Alcatel Carrier Internetworking Solutions 6300-24 4-85, IP ACLs , access-list ip

Access Control List Commands

4-85

4

IP ACLs access-list ip

This command adds an IP access list and enters configuration mo de for standard or

extended IP ACLs. Use the no form to remove the specified ACL.

Syntax

[no] access-list ip {standard | extended} acl_name

•standard – Specifies an ACL that filters packets based on the source IP

address.

•extended – Specifies an ACL that filters packets based on the source or

destination IP address, and other more specific criteria.

•acl_name – Name of the ACL. (Maximum length: 16 characters)

Default Setting

None

Command Mode

Global Configuration

Table4-33. IP ACLs

Command Function Mode Page

access-list ip Creates an IP ACL and enters configuration mode GC 4-85

permit, deny Filters packets matching a specified source IP ad dress STD-ACL 4-86

permit, deny Filters packets meeting the specified criteria, inclu ding

source and destination IP address, TCP/UDP port number,

protocol type, and TCP control code

EXT-ACL 4-87

show ip access-list Displays the rules for configured IP ACLs PE 4-89

access-list ip

mask-precedence Changes to the mode for configuring access control mas ks GC 4-89

mask Sets a precedence mask for the ACL rules IP-Mask 4-90

show access-list ip

mask-precedence Shows the ingress or egress rule masks for IP ACLs PE 4-93

ip access-group Adds a port to an IP ACL IC 4-94

show ip access-group Shows port assignments for IP ACLs PE 4-94

map access-list ip Sets the CoS value and c orresponding output queue for

packets matching an ACL rule IC 4-95

show map access-list ip Shows CoS value mapped to an access list for an interface PE 4-96

match access-list ip Changes the 802.1p priority, IP Precedence, or DSCP

Priority of a frame matching the defined rule (i.e., also called

packet marking)

IC 4-96

show marking Displays the current configuration for packet marking PE 4-97

Contents

Main Page Page Page Contents Page Page Page Page Page Page Page Page Page Page Page Tables Page Page Page Figures Page Page Page 1-1 Chapter 1: Introduction Key Features 1-2 Description of Software Features Description of Software Features 1-3 1-4 System Defaults 1-5 System Defaults 1-6 System Defaults 1-7 Page 2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options 2-2 Required Connections 2-3 Remote Connections Basic Configuration Console Connection 2-4 Setting Passwords Setting an IP Address Manual Configuration 2-5 Dynamic Configuration 2-6 Enabling SNMP Management Access Community Strings 2-7 Trap Receivers Saving Configuration Settings 2-8 Managing System Files 3-1 Chapter 3: Configuring the Switch Using the Web Interface 3-2 Navigating the Web Browser Interface Home Page Configuration Options 3-3 Panel Display Main Menu 3-4 3-5 3-6 3-7 3-8 Basic Configuration Displaying System Information 3-9 Figure 3-5. System Information CLI Specify the hostname, location and contact information. 3-10 Displaying Switch Hardware/Software Versions 3-11 Displaying Bridge Extension Capabilities 3-12 Setting the Switchs IP Address 3-13 Manual Configuration 3-14 Using DHCP/BOOTP 3-15 Enabling Jumbo Frames Managing Firmware 3-16 Downloading System Software from a Server 3-17 Saving or Restoring Configuration Settings Downloading Configuration Settings from a Server 3-18 Console Port Settings 3-19 3-20 3-21 Telnet Settings 3-22 3-23 Configuring Event Logging System Logs 3-24 System Logs Configuration 3-25 Remote Logs Configuration 3-26 3-27 Sending Simple Mail Transfer Protocol Alerts Page 3-29 Resetting the System Setting the System Clock 3-30 Configuring SNTP 3-31 Setting the Time Zone Simple Network Management Protocol 3-32 3-33 Enabling SNMP Setting Community Access Strings 3-34 Specifying Trap Managers and Trap Types 3-35 Configuring SNMPv3 Management Access Setting an Engine ID 3-36 Configuring SNMPv3 Users 3-37 3-38 Configuring SNMPv3 Groups 3-39 3-40 Setting SNMPv3 Views 3-41 User Authentication Configuring the Logon Password 3-42 Configuring Local/Remote Logon Authentication 3-43 3-44 3-45 Configuring HTTPS 3-46 Replacing the Default Secure-site Certificate 3-47 Configuring the Secure Shell 3-48 3-49 Generating the Host Key Pair 3-50 3-51 Configuring the SSH Server 3-52 Configuring Port Security 3-53 3-54 Configuring 802.1x Port Authentication 3-55 Displaying 802.1x Global Settings 3-56 3-57 Configuring 802.1x Global Settings 3-58 Configuring Port Authorization Mode 3-59 Displaying 802.1x Statistics 3-60 Figure 3-31. 802.1X Statistics CLI This example displays the 802.1x statistics for port 4. 3-61 Access Control Lists Configuring Access Control Lists 3-62 Setting the ACL Name and Type Configuring a Standard IP ACL 3-63 Configuring an Extended IP ACL 3-64 3-65 3-66 Configuring a MAC ACL Page 3-68 Configuring ACL Masks Specifying the Mask Type 3-69 Configuring an IP ACL Mask 3-70 3-71 Configuring a MAC ACL Mask 3-72 Binding a Port to an Access Control List Filtering IP Addresses for Management Access 3-73 Filtering IP Addresses for Management Access 3-74 3-75 Port Configuration Displaying Connection Status 3-76 3-77 Configuring Interface Connections 3-78 3-79 Creating Trunk Groups 3-80 Statically Configuring a Trunk } active links statically configured 3-81 Enabling LACP on Selected Ports } } 3-82 3-83 Configuring LACP Parameters Page 3-85 Displaying LACP Port Counters You can display statistics for LACP protocol messages. Counter Information 3-86 Displaying LACP Settings and Status for the Local Side 3-87 Figure 3-48. LACP Settings - Local Side 3-88 Displaying LACP Settings and Status for the Remote Side 3-89 3-90 Setting Broadcast Storm Thresholds 3-91 Configuring Port Mirroring 3-92 Configuring Rate Limits 3-93 Showing Port Statistics 3-94 Statistical Values 3-95 3-96 Page 3-98 Alcatel Mapping Adjacency Protocol (AMAP) Configuring AMAP Alcatel Mapping Adjacency Protocol (AMAP) 3-99 Displaying AMAP Detected Devices 3-100 Address Table Settings Setting Static Addresses Address Table Settings 3-101 Displaying the Address Table 3-102 Changing the Aging Time 3-103 Spanning Tree Algorithm Configuration x x 3-104 Displaying Global Settings 3-105 3-106 3-107 Configuring Global Settings 3-108 3-109 Page 3-111 Displaying Interface Settings x x 3-112 3-113 3-114 Configuring Interface Settings 3-115 3-116 Configuring Multiple Spanning Trees 3-117 3-118 CLI This displays STA settings for instance 1, followed by settings for each port. CLI This example sets the priority for MSTI 1, and adds VLANs 1-5 to this MSTI. Displaying Interface Settings for MSTP 3-120 3-121 Configuring Interface Settings for MSTP 3-122 VLAN Configuration Overview 3-123 Assigning Ports to VLANs 3-124 3-125 Forwarding Tagged/Untagged Frames Enabling or Disabling GVRP (Global Setting) 3-126 Displaying Basic VLAN Information 3-127 Displaying Current VLANs 3-128 3-129 Creating VLANs 3-130 Adding Static Members to VLANs (VLAN Index) 3-131 3-132 Adding Static Members to VLANs (Port Index) 3-133 Configuring VLAN Behavior for Interfaces 3-134 3-135 Configuring Private VLANs x Enabling Private VLANs 3-136 Configuring Uplink and Downlink Ports Configuring Protocol-Based VLANs 3-137 Configuring Protocol Groups Mapping Protocols to VLANs 3-138 3-139 Class of Service Configuration Setting the Default Priority for Interfaces 3-140 3-141 Mapping CoS Values to Egress Queues 3-142 3-143 Selecting the Queue Mode Setting the Service Weight for Traffic Classes 3-144 3-145 Mapping Layer 3/4 Priorities to CoS Values Selecting IP Precedence/DSCP Priority 3-146 Mapping IP Precedence 3-147 Mapping DSCP Priority 3-148 3-149 Mapping IP Port Priority 3-150 Mapping CoS Values to ACLs 3-151 Changing Priorities Based on ACL Rules 3-152 3-153 Quality of Service Configuring Quality of Service Parameters 3-154 Configuring a Class Map Page 3-156 Creating QoS Policies 3-157 Page 3-159 Attaching a Policy Map to Ingress and Egress Queues 3-160 Multicast Filtering Layer 2 IGMP (Snooping and Query) 3-161 Configuring IGMP Snooping and Query Parameters 3-162 Displaying Interfaces Attached to a Multicast Router 3-163 Specifying Static Interfaces for a Multicast Router 3-164 Displaying Port Members of Multicast Services 3-165 Assigning Ports to Multicast Services 3-166 Configuring Domain Name Service 3-167 Configuring General DNS Server Parameters 3-168 3-169 Configuring Static DNS Host to Address Entries 3-170 3-171 Displaying the DNS Cache 3-172 CLI - This example displays all the resource records learned from the designated name servers. 4-1 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection 4-2 Entering Commands 4-4 Showing Commands The command show interfaces ? will display the following information: Entering Commands 4-5 Partial Keyword Lookup Negating the Effect of Commands Using Command History 4-6 Exec Commands Configuration Commands Entering Commands 4-7 Command Line Processing 4-8 Command Groups 4-9 Command Groups The system commands can be broken down into the functional groups s hown below 4-10 Line Commands line 4-11 login 4-12 password 4-13 timeout login response 4-14 exec-timeout password-thresh 4-15 silent-time 4-16 databits parity 4-17 speed stopbits 4-18 disconnect show line General Commands 4-19 General Commands enable 4-20 disable configure General Commands 4-21 show history 4-22 reload end exit 4-23 System Management Commands 4-24 Device Designation Commands prompt 4-25 hostname User Access Commands username 4-26 enable password 4-27 IP Filter Commands management 4-28 show management 4-29 Web Server Commands ip http port 4-30 ip http server ip http secure-server 4-31 ip http secure-port 4-32 Secure Shell Commands 4-33 4-34 ip ssh server 4-35 ip ssh timeout 4-36 ip ssh authentication-retries ip ssh server-key size 4-37 delete public-key ip ssh crypto host-key generate 4-38 ip ssh crypto zeroize ip ssh save host-key 4-39 show ip ssh show ssh 4-40 show public-key 4-41 Event Logging Commands logging on 4-42 logging history 4-43 logging host logging facility 4-44 logging trap clear logging 4-45 show logging 4-46 The following example displays settings for the trap function. show logging sendmail (4-49) SMTP Alert Commands 4-47 logging sendmail host logging sendmail level 4-48 logging sendmail source-email logging sendmail destination-email 4-49 logging sendmail show logging sendmail 4-50 Time Commands sntp client 4-51 sntp server 4-52 sntp poll show sntp 4-53 clock timezone calendar set 4-54 show calendar System Status Commands show startup-config 4-55 4-56 Example show running-config (4-57) 4-57 show running-config 4-58 Example show startup-config (4-54) 4-59 show system 4-60 show users show version 4-61 Frame Size Commands jumbo frame 4-62 Flash/File Commands copy Flash/File Commands 4-63 4-64 delete Flash/File Commands 4-65 dir 4-66 whichboot boot system 4-67 Authentication Commands Authentication Sequence 4-68 authentication login 4-69 authentication enable 4-70 RADIUS Client radius-server host radius-server port 4-71 radius-server key radius-server retransmit 4-72 radius-server timeout show radius-server 4-73 TACACS+ Client tacacs-server host tacacs-server port 4-74 tacacs-server key show tacacs-server 4-75 Port Security Commands port security 4-76 802.1x Port Authentication 4-77 authentication dot1x default dot1x default 4-78 dot1x max-req dot1x port-control 4-79 dot1x operation-mode dot1x re-authenticate 4-80 dot1x re-authentication dot1x timeout quiet-period dot1x timeout re-authperiod 4-81 dot1x timeout tx-period show dot1x 4-82 4-83 Access Control List Commands 4-84 4-85 IP ACLs access-list ip 4-86 permit, deny (Standard ACL) 4-87 permit, deny (Extended ACL) 4-88 4-89 show ip access-list access-list ip mask-precedence 4-90 mask (IP ACL) 4-91 4-92 4-93 show access-list ip mask-precedence 4-94 ip access-group show ip access-group 4-95 map access-list ip 4-96 show map access-list ip match access-list ip 4-97 show marking 4-98 MAC ACLs access-list mac 4-99 permit, deny (MAC ACL) 4-100 show mac access-list 4-101 access-list mac mask-precedence 4-102 mask (MAC ACL) 4-103 This example creates an Egress MAC ACL. 4-104 show access-list mac mask-precedence mac access-group 4-105 show mac access-group map access-list mac 4-106 show map access-list mac match access-list mac 4-107 ACL Information show access-list 4-108 show access-group SNMP Commands 4-109 snmp-server community 4-110 snmp-server contact snmp-server location 4-111 snmp-server host 4-112 snmp-server enable traps 4-113 show snmp 4-114 snmp-server snmp-server engine-id 4-115 show snmp engine-id snmp-server view 4-116 show snmp view 4-117 snmp-server group show snmp group 4-118 Example Table4-3. SNMP Group 4-119 snmp-server user show snmp user 4-120 DHCP Commands DHCP Client ip dhcp client-identifier DHCP Commands 4-121 ip dhcp restart client 4-122 DNS Commands ip host 4-123 clear host ip domain-name 4-124 ip domain-list 4-125 ip name-server 4-126 ip domain-lookup 4-127 show hosts show dns 4-128 show dns cache This command displays entries in the DNS cache. Command Mode Example clear dns cache Interface Commands 4-130 interface 4-131 description speed-duplex 4-132 negotiation 4-133 capabilities 4-134 flowcontrol 4-135 combo-forced-mode shutdown 4-136 switchport broadcast packet-rate 4-137 clear counters 4-138 show interfaces status 4-139 show interfaces counters 4-140 show interfaces switchport Mirror Port Commands 4-141 Mirror Port Commands port monitor 4-142 show port monitor AMAP Configuration 4-143 AMAP Configuration 4-144 amap enable amap run amap discovery timer AMAP Configuration 4-145 amap common timer show amap 4-146 Rate Limit Commands rate-limit 4-147 Link Aggregation Commands 4-148 channel-group 4-149 lacp 4-150 lacp system-priority 4-151 lacp admin-key (Ethernet Interface) 4-152 lacp admin-key (Port Channel) 4-153 lacp port-priority show lacp 4-154 Default Setting Port Channel: all Command Mode Example 4-155 4-156 Address Table Commands 4-157 Address Table Commands mac-address-table static 4-158 clear mac-address-table dynamic show mac-address-table Address Table Commands 4-159 mac-address-table aging-time 4-160 show mac-address-table aging-time Spanning Tree Commands 4-161 spanning-tree 4-162 spanning-tree mode 4-163 spanning-tree forward-time 4-164 spanning-tree hello-time spanning-tree max-age 4-165 spanning-tree priority 4-166 spanning-tree pathcost method spanning-tree transmission-limit 4-167 spanning-tree mst-configuration mst vlan 4-168 mst priority 4-169 name revision 4-170 max-hops 4-171 spanning-tree spanning-disabled spanning-tree cost 4-172 spanning-tree port-priority spanning-tree edge-port 4-173 spanning-tree portfast 4-174 spanning-tree link-type 4-175 spanning-tree mst cost 4-176 spanning-tree mst port-priority spanning-tree protocol-migration 4-177 show spanning-tree 4-178 show spanning-tree mst configuration 4-179 VLAN Commands Editing VLAN Groups 4-180 vlan database vlan 4-181 Configuring VLAN Interfaces interface vlan 4-182 switchport mode 4-183 switchport acceptable-frame-types switchport ingress-filtering 4-184 switchport native vlan 4-185 switchport allowed vlan 4-186 switchport forbidden vlan 4-187 Displaying VLAN Information show vlan Configuring Protocol-based VLANs 4-188 protocol-vlan protocol-group (Configuring Groups) 4-189 protocol-vlan protocol-group (Configuring Interfaces) 4-190 show protocol-vlan protocol-group show interfaces protocol-vlan protocol-group 4-191 Configuring Private VLANs pvlan 4-192 show pvlan GVRP and Bridge Extension Commands GVRP and Bridge Extension Commands 4-193 bridge-ext gvrp show bridge-ext 4-194 switchport gvrp show gvrp configuration GVRP and Bridge Extension Commands 4-195 garp timer 4-196 show garp timer 4-197 Priority Commands Priority Commands (Layer 2) switchport priority default 4-198 queue mode 4-199 queue bandwidth 4-200 queue cos-map 4-201 show queue mode show queue bandwidth 4-202 show queue cos-map Priority Commands (Layer 3 and 4) 4-203 map ip port (Global Configuration) map ip port (Interface Configuration) 4-204 map ip precedence (Global Configuration) map ip precedence (Interface Configuration) 4-205 map ip dscp (Global Configuration) 4-206 map ip dscp (Interface Configuration) 4-207 map access-list ip 4-208 show map ip port show map ip precedence 4-209 show map ip dscp 4-210 Example Quality of Service Commands 4-211 class-map 4-212 match 4-213 policy-map 4-214 class set 4-215 police 4-216 service-policy show class-map 4-217 show policy-map show policy-map interface 4-218 Multicast Filtering Commands IGMP Snooping Commands ip igmp snooping 4-219 ip igmp snooping vlan static 4-220 ip igmp snooping version show ip igmp snooping 4-221 show mac-address-table multicast 4-222 IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count 4-223 ip igmp snooping query-interval 4-224 ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time 4-225 Static Multicast Routing Commands ip igmp snooping vlan mrouter 4-226 show ip igmp snooping mrouter 4-227 IP Interface Commands Basic IP Configuration ip address 4-228 ip default-gateway 4-229 ip dhcp restart show ip interface 4-230 show ip redirects ping 4-231 Page A-1 Appendix A: Software Specifications Software Features Software Specifications A-2 A Management Features Standards Management Information Bases A-3 A Management Information Bases Page B-1 Appendix B: Troubleshooting Page Glossary Page Page Page Page Page Index Index-1 Numerics A B Index-2 Index H I J L Index-3 Index Q R S