You can configure ACLs to control network access and ensure the security of applications on VMs.
An ACL consists of the following main elements:
Default actions—Include the default inbound action and the default outbound action. If a packet does not match any rule of the ACL, the default action applies.
ACL rules—Include IP rules and Layer 2 rules. You can configure multiple ACL rules for an ACL to match packets.
IP—A rule matches packets based on the Layer 3 and Layer 4 information such as source IP address, destination IP address, and IP protocol.
Layer 2—A rule matches packets based on the link layer information such as source MAC address and destination MAC address.
To apply an ACL to a VM, configure a port profile for the VM, and bind the ACL to the port profile. For more information about port profiles, see "Manage port profiles." For more information about VM network settings, see "Add a VM" or "Edit a VM."
ACLs used by port profiles cannot be deleted.
If no IP address and mask are specified in an ACL, the ACL applies to all IP addresses. Likewise, if no MAC address and mask are specified, the ACL applies to all MAC addresses.
On the top navigation bar, click System, and then select Security Management > ACLs from the navigation pane.
Click Add.
Configure the ACL parameters as described in "Parameters."
Click Add Rule.
Configure the rule parameters as described in "Parameters."
To edit the priorities of the ACL rules, click Edit Priority, drag the rules into the desired order, and then click OK.
Click OK.
On the top navigation bar, click System, and then select Security Management > ACLs from the navigation pane.
Select an ACL, and then click Edit.
Edit the ACL parameters as described in "Parameters."
Click OK.
On the top navigation bar, click System, and then select Security Management > ACLs from the navigation pane.
Select one or more ACLs, and then click Delete.
In the dialog box that opens, click OK.
Default Inbound Action: Select the action to take on inbound packets that do not match any rules. Options include Permit and Deny.
Default Outbound Action: Select the action to take on outbound packets that do not match any rules. Options include Permit and Deny.
ACL Type: Select an ACL type. Options include IP and Layer 2.
IP—The rule matches packets based on the Layer 3 and Layer 4 information such as source IP address, destination IP address, and IP protocol.
Layer 2—The rule matches packets based on the link layer information such as source MAC address and destination MAC address.
Time Range: Select whether to set the ACL as a time-based ACL. If you select Yes, specify the effective time for the ACL. If you select No, the ACL is always effective.
Effective Time: Specify the effective time for the ACL. This parameter is required if you select Yes for the Time Range parameter.
Direction: Select the direction of packets that the rule matches. Options include Inbound, Outbound, and Inbound and outbound.
Action: Select the action to take on packets that match the ACL rule. Options include Deny and Permit.
If you select IP for the ACL Type parameter, configure the following parameters:
Protocol: Select the protocol of packets that the rule matches. Options include ALL, ICMP, TCP, and UDP.
IP Type: Select the IP protocol type of packets that the rule matches. Options include IPv4 and IPv6. The IPv6 option is available only in free-trial and UIS enhanced editions.
Source IP: Enter the source IP address that the rule matches.
Source Mask: Enter the source subnet mask or source network prefix that the rule matches.
Source Start Port/Source End Port: Specify the source port range that the rule matches.
Destination IP: Enter the destination IP address that the rule matches.
Destination Mask: Enter the destination subnet mask or destination network prefix that the rule matches.
Destination Start Port/Destination End Port: Specify the destination port range that the rule matches.
If you select Layer 2 for the ACL Type parameter, configure the following parameters:
Protocol: Select the protocol of packets that the rule matches. Options include ALL, ARP, RARP, IPv4, and IPv6. The IPv6 option is available only in free-trial and UIS enhanced editions.
Source MAC: Enter the source MAC address that the rule matches.
Source MAC Mask: Enter the source MAC mask that the rule matches. A MAC mask is in the same format as a MAC address. You can specify a MAC mask to configure the rule to match a class of MAC addresses.
Destination MAC: Enter the destination MAC address that the rule matches.
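The following added example, which is not product code, models how the parameters above combine so that a rule set can be checked before it is entered in the UI: the default action applies when no rule matches, an omitted address and mask match everything, and a MAC mask selects a class of addresses. It assumes that rules are evaluated in priority order with the first match deciding, and that a MAC mask is compared bit by bit like an IP netmask (neither is stated on this page). The field names, addresses and sample packet are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

def _mac(m):
    return int(m.replace(":", "").replace("-", ""), 16)

def addr_match(kind, addr, want, mask):
    if not (want and mask):      # no address/mask on the rule: matches all
        return True
    if kind == "l2":             # assumption: only bits set in the MAC mask are compared
        return ((_mac(addr) ^ _mac(want)) & _mac(mask)) == 0
    net = ipaddress.ip_network(f"{want}/{mask}", strict=False)
    return ipaddress.ip_address(addr) in net

@dataclass
class Rule:                      # field names are this example's, not the product's
    kind: str                    # "ip" or "l2" (ACL Type)
    direction: str               # "inbound", "outbound" or "both"
    action: str                  # "permit" or "deny"
    protocol: str = "ALL"
    src: str = ""
    src_mask: str = ""
    dst: str = ""
    dst_mask: str = ""
    dports: tuple = (0, 65535)   # destination start/end port

    def matches(self, pkt):
        l2 = self.kind == "l2"
        proto = pkt["ethertype" if l2 else "proto"]
        src, dst = (pkt["src_mac"], pkt["dst_mac"]) if l2 else (pkt["src_ip"], pkt["dst_ip"])
        if self.direction not in ("both", pkt["dir"]) or self.protocol not in ("ALL", proto):
            return False
        if not l2 and proto in ("TCP", "UDP") and not self.dports[0] <= pkt["dport"] <= self.dports[1]:
            return False         # port range only narrows TCP/UDP IP rules
        return (addr_match(self.kind, src, self.src, self.src_mask)
                and addr_match(self.kind, dst, self.dst, self.dst_mask))

def evaluate(rules, defaults, pkt):
    for rule in rules:           # assumption: priority order, first match decides
        if rule.matches(pkt):
            return rule.action
    return defaults[pkt["dir"]]  # no rule matched: default action for that direction

DEFAULTS = {"inbound": "deny", "outbound": "permit"}  # all values below are constructed samples
PERMIT_NET = Rule("ip", "inbound", "permit", "TCP", "10.1.0.0", "255.255.0.0")
DENY_SSH = Rule("ip", "inbound", "deny", "TCP", "10.1.5.0", "255.255.255.0", dports=(22, 22))
DENY_OUI = Rule("l2", "both", "deny", src="00:50:56:00:00:00", src_mask="ff:ff:ff:00:00:00")
PKT = {"dir": "inbound", "proto": "TCP", "ethertype": "IPv4", "dport": 22, "src_ip": "10.1.5.9",
       "dst_ip": "10.2.0.10", "src_mac": "00:50:56:ab:cd:ef", "dst_mac": "00:0c:29:11:22:33"}
```

Under these assumptions, `evaluate([PERMIT_NET, DENY_SSH], DEFAULTS, PKT)` returns permit while the reverse order returns deny, which is the kind of shadowing to look for when arranging rules with Edit Priority.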