Reject.
If you select IP for the ACL Type parameter, configure the following parameters:
Protocol: Select the protocol of packets that the rule matches. Options include ALL, ICMP, TCP, and UDP.
IP Type: Select an IP protocol version. Options include IPv4 and IPv6.
Source IP: Enter the source IP address that the rule matches.
Source Subnet Mask: Enter the source subnet mask that the rule matches.
Source Network Prefix: Enter the prefix length of the source IP address.
Source Port: Specify the source port that the rule matches.
Destination IP: Enter the destination IP address that the rule matches.
Destination Subnet Mask: Enter the destination subnet mask that the rule matches.
Destination Network Prefix: Enter the prefix length of the destination IP address.
Destination Port: Specify the destination port that the rule matches.
If you select Layer 2 for the ACL Type parameter, configure the following parameters:
Protocol: Select the protocol of packets that the rule matches. Options include ALL, ARP, RARP, IPv4, and IPv6.
Source MAC: Enter the source MAC address that the rule matches.
Source MAC Mask: Enter the source MAC mask that the rule matches. A MAC mask is in the same format as a MAC address. You can specify a MAC mask to configure the rule to match a class of MAC addresses.
Destination MAC: Enter the destination MAC address that the rule matches.
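An added illustration of how the IP-type rule parameters above combine at match time; this is example code, not the product's own implementation. It assumes that rules are checked in priority order with the first matching rule winning, that an empty field matches anything, and that an IPv4 range is given as address plus subnet mask while an IPv6 range is given as address plus prefix length; all addresses and rules are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    direction: str                  # "inbound", "outbound" or "both" ("Inbound, outbound" in the UI)
    action: str                     # "allow" or "reject"
    protocol: str = "all"           # "all", "icmp", "tcp" or "udp"
    src: Optional[str] = None       # source IP with subnet mask (IPv4) or prefix length (IPv6); None = any
    dst: Optional[str] = None       # destination IP range, same notation
    src_port: Optional[int] = None  # None = any port
    dst_port: Optional[int] = None

@dataclass
class Acl:
    rules: list                      # in priority order; assumption: first matching rule wins
    default_inbound: str = "reject"  # action for inbound packets that match no rule
    default_outbound: str = "reject" # action for outbound packets that match no rule

def _in_range(net: Optional[str], addr: str) -> bool:
    """An empty (None) field matches any address; an IPv4 range never matches an IPv6 address."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def evaluate(acl: Acl, pkt: dict) -> str:
    """pkt keys: direction, proto, src, dst, and optionally sport/dport (constructed sample packets)."""
    for r in acl.rules:
        if r.direction not in ("both", pkt["direction"]):
            continue
        if r.protocol != "all" and r.protocol != pkt["proto"]:
            continue
        if not (_in_range(r.src, pkt["src"]) and _in_range(r.dst, pkt["dst"])):
            continue
        if r.src_port is not None and r.src_port != pkt.get("sport"):
            continue
        if r.dst_port is not None and r.dst_port != pkt.get("dport"):
            continue
        return r.action
    # No rule matched: the direction-specific default action decides.
    return acl.default_inbound if pkt["direction"] == "inbound" else acl.default_outbound

def example_acl() -> Acl:
    """Constructed sample: admit HTTPS from one IPv4 subnet and DNS from one IPv6 prefix, block ICMP both ways."""
    return Acl(rules=[
        Rule("inbound", "allow", "tcp", src="10.0.1.0/255.255.255.0", dst_port=443),
        Rule("inbound", "allow", "udp", src="2001:db8::/32", dst_port=53),
        Rule("both", "reject", "icmp"),   # placed above the outbound catch-all, so it wins for ICMP
        Rule("outbound", "allow"),        # empty match fields: any other outbound packet
    ])
```

Swapping the last two rules shows why rule priority matters: outbound ICMP would then be allowed by the catch-all before the reject rule is ever consulted.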