Accton Technology ES3526XA, ES3552XA IP ACLs

Access Control List Commands

4-103

4

IP ACLs

access-list ip

This command adds an IP access list and enters configuration mo de for standard or

extended IP ACLs. Use the no form to remove the specified ACL.

Syntax

[no] access-list ip {standard | extended} acl_name

•standard – Specifies an ACL that filters packets based on the source IP

address.

•extended – Specifies an ACL that filters packets based on the source or

destination IP address, and other more specific criteria.

•acl_name – Name of the ACL. (Maximum length: 16 characters)

Default Setting

None

Command Mode

Global Configuration

Table4-34 Access Control Li sts

Command Groups Function Page

IP ACLs Configures ACLs based on IP addresses, TCP/UDP port number,

protocol type, and TCP control code

4-103

MAC ACLs Configures ACLs based on hardware addresses, packet format, and

Ethernet type

4-110

ACL Information Displays ACLs and associated rules; shows ACLs assigned to each port 4-115

Table4-35 IP ACLs

Command Function Mode Page

access-list ip Creates an IP ACL and enters configuration mode GC 4-103

permit, deny Filters packets matching a sp ecified source IP address STD-ACL 4-104

permit, deny Filters packets meeting the s pecified criteria, including

source and destination IP address, TCP/UDP port number,

protocol type, and TCP control code

EXT-ACL 4-105

show ip access-list Displays the rules for configured IP ACLs PE 4-107

ip access-group Adds a port to an IP ACL IC 4-107

show ip access-group Shows port assignments for IP ACLs PE 4-107

map access-list ip Sets the CoS value and corresponding output queue for

packets matching an ACL rule

IC 4-108

show map access-list ip Shows CoS value mapped to an access list for an interface PE 4-109

Contents

Main Page Page Page Contents Page Page Page Page Page Page Page Page Page Page Page Page Page Tables Page Page Page Figures Page Page Page 1-1 Chapter 1: Introduction Key Features 1-2 Description of Software Features Description of Software Features 1-3 1-4 System Defaults 1-5 System Defaults 1-6 Page Page 2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options 2-2 Required Connections 2-3 Remote Connections Basic Configuration Console Connection 2-4 Setting Passwords Setting an IP Address Manual Configuration 2-5 Dynamic Configuration 2-6 Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) 2-7 Trap Receivers 2-8 Configuring Access for SNMP Version 3 Clients Saving Configuration Settings Managing System Files 2-9 Managing System Files Page 3-1 Chapter 3: Configuring the Switch Using the Web Interface 3-2 Navigating the Web Browser Interface Home Page Panel Display 3-3 Configuration Options Panel Display 3-4 Main Menu Main Menu 3-5 3-6 Main Menu 3-7 3-8 Page 3-10 Basic Configuration Displaying System Information 3-11 Displaying Switch Hardware/Software Versions 3-12 3-13 Displaying Bridge Extension Capabilities 3-14 Setting the Switchs IP Address Page 3-16 Using DHCP/BOOTP 3-17 DHCP Relay and Option 82 Information 3-18 3-19 Managing Firmware Page 3-21 3-22 Saving or Restoring Configuration Settings Page 3-24 Console Port Settings 3-25 3-26 Telnet Settings 3-27 3-28 Configuring Event Logging System Log Configuration 3-29 3-30 Remote Log Configuration 3-31 Displaying Log Messages 3-32 Sending Simple Mail Transfer Protocol Alerts Page 3-34 Resetting the System 3-35 Setting the System Clock Configuring SNTP 3-36 Configuring NTP 3-37 Figure 3-22 NTP Client Configuration 3-38 Setting the Time Zone Simple Network Management Protocol Simple Network Management Protocol 3-39 3-40 Enabling the SNMP Agent Setting Community Access Strings Specifying Trap Managers and Trap Types 3-41 Specifying Trap Managers and Trap Types 3-42 3-43 Configuring SNMPv3 Management Access 3-44 Setting a Local Engine ID Specifying a Remote Engine ID 3-45 Configuring SNMPv3 Users 3-46 3-47 Configuring Remote SNMPv3 Users Page 3-49 Configuring SNMPv3 Groups 3-50 Table3-5 Supported Notifi cation Messages 3-51 Table3-5 Supported Notificat ion Messages (Continued) 3-52 3-53 Setting SNMPv3 Views 3-54 User Authentication Configuring User Accounts 3-55 3-56 Configuring Local/Remote Logon Authentication 3-57 3-58 3-59 Configuring HTTPS 3-60 Replacing the Default Secure-site Certificate 3-61 Configuring the Secure Shell 3-62 3-63 Generating the Host Key Pair 3-64 3-65 Configuring the SSH Server 3-66 Configuring Port Security 3-67 3-68 Configuring 802.1X Port Authentication 3-69 Displaying 802.1X Global Settings 3-70 Configuring 802.1X Global Settings Configuring Port Settings for 802.1X 3-71 3-72 3-73 Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. 3-74 MAC Address Authentication 3-75 Configuring the MAC Authentication Reauthentication Time 3-76 Configuring MAC Authentication for Ports 3-77 Displaying Secure MAC Address Information 3-78 3-79 Configuring MAC Address Filters 3-80 Filtering Addresses for Management Access 3-81 3-82 Access Control Lists Configuring Access Control Lists 3-83 Setting the ACL Name and Type 3-84 Configuring a Standard IP ACL 3-85 Configuring an Extended IP ACL 3-86 3-87 Configuring a MAC ACL 3-88 Binding a Port to an Access Control List 3-89 Port Configuration Displaying Connection Status 3-90 3-91 Configuring Interface Connections 3-92 3-93 Creating Trunk Groups 3-94 Statically Configuring a Trunk } active links statically configured 3-95 Enabling LACP on Selected Ports } } 3-96 3-97 Configuring LACP Parameters Page 3-99 You can display statistics for LACP protocol messages. Displaying LACP Port Counters 3-100 CLI The following example displays LACP counters for port channel 1. 3-101 Displaying LACP Settings and Status for the Local Side 3-102 Figure 3-59 LACP - Port Internal Information 3-103 Displaying LACP Settings and Status for the Remote Side 3-104 3-105 Setting Broadcast Storm Thresholds 3-106 Configuring Port Mirroring 3-107 Configuring Rate Limits Rate Limit Granularity 3-108 Rate Limit Configuration 3-109 Showing Port Statistics 3-110 3-111 3-112 Page 3-114 Address Table Settings Setting Static Addresses Address Table Settings 3-115 Displaying the Address Table Page 3-117 Changing the Aging Time Spanning Tree Algorithm Configuration 3-118 x x 3-119 Displaying Global Settings Region R 3-120 3-121 3-122 This command displays global STA settings, followed by settings for each port CLI . Note: Configuring Global Settings 3-124 Page Page 3-127 Displaying Interface Settings x x 3-128 3-129 3-130 Configuring Interface Settings 3-131 3-132 Configuring Multiple Spanning Trees 3-133 3-134 Figure 3-73 MSTP VLAN Configuration CLI This displays STA settings for instance 1, followed by settings for each port. 3-135 CLI This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. 3-136 Displaying Interface Settings for MSTP 3-137 Configuring Interface Settings for MSTP 3-138 3-139 VLAN Configuration IEEE 802.1Q VLANs Assigning Ports to VLANs 3-140 3-141 Forwarding Tagged/Untagged Frames 3-142 Enabling or Disabling GVRP (Global Setting) Displaying Basic VLAN Information 3-143 Displaying Current VLANs 3-144 3-145 Creating VLANs 3-146 Figure 3-79 VLAN Static List - Creating VLANs CLI This example creates a new VLAN. 3-147 Adding Static Members to VLANs (VLAN Index) 3-148 Adding Static Members to VLANs (Port Index) 3-149 3-150 Configuring VLAN Behavior for Interfaces 3-151 3-152 Private VLANs 3-153 Displaying Current Private VLANs 3-154 Configuring Private VLANs Associating VLANs 3-155 Displaying Private VLAN Interface Information 3-156 Configuring Private VLAN Interfaces 3-157 3-158 Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces 3-159 Figure 3-88 Port Priority Configuration CLI This example assigns a default priority of 5 to port 3. 3-160 Mapping CoS Values to Egress Queues 3-161 Figure 3-89 Traffic Classes CLI The following example shows how to change the CoS assignments. 3-162 Selecting the Queue Mode 3-163 Setting the Service Weight for Traffic Classes 3-164 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values Selecting IP Precedence/DSCP Priority 3-165 Mapping IP Precedence 3-166 Mapping DSCP Priority 3-167 3-168 Mapping IP Port Priority 3-169 Mapping CoS Values to ACLs 3-170 Multicast Filtering 3-171 Layer 2 IGMP (Snooping and Query) Configuring IGMP Snooping and Query Parameters 3-172 3-173 Enabling IGMP Immediate Leave 3-174 Displaying Interfaces Attached to a Multicast Router 3-175 Specifying Static Interfaces for a Multicast Router 3-176 Displaying Port Members of Multicast Services 3-177 Assigning Ports to Multicast Services 3-178 IGMP Filtering and Throttling Enabling IGMP Filtering and Throttling 3-179 Configuring IGMP Filter Profiles 3-180 3-181 Configuring IGMP Filtering and Throttling for Interfaces 3-182 3-183 Multicast VLAN Registration 3-184 Configuring Global MVR Settings 3-185 Displaying MVR Interface Status 3-186 Displaying Port Members of Multicast Groups 3-187 Configuring MVR Interface Status 3-188 Assigning Static Multicast Groups to Interfaces 3-189 Configuring Domain Name Service Configuring General DNS Service Parameters 3-190 3-191 3-192 Configuring Static DNS Host to Address Entries 3-193 Displaying the DNS Cache 3-194 Switch Clustering Cluster Configuration Switch Clustering 3-195 Cluster Member Configuration 3-196 Cluster Member Information Switch Clustering 3-197 Cluster Candidate Information Page 4-1 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection 4-2 4-3 Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands The command show interfaces ? will display the following information: 4-5 Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes 4-6 Exec Commands 4-7 Configuration Commands 4-8 Command Line Processing Command Groups 4-9 Command Groups The system commands can be broken down into the functional groups show n below Page 4-11 Line Commands line 4-12 login 4-13 password 4-14 timeout login response exec-timeout 4-15 password-thresh 4-16 silent-time databits 4-17 parity 4-18 speed stopbits 4-19 disconnect show line 4-20 General Commands enable General Commands 4-21 disable 4-22 configure show history General Commands 4-23 reload end 4-24 exit quit 4-25 System Management Commands Device Designation Commands prompt 4-26 hostname User Access Commands 4-27 username 4-28 enable password 4-29 IP Filter Commands management 4-30 show management 4-31 Web Server Commands ip http port ip http server 4-32 ip http secure-server 4-33 ip http secure-port 4-34 Telnet Server Commands ip telnet port ip telnet server 4-35 Secure Shell Commands 4-36 4-37 ip ssh server 4-38 ip ssh timeout ip ssh authentication-retries 4-39 ip ssh server-key size delete public-key 4-40 ip ssh crypto host-key generate ip ssh crypto zeroize 4-41 ip ssh save host-key show ip ssh 4-42 Example show ssh This command displays the current SSH server connections. Command Mode 4-43 show public-key 4-44 Event Logging Commands logging on 4-45 logging history 4-46 logging host logging facility 4-47 logging trap clear logging 4-48 show logging 4-49 show log 4-50 SMTP Alert Commands logging sendmail host 4-51 logging sendmail level 4-52 logging sendmail source-email logging sendmail destination-email 4-53 logging sendmail show logging sendmail 4-54 Time Commands sntp client 4-55 sntp server 4-56 sntp poll show sntp 4-57 ntp client ntp server 4-58 ntp poll 4-59 ntp authenticate ntp authentication-key 4-60 show ntp 4-61 clock timezone 4-62 calendar set show calendar 4-63 System Status Commands show startup-config 4-64 Example Related Commands show running-config (4-65) 4-65 show running-config 4-66 Example Related Commands show startup-config (4-63) 4-67 show system show users 4-68 show version 4-69 Frame Size Commands jumbo frame 4-70 Flash/File Commands copy 4-71 4-72 The following example shows how to copy the running configuration to a startup file. The following example shows how to download a configuration file: 4-73 delete dir 4-74 whichboot 4-75 boot system 4-76 Authentication Commands Authentication Sequence authentication login 4-77 authentication enable 4-78 RADIUS Client radius-server host 4-79 radius-server port radius-server key 4-80 radius-server retransmit radius-server timeout 4-81 show radius-server TACACS+ Client 4-82 tacacs-server host tacacs-server port tacacs-server key 4-83 show tacacs-server 4-84 Port Security Commands port security 4-85 802.1X Port Authentication 4-86 dot1x system-auth-control dot1x default 4-87 dot1x max-req dot1x port-control 4-88 dot1x operation-mode dot1x re-authenticate 4-89 dot1x re-authentication dot1x timeout quiet-period 4-90 dot1x timeout re-authperiod dot1x timeout tx-period show dot1x 4-91 4-92 4-93 4-94 Network Access network-access mode 4-95 network-access max-mac-count 4-96 network-access mac-filter 4-97 network-access port-mac-filter network-access dynamic-vlan 4-98 mac-authentication reauth-time 4-99 clear network-access show network-access 4-100 show network-access mac-filter show network-access mac-address-table 4-101 4-102 Access Control List Commands 4-103 IP ACLs access-list ip 4-104 permit, deny (Standard ACL) 4-105 permit, deny (Extended ACL) 4-106 4-107 show ip access-list ip access-group 4-108 show ip access-group map access-list ip 4-109 show map access-list ip 4-110 MAC ACLs access-list mac 4-111 permit, deny (MAC ACL) 4-112 show mac access-list mac access-group 4-113 show mac access-group map access-list mac 4-114 show map access-list mac 4-115 ACL Information show access-list show access-group 4-116 SNMP Commands 4-117 snmp-server show snmp 4-118 snmp-server community 4-119 snmp-server contact snmp-server location 4-120 snmp-server host 4-121 4-122 snmp-server enable traps 4-123 snmp-server engine-id 4-124 show snmp engine-id 4-125 snmp-server view 4-126 show snmp view snmp-server group 4-127 show snmp group 4-128 snmp-server user 4-129 4-130 show snmp user This command shows information on SNMP users. Command Mode Example Table4-44 show snmp user - display description 4-131 Interface Commands interface 4-132 description speed-duplex 4-133 negotiation 4-134 capabilities 4-135 flowcontrol 4-136 shutdown 4-137 switchport broadcast packet-rate clear counters 4-138 show interfaces status 4-139 show interfaces counters 4-140 show interfaces switchport 4-141 Example This example shows the configuration setting for port 24. 4-142 Mirror Port Commands port monitor Mirror Port Commands 4-143 show port monitor 4-144 Rate Limit Commands rate-limit Rate Limit Commands 4-145 rate-limit granularity show rate-limit 4-146 Link Aggregation Commands 4-147 channel-group 4-148 lacp 4-149 lacp system-priority 4-150 lacp admin-key (Ethernet Interface) 4-151 lacp admin-key (Port Channel) 4-152 lacp port-priority show lacp 4-153 Default Setting Port Channel: all Command Mode Example 4-154 4-155 4-156 Address Table Commands Address Table Commands 4-157 mac-address-table static 4-158 clear mac-address-table dynamic show mac-address-table Address Table Commands 4-159 mac-address-table aging-time show mac-address-table aging-time 4-160 Spanning Tree Commands 4-161 spanning-tree spanning-tree mode 4-162 spanning-tree forward-time 4-163 spanning-tree hello-time 4-164 spanning-tree max-age spanning-tree priority 4-165 spanning-tree pathcost method 4-166 spanning-tree transmission-limit spanning-tree mst-configuration 4-167 mst vlan 4-168 mst priority name 4-169 revision max-hops 4-170 spanning-tree spanning-disabled spanning-tree cost 4-171 spanning-tree port-priority 4-172 spanning-tree edge-port 4-173 spanning-tree portfast spanning-tree link-type 4-174 spanning-tree mst cost 4-175 spanning-tree mst port-priority 4-176 spanning-tree protocol-migration show spanning-tree 4-177 4-178 show spanning-tree mst configuration This command shows the configuration of the multiple spanning tree. Command Mode 4-179 VLAN Commands Editing VLAN Groups vlan database 4-180 vlan 4-181 Configuring VLAN Interfaces interface vlan 4-182 switchport mode switchport acceptable-frame-types 4-183 switchport ingress-filtering 4-184 switchport native vlan 4-185 switchport allowed vlan 4-186 switchport forbidden vlan Displaying VLAN Information 4-187 show vlan 4-188 Configuring Private VLANs 4-189 private-vlan 4-190 private vlan association 4-191 switchport mode private-vlan switchport private-vlan host-association 4-192 switchport private-vlan isolated 4-193 switchport private-vlan mapping show vlan private-vlan 4-194 GVRP and Bridge Extension Commands bridge-ext gvrp GVRP and Bridge Extension Commands 4-195 show bridge-ext switchport gvrp 4-196 show gvrp configuration garp timer GVRP and Bridge Extension Commands 4-197 show garp timer 4-198 Priority Commands Priority Commands (Layer 2) 4-199 queue mode switchport priority default 4-200 queue bandwidth 4-201 queue cos-map 4-202 show queue mode show queue bandwidth 4-203 show queue cos-map 4-204 Priority Commands (Layer 3 and 4) map ip port (Global Configuration) 4-205 map ip port (Interface Configuration) map ip precedence (Global Configuration) 4-206 map ip precedence (Interface Configuration) 4-207 map ip dscp (Global Configuration) map ip dscp (Interface Configuration) 4-208 show map ip port 4-209 show map ip precedence 4-210 show map ip dscp 4-211 Multicast Filtering Commands IGMP Snooping Commands 4-212 ip igmp snooping ip igmp snooping vlan static 4-213 ip igmp snooping version ip igmp snooping immediate-leave 4-214 show ip igmp snooping show mac-address-table multicast 4-215 4-216 IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count 4-217 ip igmp snooping query-interval 4-218 ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time 4-219 Static Multicast Routing Commands ip igmp snooping vlan mrouter 4-220 show ip igmp snooping mrouter 4-221 IGMP Filtering and Throttling Commands ip igmp filter (Global Configuration) 4-222 ip igmp profile permit, deny 4-223 range ip igmp filter (Interface Configuration) 4-224 ip igmp max-groups 4-225 ip igmp max-groups action show ip igmp filter 4-226 show ip igmp profile show ip igmp throttle interface 4-227 Multicast VLAN Registration Commands 4-228 mvr (Global Configuration) 4-229 mvr (Interface Configuration) 4-230 show mvr 4-231 4-232 Domain Name Service Commands 4-233 ip host clear host 4-234 ip domain-name 4-235 ip domain-list 4-236 ip name-server ip domain-lookup 4-237 show hosts 4-238 show dns Example This command displays the configuration of the DNS service. Command Mode show dns cache This command displays entries in the DNS cache. Command Mode clear dns cache 4-240 DHCP Commands ip dhcp relay information option DHCP Commands 4-241 ip dhcp relay information policy ip dhcp relay server 4-242 show ip dhcp-relay 4-243 IP Interface Commands ip address 4-244 ip default-gateway 4-245 ip dhcp restart show ip interface 4-246 show ip redirects ping 4-247 4-248 Switch Cluster Commands cluster Switch Cluster Commands 4-249 cluster commander cluster ip-pool 4-250 cluster member rcommand Switch Cluster Commands 4-251 show cluster show cluster members 4-252 show cluster candidates A-1 Appendix A: Software Specifications Software Features Software Specifications A-2 A Management Features Standards Management Information Bases A-3 A Management Information Bases Page B-1 Appendix B: Troubleshooting Problems Accessing the Management Interface TableB-1 Troubleshooting Chart Troubleshooting B-2 B Using System Logs Glossary Page Page Page Page Page Index Index-1 Numerics A B Index-2 G H I J Index-3 Q R S Index-4 T U V W