Skip to content
Any configuration changes made locally on the switch won't be synchronized with Sophos Central. We recommend making changes from the Sophos Central control panel instead.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/switch/help/en-us/index.html?contextId=user-guide-features-configure-access-control-IPv4-ACE

IPv4 ACE

Each IPv4 access control list (ACL) contains up to 16 individual rules called access control entries (ACEs). Each ACE is a set of parameters for specific network traffic and the switch's action when it identifies matching traffic.

To create a new ACE, go to Configure > Access control > IPv4 ACE and click Add.

To delete an ACE, click Delete for the ACE you want to delete.

To update an ACE's settings, click Edit.

You can configure the following settings:

  • ACL name: Select an ACL from the drop-down list to which you want to apply the ACE.
  • Sequence: The sequence number determines the order in which the switch processes ACEs across all ACLs on an interface. Enter a value from 1 to 2147483647, with '1' being processed first.

  • Action: Select one of the following actions to take on traffic that matches the ACE:

    • Permit: Forwards packets that match the ACL.
    • Deny: Drops packets that match the ACL.

  • Type of service: Allows you to set the Differentiated Services Field Codepoints (DSCP) value. Enter a value from 0 to 63. See Differentiated Services Field Codepoints (DSCP).

  • Destination IP address: The destination IP address for the traffic.
  • Destination netmask: The subnet mask for the Destination IP address.
  • Source IP address: The source IP address for the traffic.
  • Source netmask: The subnet mask of the Source IP address.
  • Destination port range: Select a destination port range for the traffic. See Port range.
  • Source port range: Select a source port range for the traffic. See Port range.

  • Protocol: Select one of the following options from the drop-down list:

    • Any: Matches all protocols.

    • Select from a List: Select one of the following protocols from the Protocol list:

      • IPv4:ICMP: The Internet Control Message Protocol (ICMP) allows the gateway or destination host to communicate with the source host.
      • IPinIP: IP in IP encapsulates IP packets to create tunnels between two routers. An IP in IP tunnel appears as a single interface rather than several separate interfaces.
      • TCP: Transmission Control Protocol (TCP) allows two hosts to communicate and exchange data streams. It guarantees packet delivery and ensures that packets are transmitted and received in the order they were sent.
      • EGP: Exterior Gateway Protocol (EGP) allows two neighboring gateway hosts to exchange routing information in an autonomous systems network.
      • IGP: Interior Gateway Protocol (IGP) allows the exchanging of routing information between gateways within an autonomous network.
      • UDP: User Datagram Protocol (UDP) is a communication protocol that transmits packets but does not guarantee delivery.
      • HMP: The Host Mapping Protocol (HMP) collects network information from various hosts. It monitors hosts spread over the internet and hosts in a single network.
      • RDP: Reliable Data Protocol (RDP) is similar to TCP where it guarantees packet delivery but doesn't require sequenced delivery.
      • IPv6: Matches the packet to the IPV6 protocol.
      • IPv6:Rout: Routing header for IPv6.
      • IPv6:Frag: Fragment header for IPv6.
      • RVSP: Matches the packet to the reservation protocol (RSVP).
      • IPv6:ICMP: The Internet Control Message Protocol (ICMP) allows the gateway or destination host to communicate with the source host.
      • OSPF: The Open Shortest Path First (OSPF) protocol is a link-state hierarchical interior gateway protocol (IGP) for network routing.
      • PIM: Matches the packet to Protocol Independent Multicast (PIM).
      • L2TP: Layer 2 Tunneling Protocol (L2TP) supports the creation of VPNs by ISPs.

    • Select from ID: Enter a value from 0 to 255 for Protocol ID. See Protocol Numbers.

  • ICMP: Select one of the following from the drop-down list:

    • Any: Matches all ICMP traffic.

    • Select from List: Select one of the following options from the ICMP list:

      • Echo Reply: The response a device sends after receiving an ICMP echo request.
      • Destination Unreachable: The ICMP packet couldn't reach its destination.
      • Source Quench: ICMP message sent by a router to ease network congestion in busy environments.
      • Echo Request: A message sent from one device to another to check if they can communicate and measure the time it takes.
      • Router Advertisement: A message a device sends to announce its availability as a router.
      • Router Solicitation: A message sent by a host to request router information.
      • Time Exceeded: This message indicates the ICMP packet's time to live (TTL) expired in transit.
      • Timestamp: Timestamps can be added to ICMP messages to record when they are sent.
      • Timestamp Reply: When a device receives an ICMP packet with a timestamp, it can record the timestamp and add its timestamp reply field to the ICMP packet.
      • Traceroute: Shows all routers a packet passes through on its way to its destination.

    • Select from ID: Enter a value from 0 to 255 for ICMP ID.

  • ICMP code: Enter a value from 0 to 255. See Internet Control Message Protocol (ICMP) Parameters.

  • TCP Flags: You can filter TCP traffic by whether the Urg, Ack, Psh, Rst, Syn, and Fin flags are Set or Unset. Select Don't care to ignore TCP flags.

Click Apply to save your ACE.