ACLs
This feature lets the user apply more restrictive access control to traffic going to a specific SPP Rule. It allows the user to reject or accept traffic from an IPv4/IPv6 Address or Address Group when that traffic matches a given Service or Service Group. This can offload a lot of burden from DDoS Mitigation by eliminating unwanted traffic.
Note 1: Any traffic that matches an SPP Rule with action Accept will be tracked and allowed, and no DDoS Mitigation mechanisms will be applied.
Note 2: If you deactivate (disable "Status" in the Global > Access Control menu) or delete a Global ACL, you will no longer be able to see drops from that ACL in the Monitor > DROPS MONITOR > Global graphs. Logs are retained.
Settings | Guidelines |
---|---|
Name | Name of ACL |
Status | Control to enable or disable ACL |
Action | Reject or Accept traffic |
IP Version | IPv4 or IPv6 |
Source Address IPv4 Type | Address IPv4 or Address IPv4 Group |
Source Address IPv4 | |
Source Address IPv6 Type | Address IPv6 or Address IPv6 Group |
Source Address IPv6 | |
Service Type | Service or Service Group |
Service | |

To configure using the CLI:

```
config ddos spp rule
  edit <spp_name>
    config acl
      edit <acl_name>
        set status { enable | disable }
        set action { reject | accept }
        set ip-version { IPv4 | IPv6 }
        set source-address4-type { addr4 | addr-grp4 }
        set source-address-v4 <IPv4 Address>
        set source-address-v4-group <IPv4 Address Group>
        set source-address6-type { addr6 | addr-grp6 }
        set source-address-v6 <IPv6 Address>
        set source-address-v6-group <IPv6 Address Group>
        set service-type { service | service-grp }
        set service-id <Service>
        set service-grp-id <Service Group>
      next
    end
  next
end
```
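
An added example, not part of the original documentation: a small Python helper that renders the CLI block above for one ACL and rejects inconsistent settings before anything is pasted into a device. It assumes that only the source and service lines matching the chosen IP version and type need to be set; the object names in the demo and the name character rule are constructed for this example.

```python
import re

# Conservative name rule assumed by this example (blocks spaces and newlines
# so a name cannot smuggle extra CLI lines into the rendered block).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")

def render_acl(spp, acl, action, ip_version, src_kind, src_name,
               svc_kind, svc_name, status="enable"):
    """Render the CLI for one SPP ACL; raise ValueError on bad settings."""
    allowed = {"status": (status, ("enable", "disable")),
               "action": (action, ("reject", "accept")),
               "ip_version": (ip_version, ("IPv4", "IPv6")),
               "src_kind": (src_kind, ("address", "group")),
               "svc_kind": (svc_kind, ("service", "group"))}
    for field, (value, choices) in allowed.items():
        if value not in choices:
            raise ValueError(f"{field} must be one of {choices}")
    for name in (spp, acl, src_name, svc_name):
        if not NAME_RE.fullmatch(name):
            raise ValueError(f"unsafe object name: {name!r}")
    fam = ip_version[-1]  # "4" or "6", selects the keyword family
    src_grp, svc_grp = src_kind == "group", svc_kind == "group"
    sets = [
        f"set status {status}",
        f"set action {action}",
        f"set ip-version {ip_version}",
        f"set source-address{fam}-type {'addr-grp' if src_grp else 'addr'}{fam}",
        f"set source-address-v{fam}{'-group' if src_grp else ''} {src_name}",
        f"set service-type {'service-grp' if svc_grp else 'service'}",
        f"set {'service-grp-id' if svc_grp else 'service-id'} {svc_name}",
    ]
    lines = ["config ddos spp rule", f"  edit {spp}",
             "    config acl", f"      edit {acl}"]
    lines += ["        " + s for s in sets]
    lines += ["      next", "    end", "  next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed names, for illustration only.
    print(render_acl("SPP-1", "block-scanners", "reject", "IPv4",
                     "group", "scanner-nets", "service", "dns-udp"))
```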