Accton Technology ES5508 299

Access Control List Commands 4

The order in which active ACLs are checked is as follows:

1.User-defined rules in the Egress MAC ACL for egress ports.

2.User-defined rules in the Egress IP ACL for egress ports.

3.User-defined rules in the Ingress MAC ACL for ingress ports.

4.User-defined rules in the Ingress IP ACL for ingress ports.

5.Explicit default rule (permit any any) in the ingress IP ACL for ingress ports.

6.Explicit default rule (permit any any) in the ingress MAC ACL for ingress ports.

7.If no explicit rule is matched, the implicit default is permit all.

Masks for Access Control Lists

You must specify masks that control the order in which ACL rules are checked. The switch includes two system default masks that pass/filter packets matching the permit/deny the rules specified in an ingress ACL. You can also configure up to seven user-defined masks for an ACL. A mask must be bound exclusively to one of the basic ACL types (i.e., Ingress IP ACL, Egress IP ACL, Ingress MAC ACL or Egress MAC ACL), but a mask can be bound to up to four ACLs of the same type.

Table 4-33 Access Control List Commands

Command Groups	Function	Page

IP ACLs	Configures ACLs based on IP addresses, TCP/UDP port number,	4-87
	protocol type, and TCP control code
MAC ACLs	Configures ACLs based on hardware addresses, packet format, and	4-100
	Ethernet type
ACL Information	Displays ACLs and associated rules; shows ACLs assigned to each port	4-110

IP ACLs

Table 4-34 IP ACL Commands

Command	Function	Mode	Page

access-list ip	Creates an IP ACL and enters configuration mode for	GC	4-88
	standard or extended IP ACLs
access-list ip extended	Automatically creates extra masks to support fragmented	GC	4-88
fragment-auto-mask	ACL entries
permit, deny	Filters packets matching a specified source IP address	STD-ACL	4-89

permit, deny	Filters packets meeting the specified criteria, including	EXT-ACL	4-90
	source and destination IP address, TCP/UDP port number,
	protocol type, and TCP control code
show ip access-list	Displays the rules for configured IP ACLs	PE	4-92

access-list ip	Changes to the IP Mask mode used to configure access	GC	4-92
mask-precedence	control masks
mask	Sets a precedence mask for the ACL rules	IP-Mask	4-93

show access-list ip	Shows the ingress or egress rule masks for IP ACLs	PE	4-96
mask-precedence
ip access-group	Adds a port to an IP ACL	IC	4-97

4-87

Contents

Page Page Page Page Contents Page Page Page Page Page Page Page Page Page Page Page Tables Page Page Page Figures Page Page Page Chapter 1: Introduction 1 Introduction Description of Software Features Page System Defaults System Defaults Table 1-2System Defaults (Continued) Address Table Aging Time Virtual LANs Default VLAN Chapter 2: Initial Configuration 2 Initial Configuration Page Page Page Then save your configuration changes by typing “copy The default strings are: public - with private - with To configure a community string, complete the following steps: From the Privileged Exec level global configuration mode prompt, type To save the current configuration settings, enter the following command: From the Privileged Exec mode prompt, type “copy 2.Enter the name of the start-upfile. Press <Enter Managing System Files Page Chapter 3: Configuring the Switch 3 Configuring the Switch Navigating the Web Browser Interface Table 3-1Web Page Configuration Buttons Button Action Apply Sets specified values to the system Page Page Page Page ACL CoS Priority matching an ACL rule IGMP Configuration query Multicast Router Page CLI – Specify the hostname, location and contact information Main Board •Serial Number – The serial number of the switch •Number of Ports – Number of built-inports •Hardware Version – Hardware version of the main board •Unit ID – Unit number in stack •Redundant Power Status – Displays the status of the redundant power supply Web – Click System, Switch Information Figure 3-4Switch Information CLI – Use the following command to display version information Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Figure 3-18Remote Logs Page Page Figure 3-21Resetting the System CLI – Use the reload command to restart the switch Note: When restarting the system, it will always run the Power-On Self-Test Page Page Simple Network Management Protocol Table 3-4SNMPv3 Security Models and Levels Group public private v2c Page Page •Trap UDP Port – Specifies the UDP port number used by the trap manager Enable Authentication Traps (Default: Enabled) Enable Page Page Page Page Page Page Page Table 3-5Supported Notification Messages Object Label Object ID RFC 1493 Traps newRoot Table 3-5Supported Notification Messages (Continued) Private Traps swPowerStatus ChangeTrap swFanFailureTrap Figure 3-31Configuring SNMPv3 Groups Page User Authentication Page Page Page Figure 3-34Authentication Server Settings CLI – Specify all the required parameters to enable logon authentication Page Page Page Set the Optional Parameters Enable SSH Service Challenge-Response Authentication a.The client sends its public key to the switch Page The SSH server includes basic settings for authentication •SSH Server-KeySize – Specifies the SSH server key size. (Range: 512-896bits; Default: 768) -The server key is a private key that is never shared outside the switch -The host key is shared with the SSH client, and is fixed at 1024 bits Figure 3-37SSH Server Settings Page Page Page Page Page Page Page This switch can display statistics for dot1x protocol exchanges for any port Table 3-7802.1X Statistics Rx EAPOL Start Rx EAPOL Logoff Rx EAPOL Invalid Figure 3-42802.1X Port Statistics CLI – This example displays the dot1x statistics for port Page Figure 3-43IP Filter CLI – This example restricts management access for Telnet clients Access Control Lists Page Page Page Figure 3-46ACL Configuration - Extended IP CLI – This example adds three rules: Page Page Page Page Page Page Page Figure 3-51ACL Port Binding Port Configuration Field Attributes (Web) •Port – Port number •Name – Interface label •Type – Indicates the port type. (10G) Page Page Page Figure 3-53Port - Port Configuration CLI – Select the interface, and then enter the required settings Page statically configured active links Page •Member List (Current) – Shows configured trunks (Unit, Port) Figure 3-55LACP Trunk Configuration Page Page Page Page Table 3-9LACP Internal Configuration Information Field Oper Key Current operational value of the key for the aggregation port Admin Key Figure 3-58LACP - Port Internal Information Page Page Figure 3-60Port Broadcast Control Page Page Table 3-11Port Statistics Interface Statistics Received Octets characters Received Unicast Packets Table 3-11Port Statistics (Continued) buffer space Transmit Errors errors Etherlike Statistics Received Frames Broadcast Frames Multicast Frames multicast address CRC/Alignment Errors Page Address Table Settings CLI – This example shows statistics for port Address Table Settings •Static Address Counts13 – The number of manually configured addresses •Current Static Address Table – Lists all the static addresses Interface – Port or trunk associated with the device assigned a static address •MAC Address – Physical address of a device mapped to this interface Page Page Spanning Tree Algorithm Configuration Page Page Page Global settings apply to the entire switch •Spanning Tree Protocol14 •Rapid Spanning Tree Protocol14 Page •Minimum: The higher of 4 or [(Max. Message Age / 2) + 1] •Maximum: Configuration Settings for RSTP The following attributes apply to both RSTP and MSTP: Long: Specifies Page Page Oper Link Type – The operational port.R R: Root Port A:Alternate Port D:Designated Port Page Page Page Page To use multiple spanning trees: 1.Set the spanning tree type to MSTP (STA Configuration, page 3-116) 3.Add the VLANs that will share this MSTI (MSTP VLAN Configuration) Note: All VLANs are automatically added to the IST (Instance 0) •MST Instance – Instance identifier of this spanning tree. (Default: 0) Figure 3-71MSTP VLAN Configuration Page MST Instance ID – Instance identifier to configure. (Range: 0-4094;Default: 0) Figure 3-72MSTP Port Information Page Page VLAN Configuration Assigning Ports to VLANs Page Forwarding Tagged/Untagged Frames Page Page Page Figure 3-77VLAN Static List - Creating VLANs CLI – This example creates a new VLAN •Status – Enables or disables the specified VLAN Page CLI – The following example adds tagged and untagged ports to VLAN •Interface – Port (1-8)or trunk identifier •Member – VLANs for which the selected interface is a tagged member •Non-Member– VLANs for which the selected interface is not a tagged member Figure 3-79VLAN Static Membership by Port -Ingress filtering only affects tagged frames GARP Join Timer GARP Leave Timer Page Page Page To configure protocol-basedVLANs, follow these steps: First configure VLAN groups for the protocols you want to use Create a protocol group for one or more protocols Protocol Group ID – Group identifier of this protocol group. (Range: Frame Type Page Class of Service Configuration Figure 3-85Default Port Priority CLI – This example assigns a default priority of 5 to port Page Figure 3-86Traffic Classes Page Figure 3-88Queue Scheduling Page Page Table 3-15Mapping DSCP Priority IP DSCP Value CoS Value 10, 12, 14 18, 20, 22 Figure 3-91IP DSCP Priority Page Table 3-16Egress Queue Priority Mapping You must configure an ACL mask before you can map CoS values to the rule •Name23 – Name of ACL •Type – Type of ACL (IP or MAC) CoS Priority – CoS value used for packets matching an IP ACL rule. (Range: Multicast Filtering Page Page Figure 3-95IGMP Configuration Page Page Page Page Configuring Domain Name Service •Note that if all name servers are deleted, DNS will automatically be disabled •Domain Lookup Status – Enables DNS host name-to-addresstranslation Default Domain Name Domain Name List Figure 3-100DNS General Configuration Page Page Page Page Chapter 4: Command Line Interface 4 Command Line Interface Entering Commands enable Console#show startup-config Console(config)#username admin password 0 smith The command “show interfaces ?” will display the following information: Table 4-1General Command Modes Class Exec Normal Privileged Page Page Command Groups Line Commands Page Page Page Page Page Page Page Page show ssh (4-39)show users (4-61) This command displays the terminal line’s parameters show line [console | vty] Shows all lines Normal Exec, Privileged Exec General Commands Page Page Page System Management Commands Page Page Page Page This example restricts management access to the indicated addresses show management {all-client| http-client| snmp-client| telnet-client} Page Page Page Page Page Page Page Page Page Page Page Table 4-16show ssh - display description Session The session number. (Range: 0-3) Version The Secure Shell version number Table 4-17Event Logging Commands logging on logging history severity logging host Page Page Page Page Page Page Page Page [no] logging sendmail destination-email email-address [no] logging sendmail Page Page Page Page Page Page show running-config (4-58) Page show startup-config (4-56) This command displays system information For a description of the items shown by this command, refer to Page Page Flash/File Commands •The system prompts for data required to complete the copy command The maximum number of To replace the startup configuration, you must use For information on specifying an The following example shows how to download a configuration file: This command deletes a file or image delete filename filename - Name of configuration file or code image Page Page Authentication Commands Page Page Page radius-serverport port_number no radius-serverport radius-serverkey key_string no radius-serverkey Page Page Page Page Page Page Page Page The This command forces re-authenticationon all ports or a specific interface dot1x re-authenticate[interface] •ethernet unit/port -unit - This is unit Page Page Page Page Access Control List Commands Page Page Page Page Extended ACL •All new rules are appended to the end of the list -SYN flag valid, use “control-code2 2” -Both SYN and ACK valid, use “control-code18 18” -SYN valid and ACK invalid, use “control-code2 18” Page Page Page Page This command shows the ingress or egress rule masks for IP ACLs show access-listip mask-precedence[in | out] •in – Ingress mask precedence for ingress ACLs •out – Egress mask precedence for egress ACLs Page Page Page Page Page Page MAC ACL •New rules are added to the end of the list •The ethertype option can only be used to filter Ethernet II formatted packets -0800 - IP -0806 - ARP Page •vid-bitmask – VLAN ID of rule must match this bitmask •ethertype – Check the Ethernet type field •ethertype-bitmask – Ethernet type of rule must match this bitmask MAC Mask •Up to seven masks can be assigned to an ingress or egress ACL This example creates an Egress MAC ACL This command shows the ingress or egress rule masks for MAC ACLs show access-listmac mask-precedence[in | out] mask (MAC ACL) (4-104) Page Page map access-listmac (4-108) Table 4-38ACL Information Commands show access-list Show all ACLs and associated rules show access-group Shows the ACLs assigned to each port SNMP Commands This command can be used to check the status of SNMP communications Page Page Page 6.Specify a remote engine ID where the user resides (page 4-117) 7.Then configure a remote user (page 4-122) snmp-serverenable traps (4-116) [no] snmp-serverenable traps [authentication | link-up-down] •authentication - Keyword to issue authentication failure notifications Page A remote engine ID is required when using SNMPv3 informs. (See This command shows the SNMP engine ID This example shows the default engine ID Local SNMP engineID String identifying the engine ID view-name oid-tree •view-name- Name of an SNMP view. (Range: 1-64characters) •included - Defines an included view •excluded - Defines an excluded view Page Page Page •encrypted - Accepts the password as encrypted input •auth - Uses SNMPv3 with authentication •md5 | sha - Uses MD5 or SHA authentication •priv des56 - Uses SNMPv3 with privacy with DES56 encryption Before you configure a remote user, use the This command shows information on SNMP users Table 4-43show snmp user - display description EngineId User Name Name of user connecting to the SNMP agent Interface Commands Page Page Page Page Page Shows the status for all interfaces This command displays interface statistics show interfaces counters [interface] Shows the counters for all interfaces show interfaces switchport [interface] Shows all interfaces Page Mirror Port Commands This command displays mirror information show port monitor [interface] interface - ethernet unit/port (source port) •unit - This is unit •port - Port number. (Range: 1-8) Rate Limit Commands Link Aggregation Commands Page Page Page Page Page Page Table 4-50show lacp internal - display description LACP port priority assigned to this interface within the channel group Table 4-51show lacp neighbors - display description Partner Admin Port Number Partner Oper partner Address Table Commands Table 4-53Address Table Commands dynamic Displays entries in the bridge-forwardingdatabase mac-address-table mac-address-tablestatic mac-address interface interface vlan vlan-id [action] no mac-address-tablestatic mac-address vlan vlan-id •mac-address - MAC address •vlan-id - VLAN ID (Range: 1-4094) •action Page Page Spanning Tree Commands Page Page Page Page Page Page Page Page Page Page Page Page spanning-tree edge-port (4-161) •auto - Automatically derived from the duplex mode setting •point-to-point- Point-to-pointlink •shared - Shared medium Specify a Page Page Page Page VLAN Commands Page Page shutdown (4-129) switchport mode {trunk | hybrid} no switchport mode trunk - Specifies a port as an All ports are in hybrid mode with the PVID set to VLAN switchport acceptable-frame-types (4-172) •all - The port accepts all frames, tagged or untagged •tagged - The port only receives tagged frames All frame types switchport mode (4-171) [no] switchport ingress-filtering Page switchport allowed vlan {add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan •add vlan-list - List of VLAN identifiers to add •remove vlan-list - List of VLAN identifiers to remove •All ports are assigned to VLAN 1 by default Page Page Table 4-59Private VLAN Commands pvlan Enables and configured private VLANS show pvlan Displays the configured private VLANS Page group-id frame no protocol-vlan protocol-group group-id •group-id - Group identifier of this protocol group. (Range: 1-2147483647) No protocol groups are configured Page GVRP and Bridge Extension Commands Page Page Page Priority Commands Page Page Page Page Page Page Page Page Page Page Page Multicast Filtering Commands Page The following shows how to statically configure a multicast group on a port: ip igmp snooping version {1 | 2} no ip igmp snooping version •1 - IGMP Version •2 - IGMP Version IGMP Version The following shows the current IGMP snooping configuration: This command shows known multicast addresses show mac-address-tablemulticast [vlan vlan-id][user | igmp-snooping] •user - Display only the user-configuredmulticast entries •igmp-snooping- Display only entries learned through IGMP snooping Page Page Page Page IP Interface Commands Page Page •DHCP requires the server to reassign the client’s last address if available In the following example, the device is reassigned the same address ip address (4-206) This command displays the settings for the switch’s IP interface This command shows the default gateway configured for this device ip default-gateway (4-207) This command sends ICMP echo request packets to another node on the network ping host [count count][size size] •host - IP address or IP alias of the host •count - Number of packets to send. (Range: 1-16,default: 5) DNS Commands Page Page ip domain-name (4-211) [no] ip name-server server-address1 [server-address2 … server-address6] [no] ip name-server •server-address1 - IP address of domain-nameserver ip domain-name (4-211)ip domain-lookup (4-214) [no] ip domain-lookup •At least one name server must be specified before you can enable DNS •If all name servers are deleted, DNS will automatically be disabled This example enables DNS and then displays the configuration ip domain-name (4-211)ip name-server (4-213) This command displays the static host name-to-addressmapping table This command displays the configuration of the DNS service Page Appendix A: Software Specifications A Software Specifications Management Information Bases A Page Appendix B: Troubleshooting B Troubleshooting Glossary Glossary-2 Glossary-3 Glossary-4 Glossary-5 Glossary-6 Index Index-2 Index-3 Index-4