Access Lists, Creating an Access List | Asante Technologies 3624/48

6.3 Access Lists

An access list is a criteria statement that the switch uses to determine whether to allow or block traffic based on MAC addresses, IP addresses, or UDP/TCP ports. Access lists can be configured to provide basic security on your network, and to prevent unnecessary traffic between network segments. Access lists are applied to inbound traffic only.

When configuring an access list, an argument of ‘priority’ must be specified. The priority of an ACL is important, as the switch tests addresses of each packet against the criteria in access lists one by one (in the order of the priority) until it finds a match. One of the arguments in specifying the access list is the ‘mask’ that comes after a MAC address or IP address. This argument identifies which bits in the address field are to be matched. A “1” indicates that positions must match; a “0” indicates that position is ignored

The check of a match comes first for an access list with lower priority(lower value) than those with higher priority values. The last match determines whether the software accepts or rejects the address. In case of multiple matches, the match in IP mode takes precedence over that in MAC mode. Because the switch goes through the whole set of access lists to find matches, the priority of the ACL is critical.

Important! By default, if no conditions match, the switch allows the address.

The switch supports up to 256 access lists, and MAC address based access lists can not exceed 64.

An access list can be configured using the command and its arguments in configuration mode below:

access-list name acl1 ?

add	Create a new access-list
action	Specify the action of the ACL entry
clear	Clear ACL entry contents
delete	Remove the ACL entry
enable	Enable the ACL entry
disable	Disable the ACL entry
set	Set ACL entry contents

6.3.1 Creating an Access List

To create an access list, use the command below:

Command	Purpose

access-list name acl1 add priority 1	Create an access list named ‘acl_name’ with priority 1

6.3.2 Configuring an Access List

To configure an access list, use the command below:

50

Asante IntraCore IC3624/48

User’s Manual

Image 50

Asante Technologies 3624/48 user manual Access Lists, Creating an Access List, Configuring an Access List

Contents

IntraCore 3624/48 User’s Manual24/48 Port 10/100 + 2/4 Gigabit Ethernet Switch 24/48 Port 10/100 + 2/4 Gigabit Ethernet Switch User’s Manual IntraCore 3624/48 Table of Contents Managing the System 5.5.1 Spanning Tree Parameters Chapter 10 CLI Commands 9.1 Main Configuration Menu9.2.3 System Time Setting Appendix A Basic Troubleshooting 1.1 Features Chapter 1 Introduction Function 1.2 System DefaultsDefault Parameter 1000BASE-T 1000BASE-SX/LX/LH IP Settings 3624 Front Panel 1.3 Package Contents1.4 Front and Back Panel Descriptions 3624 Rear Panel 3648 Front Panel 3648 Rear Panel 1.5.1 Console Interface 1.5 Management and Configuration1.4.1 LEDs 2.1.1 Safety Overview Chapter 2 Hardware Installation and Setup2.1 Installation Overview 2.1.3 Power Requirements 2.2 Installing into an Equipment Rack2.1.2 Recommended Installation Tools 2.1.4 Environmental Requirements 2.3 SFP Mini GBIC Ports 2.2.1 Equipment Rack Guidelines 2.5.1 10/100/1000BaseT Ports Cabling Procedures 2.4 Connecting Power2.5 Connecting to the Network Pin Number 2.5.2 Gigabit Ethernet Ports Cabling ProceduresPair Number & Wire Colors 1000BaseLZ GBIC Cables with SC-type fiber connectors 10µ single-mode fiber media up to 120 km 393,701 Chapter 3 Initial Software Setup 3.1 Connecting to a Console e. Press the Configuration button from the Connect To window e 3.4 Configuring an IP Address 3.2 Connecting to a PC3.3 Username and Password Switch# configuration 3.5 Restoring Factory Defaults Switch# clear config Switch# save Interface Configuration Mode Switchinterface ## Chapter 4 Understanding the Command Line Interface CLIPrivileged Top Mode Switch# 4.1 User Top User EXEC Mode Command ? show ?4.2 Privileged Top Privileged EXEC Mode Purpose COMMAND enable COMMAND enable Username admin Password Switch#Command Switch# ? 4.3 Global Configuration Mode 4.3.1 Interface Configuration Mode 4.4 Advanced Features Supported within the Command Mode Switch# configuration ? cr 4.5 Using CLI Command History 4.6 Using Command-Line Editing Features and Shortcuts 4.6.1 Moving Around on the Command Line 4.6.2 Completing a Partial Command Name 4.6.3 Deleting Entries 5.1 Managing the System Chapter 5 Managing the System and Configuration Files5.1.1 Setting the System Clock 5.1.2 Specify the Hostname 5.1.3 Enable the System Log5.1.4 Displaying the Operating Configuration 5.1.5 Test Connections with Ping Tests 5.2.2 Copying Configuration Files to a Network Server 5.2 Managing Configuration Files5.2.1 Configuring from the Terminal Switch# show running-config 5.2.3 Copying Configuration Files from a Network Server to the Switch 5.3.1 Saving System image to a Network Server 5.4 Configuring SNMP5.3 Managing system image Files 5.3.2 Replacing System image from a Network Server 5.4.1 Configuring SNMP Support 5.5 Spanning Tree Algorithm 5.5.1 Spanning Tree Parameters Port Priority 5.5.2 Rapid Spanning Tree Protocol RSTPPriority Port Path Cost 5.5.3 Configuring spanning-tree Use the following interface mode command to configure port link-type Command Asante IntraCore IC3624/48 Address or Range Chapter 6 Configuring IPClass Status 6.1 Establish Address Resolution 6.2.1 IGMP Overview 6.2.2 Configuring IGMP6.2 Managing IP Multicast Traffic Switchconfig# set igmp query-interval CommandConfigure the frequency at which the designated switch sends Purpose 6.3.2 Configuring an Access List 6.3 Access Lists6.3.1 Creating an Access List SwitchConfig# access-list name aclmac add priority 6.3.3 Applying an Access List to an Interface 6.3.4 Enabling an Access List Chapter 7 VLAN Configuration 7.1 Creating or Modifying a VLAN vlan port all ports…… 7.2.1 configuring vlan ports7.2 VLAN Port Membership Vlan participation 7.2.2 Trunk IEEE 802.1qinterface IFNUMBER Asante IntraCore IC3624/48 8.1 Scheduling algorithm Chapter 8 Quality of Service Configuration8.1.1 Configuring Weighted Round Robin 8.2.1 Priority Mapping 8.1.2 Monitoring Weighted Round Robin8.2 Priority Queuing 8.2.4 IP Based QOS 8.2.2 Port Based QOS8.2.3 802.1P Based QOS 8.4 Rate Limiting 8.3.1 Configuring Traffic Shaping for an Interface8.3 Traffic Shaping Enter the username and password then click the “OK” button Chapter 9 Configuring the Switch Using the GUIThe defaults are IP Address Username admin Password Asante capital A The following example shows the main Configuration Menu 9.1 Main Configuration MenuSecurity QoS SNMP LLDP Admin Statistics Help Logout System Port Management VLAN Management Spanning Tree Multicast Save the settings when done by clicking the “Save Settings” button 9.2 System9.2.1 System System Information 9.2.2 System Network management Status 9.2.3 System Time Setting 9.2.4 System - Green Ethernet When a port number is clicked the subscreen appears 9.3 Port Management - Port ConfigThe Port Management section displays assorted settings for each port Asante IntraCore IC3624/48 9.4 VLAN Management Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 VLAN MANAGEMENT - VLAN PORT. This screen allows additional settings to be controlled on a per port basis. Here the PVID can be changed to. Changing the PVID in required to force the port to respond to a particular VLAN. Becoming a member of a VLAN is only the start. The port PVID must be changed to cause it to respond only to the desired VLAN 9.5 Spanning Tree Path cost = 1000/LAN speed in Mbps MSTP. Multiple Spanning Tree Protocol can be enabled on this page Individual Port properties can be manipulated at this screen MST Instance parameters can be modified on the following two screens 9.6 Multicast Asante IntraCore IC3624/48 9.7 Security - Port Security Access control lists can be established using this screen 802.1X can be enabled on a per port basis TACAS+ and Storm Control are available on the next screens Management IP list can be used to enter a list of IP addresses to limit the availability of switch Management 9.8 QoS Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 9.9 SNMP SNMP Continued 9.10 LLDP Asante IntraCore IC3624/48 9.11 Admin - Admin Password Static addresses can be added using this screen Port Mirroring - To set up a mirror, identify the port to be mirrored by checking the ingress mirror, or egress mirror for the port. Next select the port to mirror the information to Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 Cable diagnostic a cable test that can be run for each port Asante IntraCore IC3624/48 9.12 Statistics Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 User’s Manual Asante IntraCore IC3624/48 9.13 Help General help is available for many screens 9.14 Logout Use this screen to logout and close the session Asante IntraCore IC3624/48 Command Prompt COMMAND Privileged Mode Chapter 10 CLI Commands10.2 User Mode commands Command Prompt Switch# Global Config Mode Format enable 10.3 Privileged Mode commands10.2.6 enable 10.3.2.2 clear config 10.3.2.5 clear static-mcast 10.3.2.10 configuration10.3.4.1 copy nvramconfig 10.3.2.6 clear pass 10.3.8 ping 2 show qos queue-settings1 show dot1x config 10.3.9 reload 10.3.11.3 show igmp snooping 2 show dot1x radius3 show dot1x statistics 1 show igmp snooping dynamicrouterport 10.3.11.7 show logging 10.3.11.13 show running-config4 show lldp msap-entry 2 show logging flash-log 2show snmp users 10.3.11.14 show snmp1 show snmp groups 3 show snmp communities 2 show switch age-time 10.3.11.19 show switch1 show switch admin-time 3 show switch mac-table 6 Show rmon history 10.4 Global Config mode commandsShow rmon event log 7Show rmon statistics 10.4.2.4 vlan port vlan port all port-configurevlan port ports port-configure 1 vlan port all 10.4.6.2 lldp disable 10.4.5.2 link aggregation delport This command remove ports from LAG10.4.6 LLDP 10.4.6.1 lldp enable 10.4.5 link-aggregation 10.4.7 Log 10.4.10 mgmt-accesslist commands 10.4.10.1 mgmt-accesslist ipaddr10.4.10.2 mgmt-accesslist enable 10.4.7.1 Log log-server 10.4.11.2 monitor disable 10.4.10.3 mgmt-accesslist disable10.4.11 monitor commands 10.4.11.1 monitor enable 10.4.12 dot1x commands 10.4.12.1 dot1x enable 10.4.14 port-all commands 10.4.14.1 port-all admin-mode 10.4.13.4 network dhcp-relay Configure switch dhcp relay functions10.4.13.6 network admin-timeout 10.4.13.2 network parms 2 port-all portsec-lockmode static 10.4.14.4 port-all portsec-lockmode Configure port security10.4.14.3 port-all flow-control 3 port-all portsec-lockmode dynamic 4 port-all storm-control broadcast-unknown 10.4.15 qos commands10.4.15.1 qos qos-advanced Configure qos advanced mode 5 port-all storm-control all-cast 2 set igmp disable 10.4.16 set commands 10.4.16.1 set IGMP1 set igmp enable 3 set igmp last-memberquery 10.4.17.2 snmp group 10.4.17 snmp commands 10.4.17.1 snmp notifysnmp trapstation add ip-addr community community name type bootup 1 snmp group add 1 sntp localtime enable 10.4.18 sntp commands 10.4.18.1 sntp daylight10.4.18.2 sntp localtime Configure the local time 2 sntp localtime localtimedate This command sets local time 3 spanning-tree forceversion none 10.4.110.2 spanning-tree configuration1 spanning-tree configuration name 10.4.110.3 spanning-tree forward-time 10.4.22.2 rmon alarm 10.4.20 User commands10.4.21 Interface commands 10.4.110.8 spanning-tree mst 2 access-list name WORD action permit 2 rmon del alarm10.4.23 access list commands 1 access-list name WORD clears SRC IP 10.4.23.6 access-list name WORD set 5 access-list name WORD clear mac SA7access-list name WORD clear VID 3 access-list name WORD set L4port 10.4.24 arp Commands access-list name WORD set l4port DST-port5 access-list name WORD set mac-mode 1 arp dynamic enables and disables 10.5.1 exit command 10.5 Interface Config mode commands10.4.25 dos Commands 10.5.2 dot1x command Set 802.1x port control 10.5.6.4 Configures which TLVs are enabled for transmission 10.5.6 lldp command10.5.6.3 Configure med notifications 10.5.6.1 lldp state set lldp status 10.5.11 port-security command 10.5.7 admin-mode10.5.10 flow-control command flow-control enable 10.5.12 qos command 10.5.17 spanning-tree command 10.5.17.1 spanning-tree cost 10.5.14.5 storm-control all-cast This command storm control limited10.5.15 rmon-counter command 10.5.14.4 storm-control broadcast-unknown 10.5.17.7 spanning-tree priority 1vlan participation exclude This command leave a vlan10.5.17.6 spanning-tree participation 2 vlan participation Possible Solutions Appendix A Basic TroubleshootingProblem Performance Specifications Appendix B SpecificationsStatus Indicators Management Specifications Package Content L2+ Management SpecificationsEnvironmental Specifications Warranty C.1 FCC Compliance Statement Appendix C FCC Compliance and Warranty StatementsC.2 Important Safety Instructions C.3 IntraCore Warranty Statement Default IndexConnecting Command host-query monitoring configurationbandwidth 57, 58, 59