Manuals / Intel / Computer Equipment / Switch

Intel IXM5414E manual Access Control List configuration example, Config acl create, 255

Models: IXM5414E

1 294

Download 294 pages 21.55 Kb

Page 265

Access Control List configuration example

This section provides sample CLI commands showing how to configure the Intel® Blade Server Ethernet Switch Module IXM5414E to support Access Control Lists (ACLs). ACLs offer one way of adding Quality of Service support to your network.

You define an ACL to control who can use your network or network resources by allowing or prohibiting access. The ACL specifies one or more match criteria that will be used to determine whether a given packet will be admitted to the network. The first match criteria met by a packet determines whether the packet is admitted. If the packet matches none of the criteria, it will be dropped.

An ACL consists of up to ten rules, each applied to one or more of the following fields:

•Source IP address

•Destination IP address

•Source Layer-4 port

•Destination Layer-4 port

•Type of Service byte

•Internet Protocol number

The script in the following example restricts access to the network to UDP and TCP traffic from a defined set of IP source addresses.

Create Access Control List 1.

config acl create 1

Create Rule 1 for ACL 1.

config acl rule create 1 1

Define the content of ACL 1 Rule 1. Packets will be accepted only if they are TCP packets from the source IP address set defined by the specified IP address and mask.

config acl rule action 1 1 permit

config acl rule match protocol keyword 1 1 tcp

config acl rule match dstip 1 1 192.168.50.0 255.255.255.0

Create Rule 2 for ACL 1.

config acl rule create 1 2

Define the content of ACL 1 Rule 2. Packets will be accepted only if they are UDP packets from the source IP address set defined by the specified IP address and mask. This is the same source IP address set defined for TCP traffic.

config acl rule action 1 2 permit

config acl rule match protocol keyword 1 2 udp

config acl rule match dstip 1 2 192.168.50.0 255.255.255.0

Apply ACL 1 to inbound traffic received on external ports 1-4. Packets that do not match the criteria specified in Rules 1 or 2 will be dropped.

config acl interface add ext.1 inbound 1

Intel® Blade Server Ethernet Switch Module IXM5414E

255

Image 265

Intel IXM5414E manual Access Control List configuration example, Config acl create, Config acl rule create 1, 255

Contents

C66107-004 Page Contents Page Safety To Disconnect To ConnectVii StatementViii XxCAUTION Page Page Related publications Major components of the IXM5414E switch module Performance features Specifications and featuresPorts Garp Gmrp Gvrp StandardsManagement Intel Blade Server Ethernet Switch Module IXM5414E Network Cable Support Ethernet interface requirements Module Bay Switch-module function Installation guidelinesSystem reliability considerations Handling static-sensitive devicesInstalling the IXM5414E switch module Sbce Intel Blade Server Ethernet Switch Module IXM5414E Removing the IXM5414E switch module Intel Blade Server Ethernet Switch Module IXM5414E Intel Blade Server Ethernet Switch Module IXM5414E LEDs Information panelIntel Blade Server Ethernet Switch Module IXM5414E Chassis configuration and operation Intel Blade Server Ethernet Switch Module IXM5414E overviewSwitch module management and control IP addresses and Snmp community names Module bay number Default IP addressTraps Management Information Bases MIB Authentication failurePort mirroring Topology change Spanning Tree Protocol STPAuthentication Switching conceptsSimple Network Management Protocol Snmp Packet forwardingSpanning Tree Protocol STP Ieee 802.1Q VLANs Virtual Local Area Networks VlanForwarding rules between ports Ieee 802.1Q Vlan packet forwardingIeee 802.1Q Tag Ieee 802.1Q Vlan tagsTagging and untagging Port Vlan IDEgress rules Static MAC filtering Ieee 802.1Q Vlan configurationGeneric Attribute Registration Protocol Garp Garp Vlan Registration Protocol Gvrp Group Service Requirements InformationGarp Multicast Registration Protocol Gmrp Group Membership InformationInternet Group Management Protocol Igmp snooping Distribution method Static LAGsDynamic Host Configuration Protocol Dhcp Authentication server AuthenticatorSecurity IeeeLocal authentication Radius authenticationSecure Shell SSH Secure Socket Layer SSL SSL Feature Component TypeBandwidth provisioning Quality of Service QoSBandwidth Allocation Profile Access Control Lists ACL Intel Blade Server Ethernet Switch Module IXM5414E Introduction Remotely managing the switch moduleGetting started Intel Blade Server Ethernet Switch Module IXM5414E QOS System Inventory information ARP cacheMAC Address System Description Maintenance LevelMachine Type Machine ModelSystem description ConfigurationOperating System Network Processing DeviceNetwork connectivity Network Configuration Protocol Default GatewayBurned In MAC Address Telnet Telnet Login Timeout minutesUser accounts Maximum Number of Telnet SessionsConfirm Password PasswordSnmp v3 Access Mode UserAuthentication Protocol Login configurationEncryption Protocol Encryption KeyLogin session ID of this row Login summaryConnection From Login Users User loginMethod List 802.1X Port Security UsersAuthentication is complete Forwarding database ConfigurationSearch Aging Interval secsLearned FilterMAC Address Search IfIndexMessage log LogsGmrp Learned OtherTime Event logDays, hours, minutes and seconds Entry PortFilename TaskIDProbe Flow Control Mode Admin ModeLacp Mode Physical ModeSummary Port Type STP ModeForwarding State Mirroring Control ModeLink Status Link TrapPort to be Mirrored Port Mirroring ModeCommunity Community configurationName Client IP Address Trap receiver configurationClient IP Mask Trap receiver summary Disable EnableSupported Management Information Bases MIB IP AddressStatistics Switch detailedDescription RFC title or MIB description Octets Received Packets Received Without ErrorUnicast Packets Received Multicast Packets ReceivedOctets Transmitted Packets Transmitted Without ErrorsUnicast Packets Transmitted Multicast Packets TransmittedTotal Packets Received Without Errors Switch summaryPackets Received With Error Port detailed Transmit Packet ErrorsAddress Entries Currently In Use Vlan Entries Currently In UsePackets Received 64 Octets Total Packets Received with MAC ErrorsPackets Received 65-127 Octets Packets Received 128-255 OctetsRx FCS Errors Alignment ErrorsJabbers Received Fragments/Undersize ReceivedTx FCS Errors Total Transmit ErrorsUnderrun Errors Packets Transmitted 1024-1518 OctetsSTP BPDUs Received Excessive Collision FramesSTP BPDUs Transmitted Rstp BPDUs ReceivedPort summary Collision Frames System utilities System resetSave all applied changes Reset passwords to defaults Reset configuration to defaultsDownload file to switch Tftp Server IP Address File TypeTftp File Path Tftp File NameUpload file from switch Ping Trap managerTrap flags PingTrap log AuthenticationLink Up/Down Multiple UsersSwitching Vlan Name Vlan ID and NameMulitcast Storm Control Mode Broadcast Storm Control ModeBroadcast Packets/Second Multicast Packets/SecondTagged All frames transmitted for this Vlan will be tagged StatusMulticast Storm Control Mode Port configurationPort Vlan ID Acceptable Frame TypesAll. The factory default is MAC filter configuration Reset configurationFilters Destination Port Mask MAC filter summarySwitch Gmrp Switch GvrpDestination Port Members 100 Switch configurationGmrp Mode Gvrp Mode101 102 Igmp snooping Configuration and statusGroup Membership Interval secs Max Response Time secs Less Than Group Membership Interval104 Interface configurationLAG Name Create Administrative ModeLAG Name 105Logical port identifier of the LAG, in the format lag.port Membership Conflicts106 Member Ports Mfdb table107 Component Gmrp tableType Forwarding Ports109 Igmp snooping tableSpanning tree Switch configuration/statusStats 110Spanning Tree Admin Mode Common Spanning Tree CST configuration/statusConfiguration Digest Key Force Protocol Version112 113 CST port configuration/status114 Statistics Class of serviceRstp BPDUs. Transmitted 115802.1p priority mapping Port access controlUser Priority Traffic Class117 Force Authorized Force UnauthorizedQuiet Period secs 118119 Port status120 Control Direction Authenticator PAE StateProtocol Version PAE Capabilities122 Backend StateKey Transmission Enabled Operating Control Mode123 124 125 LoginPort access summary Port access privileges126 127 Radius128 Server configuration129 Server statistics Radius statisticsInvalid Server Addresses 130131 132 Accounting server configurationAccounting Requests Accounting server statisticsAccounting Retransmissions Accounting ResponsesSecure Http TimeoutsClear statistics Malformed Accounting ResponsesTLS Version Https Admin ModeSSL Version Https PortSSH Version Secure ShellSSH Connections in Use 136QoS Access Control Lists137 Current Size/Max Size Direction138 ACL identifier Rule configuration139 Action Rule140 141 Source L4 Port Keyword Source L4 Port Number Bandwidth profile configurationDestination L4 Port Keyword Destination L4 Port Number 142Bandwidth Profile Bandwidth profile summaryMaximum Bandwidth 143Allocated Minimum Bandwidth Traffic class configuration144 Interface Weight145 Accept Byte Count Traffic class summary146 Interface allocation summary Logout147 148 149 Determining the software versionUpgrading the image using Telnet Upgrading the switch softwareUpgrading the MCU code using Telnet Obtaining the latest version151 Upgrading the image using web interfaceUpgrading the MCU code using web interface Resetting and restarting the switch module152 153 154 Command name Command Line Interface CLI conventionsFormat 155Values Parameters156 Special characters Comments157 Connecting to the IXM5414E switch module Remotely managing the IXM5414E switch moduleExecute the nth command in history buffer Str159 Changing configuration settingsInitial configuration IXM5414E switch module system commandsManaging user accounts 160Address Resolution Protocol ARP cache System commandsForwarding DB Show inventory Inventory information162 Logs Port commandsAcceptable values are Default disable Format164 Mirroring commands FlowControl Mode165 Simple Network Management Protocol Snmp Snmp community commands166 167 Format show snmpcommunity Snmp Community NameSnmp trap commands Status Status of this community. Either enable or disableFormat show snmptrap Snmp Trap Name 168Default 10.90.90.9x 255.255.255.0 Format System configurationFormat Config network protocol none/bootp/dhcp Values Network connectivityTelnet Format Show network IP Address170 User accounts Format show telnet Telnet Login Timeout minutes171 Default No authentication Format Format Config users passwd userDefault No encryption Format Use of zero instead of the letter OConfig prompt Login173 Config syslocation Config syscontactConfig sysname Show stats port detailedFragments/Undersized Received Total Packets Received Without Error175 176 BPDUs Received Total Transmit Packet DiscardedBPDUs Transmitted Gvrp PDUs Failed RegistrationsShow stats port summary Show stats switch detailed178 179 180 Show stats switch summarySystem utilities System utility commandsShow sysinfo 181182 Format logoutDefault code Format Transfer download commands183 Tftp Server IP Transfer upload commandsTftp Filename 184185 Trap manager Show traplog Switching configuration commands187 Generic Attribute Registration Protocol Garp commands Show garp info Config garp leavetimerShow garp interface 189Config igmpsnooping adminmode Igmp snooping commandsConfig igmpsnooping groupmembershipinterval Config igmpsnooping interfacemodeConfig igmpsnooping mcrtrexpiretime Link Aggregation LAG commandsConfig lag addport Config lag adminmodeConfig lag deletelag Config lag createConfig lag deleteport Config lag linktrapConfig macfilter adddest MAC filter commandsConfig macfilter create Config macfilter deldestShow macfilter Multicast Forwarding Database Mfdb commandsShow mfdb gmrp Show mfdb igmpsnoopingShow mfdb stats Show mfdb staticfilteringShow mfdb table 195Spanning tree bridge commands Spanning tree commandsSpanning tree Common Spanning Tree CST commands 198 Show spanningtree cst port detailed199 Show spanningtree cst port summarySpanning tree summary commands Spanning tree port commandsVirtual Local Area Network Vlan commands Config vlan participation Config vlan nameConfig vlan port acceptframe Config vlan port priorityShow vlan detailed Config vlan port tagging203 Show vlan summary Show vlan port204 Config classofservice 802.1pmapping Class of Service commandsShow classofservice 802.1pmapping Default = see table belowAuthentication commands Security configuration commandsIeee 802.1X commands Config dot1x defaultlogin Config dot1x adminmodeConfig dot1x login Config dot1x port controlmodeConfig dot1x port reauthenabled Config dot1x port quietperiodConfig dot1x port reauthenticate Config dot1x port reauthperiodConfig dot1x port users add Config dot1x port transmitperiodConfig dot1x port users remove Show dot1x port detailedFormat Show dot1x port stats port Port Show dot1x port stats211 Show dot1x port users Show dot1x port summaryShow dot1x summary 212Radius accounting commands Remote Authentication Dial-In User Service Radius commandsConfig radius maxretransmit Radius configuration / summary commandsShow radius accounting summary Clear radius statsShow radius stats Config radius timeoutShow radius summary 215Radius server commands Show radius server summary Server IP Address217 Secure Socket Layer SSL commands Secure Shell SSH commandsAccess Control List ACL commands Quality of Service QoS commandsConfig acl rule create Config acl rule actionConfig acl rule delete Config acl rule match dstipConfig acl rule match protocol keyword Config acl rule match everyConfig acl rule match protocol number Config acl rule match srcipShow acl detailed Config acl rule match srcl4port numberShow acl summary 222BW provisioning BW allocation commands Bandwidth provisioning commandsBW provisioning traffic class commands Show bwprovisioning trafficclass detailed Show bwprovisioning trafficclass allocatedbwShow bwprovisioning trafficclass summary 225226 227 Contact pin number Label Media direct interface signal228 Standard Data transmission rate Media type Maximum distance 229230 Bandwidth Provisioning 231Ieee Vlan Switching Remote Authentication Dial-in User Service232 Secure Shell233 HeadingIgmp Snooping Link Aggregation 234Spannng Tree Protocol STP 235 Telnet 236User Accounts Utilities237 238 239 Appendix D CLI Command Tree240 241 242 Spanningtree 243244 Show245 246 Transfer247 248 Config spanningtree bridge priority Bridging configuration example249 250 Config forwardingdb agetimeConfig spanningtree forceversion 802.1w Ieee 802.1w configuration exampleConfig spanningtree forceversion 802.1d 251Config vlan create Vlan configuration exampleConfig vlan port pvid 2 bay.3,bay.4 252253 Link aggregation configuration exampleConfig igmpsnooping adminmode enable Igmp snooping configuration exampleConfig igmpsnooping mcrtrexpiretime Show mfdb table allConfig acl create Access Control List configuration exampleConfig acl rule create 1 Config acl interface add ext.1 inbound256 Config acl interface add ext.4 inboundSpanning Tree Protocol STP operation Parameter Description Default value257 Creating a stable topology Variable Description Default value258 259 Ieee 802.1D STP port states260 Ieee 802.1w STP port statesPort state RoleForward Delay Setting user-changeable STP parametersFeature Default value 261262 Illustration of STP263 This example, only the default STP values are used264 Discarding state265 Learning state266 Forwarding state267 268 Disabled stateSpanning Tree Protocol Failure Troubleshooting STPFull/half duplex mismatch 269270 Unidirectional linkPacket corruption Resource errorsIdentifying a data loop 271272 Avoiding network problems273 274 275 Before you call276 277 Safety and regulatory informationElectrical Safety General Safety278 279 Handling electrostatic discharge-sensitive devicesSafety compliance Regulatory specifications and disclaimers280 Japan EMC Compatibility Electromagnetic compatibility EMC281 282 RRL Korea283 English translation of the previous noticeDevice User’s Information284