Manuals / Asante Technologies / Computer Equipment / Switch

Asante Technologies 3624/48 Access Lists, Creating an Access List, Configuring an Access List

Models: 3624/48

1 145

Download 145 pages 53.25 Kb

Page 50

6.3 Access Lists

An access list is a criteria statement that the switch uses to determine whether to allow or block traffic based on MAC addresses, IP addresses, or UDP/TCP ports. Access lists can be configured to provide basic security on your network, and to prevent unnecessary traffic between network segments. Access lists are applied to inbound traffic only.

When configuring an access list, an argument of ‘priority’ must be specified. The priority of an ACL is important, as the switch tests addresses of each packet against the criteria in access lists one by one (in the order of the priority) until it finds a match. One of the arguments in specifying the access list is the ‘mask’ that comes after a MAC address or IP address. This argument identifies which bits in the address field are to be matched. A “1” indicates that positions must match; a “0” indicates that position is ignored

The check of a match comes first for an access list with lower priority(lower value) than those with higher priority values. The last match determines whether the software accepts or rejects the address. In case of multiple matches, the match in IP mode takes precedence over that in MAC mode. Because the switch goes through the whole set of access lists to find matches, the priority of the ACL is critical.

Important! By default, if no conditions match, the switch allows the address.

The switch supports up to 256 access lists, and MAC address based access lists can not exceed 64.

An access list can be configured using the command and its arguments in configuration mode below:

access-list name acl1 ?

add	Create a new access-list
action	Specify the action of the ACL entry
clear	Clear ACL entry contents
delete	Remove the ACL entry
enable	Enable the ACL entry
disable	Disable the ACL entry
set	Set ACL entry contents

6.3.1 Creating an Access List

To create an access list, use the command below:

Command	Purpose

access-list name acl1 add priority 1	Create an access list named ‘acl_name’ with priority 1

6.3.2 Configuring an Access List

To configure an access list, use the command below:

50

Asante IntraCore IC3624/48

User’s Manual

Image 50

Asante Technologies 3624/48 user manual Access Lists, Creating an Access List, Configuring an Access List

Contents

IntraCore 3624/48 User’s Manual24/48 Port 10/100 + 2/4 Gigabit Ethernet Switch 24/48 Port 10/100 + 2/4 Gigabit Ethernet Switch User’s Manual IntraCore 3624/48Table of Contents Managing the System 5.5.1 Spanning Tree Parameters Chapter 10 CLI Commands 9.1 Main Configuration Menu9.2.3 System Time Setting Appendix A Basic Troubleshooting1.1 Features Chapter 1 IntroductionFunction 1.2 System DefaultsDefault Parameter1000BASE-T 1000BASE-SX/LX/LHIP Settings 3624 Front Panel 1.3 Package Contents1.4 Front and Back Panel Descriptions 3624 Rear PanelEthernet ports 3648 Front Panel3648 Rear Panel Mini GBIC ports1.5.1 Console Interface 1.5 Management and Configuration1.4.1 LEDs 2.1.1 Safety Overview Chapter 2 Hardware Installation and Setup2.1 Installation Overview 2.1.3 Power Requirements 2.2 Installing into an Equipment Rack2.1.2 Recommended Installation Tools 2.1.4 Environmental Requirements2.3 SFP Mini GBIC Ports 2.2.1 Equipment Rack Guidelines2.5.1 10/100/1000BaseT Ports Cabling Procedures 2.4 Connecting Power2.5 Connecting to the Network Pin Number 2.5.2 Gigabit Ethernet Ports Cabling ProceduresPair Number & Wire Colors 1000BaseLZ GBIC Cables with SC-type fiber connectors 10µ single-mode fiber media up to 120 km 393,701 Chapter 3 Initial Software Setup 3.1 Connecting to a Consolee. Press the Configuration button from the Connect To window e 3.4 Configuring an IP Address 3.2 Connecting to a PC3.3 Username and Password Switch# configuration3.5 Restoring Factory Defaults Switch# clear config Switch# saveInterface Configuration Mode Switchinterface ## Chapter 4 Understanding the Command Line Interface CLIPrivileged Top Mode Switch# 4.1 User Top User EXEC ModeCommand ? 4.2 Privileged Top Privileged EXEC Modeshow ? PurposeCOMMAND enable COMMAND enable Username admin Password Switch#Command Enters the privileged EXEC mode4.3 Global Configuration Mode 4.3.1 Interface Configuration Mode 4.4 Advanced Features Supported within the Command Mode Switch# configuration ? cr 4.5 Using CLI Command History 4.6 Using Command-Line Editing Features and Shortcuts 4.6.1 Moving Around on the Command Line4.6.2 Completing a Partial Command Name 4.6.3 Deleting Entries5.1 Managing the System Chapter 5 Managing the System and Configuration Files5.1.1 Setting the System Clock 5.1.2 Specify the Hostname 5.1.3 Enable the System Log5.1.4 Displaying the Operating Configuration 5.1.5 Test Connections with Ping Tests5.2.2 Copying Configuration Files to a Network Server 5.2 Managing Configuration Files5.2.1 Configuring from the Terminal Switch# show running-config5.2.3 Copying Configuration Files from a Network Server to the Switch 5.3.1 Saving System image to a Network Server 5.4 Configuring SNMP5.3 Managing system image Files 5.3.2 Replacing System image from a Network Server5.4.1 Configuring SNMP Support 5.5 Spanning Tree Algorithm 5.5.1 Spanning Tree ParametersPort Priority 5.5.2 Rapid Spanning Tree Protocol RSTPPriority Port Path Cost5.5.3 Configuring spanning-tree Use the following interface mode command to configure port link-type Command Asante IntraCore IC3624/48 User’s ManualAddress or Range Chapter 6 Configuring IPClass Status6.1 Establish Address Resolution 6.2.1 IGMP Overview 6.2.2 Configuring IGMP6.2 Managing IP Multicast Traffic Switchconfig# set igmp query-interval CommandConfigure the frequency at which the designated switch sends Purpose6.3.2 Configuring an Access List 6.3 Access Lists6.3.1 Creating an Access List SwitchConfig# access-list name aclmac add priority 6.3.3 Applying an Access List to an Interface 6.3.4 Enabling an Access ListChapter 7 VLAN Configuration 7.1 Creating or Modifying a VLANvlan port all ports…… 7.2.1 configuring vlan ports7.2 VLAN Port Membership Purpose 7.2.2 Trunk IEEE 802.1qCommand interface IFNUMBERAsante IntraCore IC3624/48 User’s Manual8.1 Scheduling algorithm Chapter 8 Quality of Service Configuration8.1.1 Configuring Weighted Round Robin 8.2.1 Priority Mapping 8.1.2 Monitoring Weighted Round Robin8.2 Priority Queuing 8.2.4 IP Based QOS 8.2.2 Port Based QOS8.2.3 802.1P Based QOS 8.4 Rate Limiting 8.3.1 Configuring Traffic Shaping for an Interface8.3 Traffic Shaping Enter the username and password then click the “OK” button Chapter 9 Configuring the Switch Using the GUIThe defaults are IP Address Username admin Password Asante capital A The following example shows the main Configuration Menu 9.1 Main Configuration MenuSecurity QoS SNMP LLDP Admin Statistics Help Logout System Port Management VLAN Management Spanning Tree MulticastSave the settings when done by clicking the “Save Settings” button 9.2 System9.2.1 System System Information Asante IntraCore IC3624/489.2.2 System Network management Status ClassAddress or Range User’s Manual 9.2.3 System Time SettingAsante IntraCore IC3624/48 User’s Manual 9.2.4 System - Green EthernetAsante IntraCore IC3624/48 When a port number is clicked the subscreen appears 9.3 Port Management - Port ConfigThe Port Management section displays assorted settings for each port Asante IntraCore IC3624/48Asante IntraCore IC3624/48 User’s Manual9.4 VLAN Management Asante IntraCore IC3624/48Asante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s ManualVLAN MANAGEMENT - VLAN PORT. This screen allows additional settings to be controlled on a per port basis. Here the PVID can be changed to. Changing the PVID in required to force the port to respond to a particular VLAN. Becoming a member of a VLAN is only the start. The port PVID must be changed to cause it to respond only to the desired VLAN 9.5 Spanning Tree Path cost = 1000/LAN speed in Mbps Asante IntraCore IC3624/48 MSTP. Multiple Spanning Tree Protocol can be enabled on this pageIndividual Port properties can be manipulated at this screen User’s ManualUser’s Manual MST Instance parameters can be modified on the following two screensAsante IntraCore IC3624/48 User’s Manual 9.6 MulticastAsante IntraCore IC3624/48 Asante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 9.7 Security - Port SecurityAccess control lists can be established using this screen User’s ManualUser’s Manual 802.1X can be enabled on a per port basisAsante IntraCore IC3624/48 User’s Manual TACAS+ and Storm Control are available on the next screensAsante IntraCore IC3624/48 Management IP list can be used to enter a list of IP addresses to limit the availability of switch Management User’s Manual 9.8 QoSAsante IntraCore IC3624/48 Asante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s Manual9.9 SNMP User’s Manual SNMP ContinuedAsante IntraCore IC3624/48 User’s Manual 9.10 LLDPAsante IntraCore IC3624/48 Asante IntraCore IC3624/48 User’s Manual9.11 Admin - Admin Password User’s Manual Static addresses can be added using this screenAsante IntraCore IC3624/48 Port Mirroring - To set up a mirror, identify the port to be mirrored by checking the ingress mirror, or egress mirror for the port. Next select the port to mirror the information to Asante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s ManualUser’s Manual Cable diagnostic a cable test that can be run for each portAsante IntraCore IC3624/48 Asante IntraCore IC3624/48 User’s ManualUser’s Manual 9.12 StatisticsAsante IntraCore IC3624/48 Asante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 User’s ManualAsante IntraCore IC3624/48 9.13 HelpGeneral help is available for many screens User’s ManualAsante IntraCore IC3624/48 9.14 LogoutUse this screen to logout and close the session User’s ManualAsante IntraCore IC3624/48 User’s ManualCommand Prompt COMMAND Privileged Mode Chapter 10 CLI Commands10.2 User Mode commands Command Prompt Switch# Global Config ModeFormat enable 10.3 Privileged Mode commands10.2.6 enable 10.3.2.2 clear config10.3.2.5 clear static-mcast 10.3.2.10 configuration10.3.4.1 copy nvramconfig 10.3.2.6 clear pass1 show dot1x config 2 show qos queue-settingsshow qos advanced mode 10.3.8 ping10.3.11.3 show igmp snooping 2 show dot1x radius3 show dot1x statistics 1 show igmp snooping dynamicrouterport10.3.11.7 show logging 10.3.11.13 show running-config4 show lldp msap-entry 2 show logging flash-log2show snmp users 10.3.11.14 show snmp1 show snmp groups 3 show snmp communities2 show switch age-time 10.3.11.19 show switch1 show switch admin-time 3 show switch mac-table6 Show rmon history 10.4 Global Config mode commandsShow rmon event log 7Show rmon statistics10.4.2.4 vlan port vlan port all port-configurevlan port ports port-configure 1 vlan port all10.4.6.2 lldp disable 10.4.5.2 link aggregation delport This command remove ports from LAG10.4.6 LLDP 10.4.6.1 lldp enable 10.4.6.7 lldp reinit-delay10.4.7 Log 10.4.10 mgmt-accesslist commands 10.4.10.1 mgmt-accesslist ipaddr10.4.10.2 mgmt-accesslist enable 10.4.7.1 Log log-server10.4.11.2 monitor disable 10.4.10.3 mgmt-accesslist disable10.4.11 monitor commands 10.4.11.1 monitor enable 10.4.12 dot1x commands 10.4.12.1 dot1x enable10.4.13.6 network admin-timeout 10.4.13.4 network dhcp-relay Configure switch dhcp relay functions1 network dhcp-relay mode 10.4.14 port-all commands 10.4.14.1 port-all admin-mode2 port-all portsec-lockmode static 10.4.14.4 port-all portsec-lockmode Configure port security10.4.14.3 port-all flow-control 3 port-all portsec-lockmode dynamic4 port-all storm-control broadcast-unknown 10.4.15 qos commands10.4.15.1 qos qos-advanced Configure qos advanced mode 5 port-all storm-control all-cast2 set igmp disable 10.4.16 set commands 10.4.16.1 set IGMP1 set igmp enable 3 set igmp last-memberquery10.4.17.2 snmp group 10.4.17 snmp commands 10.4.17.1 snmp notifysnmp trapstation add ip-addr community community name type bootup 1 snmp group add1 sntp localtime enable 10.4.18 sntp commands 10.4.18.1 sntp daylight10.4.18.2 sntp localtime Configure the local time 2 sntp localtime localtimedate This command sets local time3 spanning-tree forceversion none 10.4.110.2 spanning-tree configuration1 spanning-tree configuration name 10.4.110.3 spanning-tree forward-time10.4.22.2 rmon alarm 10.4.20 User commands10.4.21 Interface commands 10.4.110.8 spanning-tree mst2 access-list name WORD action permit 2 rmon del alarm10.4.23 access list commands 1 access-list name WORD clears SRC IP10.4.23.6 access-list name WORD set 5 access-list name WORD clear mac SA7access-list name WORD clear VID 3 access-list name WORD set L4port10.4.24 arp Commands access-list name WORD set l4port DST-port5 access-list name WORD set mac-mode 1 arp dynamic enables and disables10.5.1 exit command 10.5 Interface Config mode commands10.4.25 dos Commands 10.5.2 dot1x command Set 802.1x port control10.5.6.4 Configures which TLVs are enabled for transmission 10.5.6 lldp command10.5.6.3 Configure med notifications 10.5.6.1 lldp state set lldp status10.5.11 port-security command 10.5.7 admin-mode10.5.10 flow-control command flow-control enable 10.5.12 qos command10.5.17 spanning-tree command 10.5.17.1 spanning-tree cost 10.5.14.5 storm-control all-cast This command storm control limited10.5.15 rmon-counter command 10.5.14.4 storm-control broadcast-unknown10.5.17.7 spanning-tree priority 1vlan participation exclude This command leave a vlan10.5.17.6 spanning-tree participation 2 vlan participationPossible Solutions Appendix A Basic TroubleshootingProblem Performance Specifications Appendix B SpecificationsStatus Indicators Management SpecificationsPackage Content L2+ Management SpecificationsEnvironmental Specifications WarrantyC.1 FCC Compliance Statement Appendix C FCC Compliance and Warranty StatementsC.2 Important Safety Instructions C.3 IntraCore Warranty Statement Default IndexConnecting Commandhost-query monitoring configurationbandwidth 57, 58, 59