AMX NXA-ENET24 Access Control List Commands

CLI (Command Line Interface)

209

NXA-ENET24 - Software Management Guide

Access Control List Commands

Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4

protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter

packets, first create an access list, add the required rules, specify a mask to modify the precedence in which the

rules are checked, and then bind the list to a specific port.

Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other

more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one.

A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If

no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny

rules, the packet is accepted.

There are three filtering modes:

 Standard IP ACL mode (STD-ACL) filters packets based on the source IP address.

 Extended IP ACL mode (EXT-ACL) filters packets based on source or destination IP address, as

well as protocol type and protocol port number.

If the TCP protocol is specified, then you can also filter packets based on the TCP control code.

 MAC ACL mode (MAC-ACL) filters packets based on the source or destination MAC address and

the Ethernet frame type (RFC 1060).

The following restrictions apply to ACLs:

 This switch supports ACLs for both ingress and egress filtering.

However, you can only bind one IP ACL and one MAC ACL to any port for ingress filtering, and

one IP ACL and one MAC ACL to any port for egress filtering. In other words, only four ACLs can

be bound to an interface – Ingress IP ACL, Egress IP ACL, Ingress MAC ACL and Egress MAC

ACL.

 When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules.

Otherwise, the bind operation will fail.

 Each ACL can have up to 32 rules.

 The maximum number of ACLs is also 32. However, due to resource restrictions, the average

number of rules bound the ports should not exceed 20.

 You must configure a mask for an ACL rule before you can bind it to a port or set the queue or

frame priorities associated with the rule.

 The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress

MAC ACLs. If these rules are included in ACL, and you attempt to bind the ACL to an interface for

egress checking, the bind operation will fail.

802.1x Port Authentication Commands (Cont.)

Command Function

show dot1x (Cont.) Operation mode Single-Host

Max count 5

Port-control Auto

Supplicant 00-00-e8-49-5e-dc

Current Identifier 3

Authenticator State Machine

State Authenticated

Reauth Count 0

Backend State Machine

State Idle

Request Count 0

Identifier(Server) 2

Reauthentication State Machine

State Initialize

802.1X is disabled on port 1/26

Console#