Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

Access control

Access control lets you define rules to filter incoming and outgoing packets based on IPv4, IPv6, and MAC addresses. Each access control list (ACL) contains up to 16 access control entries (ACEs). You can bind ACLs to your switch's ports to control traffic in your network.

Access control list

ACLs provide basic security for network access by controlling whether packets are forwarded or blocked at the switch ports. They also provide traffic flow control, restrict contents of routing updates, and determine which types of traffic are forwarded or blocked. They can improve performance by blocking unnecessary network traffic, and they can enforce security controls by restricting access to specific network resources or protocols.

You can create a maximum of 16 ACLs each for MAC, IPv4, and IPv6.

Access control entries

ACLs are composed of Access Control Entries (ACEs). These are rules that determine traffic classifications. Each ACE defines the conditions that traffic must match. The filtering criteria vary depending on the frames being analyzed. You can create a maximum of 16 ACEs for each ACL.

The switch filters data packets according to specific content in the packet header, such as the source address, destination address, source port number, destination port number, port ranges, and more. It filters IP frames based on the protocol, TCP/UDP port number, or frame type. It also filters Layer 2 frames based on any destination MAC address for unicast, broadcast, and multicast transmissions, or based on VLAN ID or VLAN tag priority.

VLANs

You can block a total of 256 MAC addresses on a single VLAN. If a switch has more than one VLAN configured, the maximum number of MAC addresses it can block is 256 divided by the number of VLANs. For example, if a switch has four VLANs configured, the switch can block a maximum of 64 MAC addresses across all VLANs.
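
The following added example (not Sophos code) checks a planned ACL set against the limits on this page before you enter it in Sophos Central: 16 ACLs per type, 16 ACEs per ACL, and the MAC block budget for the number of VLANs. The dictionary layout, the function names, the rounding down of 256 divided by the VLAN count, and counting each MAC deny ACE as one blocked address are assumptions.

```python
import ipaddress
import re

MAX_ACLS_PER_TYPE = 16   # page limit, each for MAC, IPv4 and IPv6
MAX_ACES_PER_ACL = 16    # page limit
MAC_BLOCK_TOTAL = 256    # blockable MAC addresses with a single VLAN
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def mac_block_budget(vlan_count):
    # Assumption: 256 / VLANs rounds down (the page only shows 4 VLANs -> 64).
    return MAC_BLOCK_TOTAL // max(vlan_count, 1)

def addr_matches_type(acl_type, addr):
    """True if addr is a MAC, IPv4 or IPv6 address/prefix matching the ACL type."""
    if acl_type == "mac":
        return bool(MAC_RE.match(addr))
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return net.version == (4 if acl_type == "ipv4" else 6)

def validate_plan(acls, vlan_count):
    """Return a list of problems in a planned ACL set (hypothetical dict layout)."""
    problems, per_type, blocked = [], {"mac": 0, "ipv4": 0, "ipv6": 0}, set()
    for acl in acls:
        kind, aces = acl["type"], acl["aces"]
        if kind not in per_type:
            problems.append(f"{acl['name']}: unknown ACL type {kind!r}")
            continue
        per_type[kind] += 1
        if len(aces) > MAX_ACES_PER_ACL:
            problems.append(f"{acl['name']}: {len(aces)} ACEs, limit {MAX_ACES_PER_ACL}")
        for ace in aces:
            if not addr_matches_type(kind, ace["src"]):
                problems.append(f"{acl['name']}: {ace['src']!r} is not valid in a {kind} ACL")
            elif kind == "mac" and ace["action"] == "deny":
                blocked.add(ace["src"].lower())  # assumption: one deny ACE = one blocked MAC
    for kind, count in per_type.items():
        if count > MAX_ACLS_PER_TYPE:
            problems.append(f"{count} {kind} ACLs, limit {MAX_ACLS_PER_TYPE}")
    if len(blocked) > mac_block_budget(vlan_count):
        problems.append(f"{len(blocked)} blocked MACs, budget {mac_block_budget(vlan_count)}")
    return problems

# Constructed sample: five MAC ACLs of 16 deny entries each, plus a mistyped IPv4 ACE.
SAMPLE = [{"name": f"mac-{i}", "type": "mac", "aces": [
    {"action": "deny", "src": f"02:00:00:00:{i:02x}:{j:02x}"} for j in range(16)]} for i in range(5)]
SAMPLE.append({"name": "v4-mgmt", "type": "ipv4", "aces": [{"action": "permit", "src": "2001:db8::/32"}]})
```

With four VLANs, `validate_plan(SAMPLE, 4)` reports the 80 planned MAC blocks against a budget of 64 and flags the IPv6 prefix placed in an IPv4 ACL.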