Access Control Lists ACL | Intel IXM5414E guide

Access Control Lists (ACL)

You use Access Control Lists (ACLs) to control the traffic entering or exiting a network, for example where two networks are connected, or an internal network is connected through a firewall router to the Internet. This allows you to ensure that only authorized users have access to specific resources while blocking off any unwarranted attempts to reach them.

You can use ACLs to:

•Provide traffic flow control

•Determine which types of traffic will be forwarded or blocked

•Provide network security

An ACL consists of one or more rules or filtering criteria. A packet is accepted or rejected based on whether or not it matches the criteria. After you create the set of rules for an ACL, you attach the ACL to an interface. Filtering is done on inbound traffic.

An ACL rule may apply to any one or more of the following fields:

•Source IP address

•Source Port (Layer 4)

•Destination IP

•Destination Port (Layer 4)

•IP Protocol Number

An ‘implicit deny’ rule is added to the end of every ACL. This means that if a packet does not match

any of the rules you have defined it will be dropped.

Intel® Blade Server Ethernet Switch Module IXM5414E

39

Image 49

Intel IXM5414E manual Access Control Lists ACL

Contents

C66107-004 Page Contents Page Safety To Disconnect To Connect Vii Statement Viii XxCAUTION Page Page Related publications Major components of the IXM5414E switch module Performance features Specifications and featuresPorts Garp Gmrp Gvrp Standards Management Intel Blade Server Ethernet Switch Module IXM5414E Network Cable Support Ethernet interface requirements Module Bay Switch-module function Installation guidelinesSystem reliability considerations Handling static-sensitive devices Installing the IXM5414E switch module Sbce Intel Blade Server Ethernet Switch Module IXM5414E Removing the IXM5414E switch module Intel Blade Server Ethernet Switch Module IXM5414E Intel Blade Server Ethernet Switch Module IXM5414E LEDs Information panel Intel Blade Server Ethernet Switch Module IXM5414E Chassis configuration and operation Intel Blade Server Ethernet Switch Module IXM5414E overview Switch module management and control IP addresses and Snmp community names Module bay number Default IP address Traps Management Information Bases MIB Authentication failurePort mirroring Topology change Spanning Tree Protocol STP Authentication Switching conceptsSimple Network Management Protocol Snmp Packet forwarding Spanning Tree Protocol STP Ieee 802.1Q VLANs Virtual Local Area Networks Vlan Forwarding rules between ports Ieee 802.1Q Vlan packet forwarding Ieee 802.1Q Tag Ieee 802.1Q Vlan tags Tagging and untagging Port Vlan IDEgress rules Static MAC filtering Ieee 802.1Q Vlan configurationGeneric Attribute Registration Protocol Garp Garp Vlan Registration Protocol Gvrp Group Service Requirements InformationGarp Multicast Registration Protocol Gmrp Group Membership Information Internet Group Management Protocol Igmp snooping Distribution method Static LAGs Dynamic Host Configuration Protocol Dhcp Authentication server AuthenticatorSecurity Ieee Local authentication Radius authenticationSecure Shell SSH Secure Socket Layer SSL SSL Feature Component Type Bandwidth provisioning Quality of Service QoSBandwidth Allocation Profile Access Control Lists ACL Intel Blade Server Ethernet Switch Module IXM5414E Introduction Remotely managing the switch module Getting started Intel Blade Server Ethernet Switch Module IXM5414E QOS System Inventory information ARP cacheMAC Address System Description Maintenance LevelMachine Type Machine Model System description ConfigurationOperating System Network Processing Device Network connectivity Network Configuration Protocol Default GatewayBurned In MAC Address Telnet Telnet Login Timeout minutesUser accounts Maximum Number of Telnet Sessions Confirm Password PasswordSnmp v3 Access Mode User Authentication Protocol Login configurationEncryption Protocol Encryption Key Login session ID of this row Login summaryConnection From Login Users User loginMethod List 802.1X Port Security Users Authentication is complete Forwarding database ConfigurationSearch Aging Interval secs Learned FilterMAC Address Search IfIndex Message log LogsGmrp Learned Other Time Event logDays, hours, minutes and seconds Entry PortFilename TaskID Probe Flow Control Mode Admin ModeLacp Mode Physical Mode Summary Port Type STP ModeForwarding State Mirroring Control ModeLink Status Link Trap Port to be Mirrored Port Mirroring Mode Community Community configurationName Client IP Address Trap receiver configurationClient IP Mask Trap receiver summary Disable EnableSupported Management Information Bases MIB IP Address Statistics Switch detailedDescription RFC title or MIB description Octets Received Packets Received Without ErrorUnicast Packets Received Multicast Packets Received Octets Transmitted Packets Transmitted Without ErrorsUnicast Packets Transmitted Multicast Packets Transmitted Total Packets Received Without Errors Switch summaryPackets Received With Error Port detailed Transmit Packet ErrorsAddress Entries Currently In Use Vlan Entries Currently In Use Packets Received 64 Octets Total Packets Received with MAC ErrorsPackets Received 65-127 Octets Packets Received 128-255 Octets Rx FCS Errors Alignment ErrorsJabbers Received Fragments/Undersize Received Tx FCS Errors Total Transmit ErrorsUnderrun Errors Packets Transmitted 1024-1518 Octets STP BPDUs Received Excessive Collision FramesSTP BPDUs Transmitted Rstp BPDUs Received Port summary Collision Frames System utilities System resetSave all applied changes Reset passwords to defaults Reset configuration to defaults Download file to switch Tftp Server IP Address File TypeTftp File Path Tftp File Name Upload file from switch Ping Trap managerTrap flags Ping Trap log AuthenticationLink Up/Down Multiple Users Switching Vlan Name Vlan ID and Name Mulitcast Storm Control Mode Broadcast Storm Control ModeBroadcast Packets/Second Multicast Packets/Second Tagged All frames transmitted for this Vlan will be tagged Status Multicast Storm Control Mode Port configurationPort Vlan ID Acceptable Frame Types All. The factory default is MAC filter configuration Reset configurationFilters Destination Port Mask MAC filter summary Switch Gmrp Switch GvrpDestination Port Members 100 Switch configuration Gmrp Mode Gvrp Mode101 102 Igmp snooping Configuration and statusGroup Membership Interval secs Max Response Time secs Less Than Group Membership Interval 104 Interface configuration LAG Name Create Administrative ModeLAG Name 105 Logical port identifier of the LAG, in the format lag.port Membership Conflicts106 Member Ports Mfdb table107 Component Gmrp tableType Forwarding Ports 109 Igmp snooping table Spanning tree Switch configuration/statusStats 110 Spanning Tree Admin Mode Common Spanning Tree CST configuration/statusConfiguration Digest Key Force Protocol Version 112 113 CST port configuration/status 114 Statistics Class of serviceRstp BPDUs. Transmitted 115 802.1p priority mapping Port access controlUser Priority Traffic Class 117 Force Authorized Force UnauthorizedQuiet Period secs 118 119 Port status 120 Control Direction Authenticator PAE StateProtocol Version PAE Capabilities 122 Backend State Key Transmission Enabled Operating Control Mode123 124 125 Login Port access summary Port access privileges126 127 Radius 128 Server configuration 129 Server statistics Radius statisticsInvalid Server Addresses 130 131 132 Accounting server configuration Accounting Requests Accounting server statisticsAccounting Retransmissions Accounting Responses Secure Http TimeoutsClear statistics Malformed Accounting Responses TLS Version Https Admin ModeSSL Version Https Port SSH Version Secure ShellSSH Connections in Use 136 QoS Access Control Lists137 Current Size/Max Size Direction138 ACL identifier Rule configuration139 Action Rule140 141 Source L4 Port Keyword Source L4 Port Number Bandwidth profile configurationDestination L4 Port Keyword Destination L4 Port Number 142 Bandwidth Profile Bandwidth profile summaryMaximum Bandwidth 143 Allocated Minimum Bandwidth Traffic class configuration144 Interface Weight145 Accept Byte Count Traffic class summary146 Interface allocation summary Logout147 148 149 Determining the software version Upgrading the image using Telnet Upgrading the switch softwareUpgrading the MCU code using Telnet Obtaining the latest version 151 Upgrading the image using web interface Upgrading the MCU code using web interface Resetting and restarting the switch module152 153 154 Command name Command Line Interface CLI conventionsFormat 155 Values Parameters156 Special characters Comments157 Connecting to the IXM5414E switch module Remotely managing the IXM5414E switch moduleExecute the nth command in history buffer Str 159 Changing configuration settings Initial configuration IXM5414E switch module system commandsManaging user accounts 160 Address Resolution Protocol ARP cache System commandsForwarding DB Show inventory Inventory information162 Logs Port commands Acceptable values are Default disable Format164 Mirroring commands FlowControl Mode165 Simple Network Management Protocol Snmp Snmp community commands166 167 Format show snmpcommunity Snmp Community Name Snmp trap commands Status Status of this community. Either enable or disableFormat show snmptrap Snmp Trap Name 168 Default 10.90.90.9x 255.255.255.0 Format System configurationFormat Config network protocol none/bootp/dhcp Values Network connectivity Telnet Format Show network IP Address170 User accounts Format show telnet Telnet Login Timeout minutes171 Default No authentication Format Format Config users passwd userDefault No encryption Format Use of zero instead of the letter O Config prompt Login173 Config syslocation Config syscontactConfig sysname Show stats port detailed Fragments/Undersized Received Total Packets Received Without Error175 176 BPDUs Received Total Transmit Packet DiscardedBPDUs Transmitted Gvrp PDUs Failed Registrations Show stats port summary Show stats switch detailed178 179 180 Show stats switch summary System utilities System utility commandsShow sysinfo 181 182 Format logout Default code Format Transfer download commands183 Tftp Server IP Transfer upload commandsTftp Filename 184 185 Trap manager Show traplog Switching configuration commands187 Generic Attribute Registration Protocol Garp commands Show garp info Config garp leavetimerShow garp interface 189 Config igmpsnooping adminmode Igmp snooping commandsConfig igmpsnooping groupmembershipinterval Config igmpsnooping interfacemode Config igmpsnooping mcrtrexpiretime Link Aggregation LAG commandsConfig lag addport Config lag adminmode Config lag deletelag Config lag createConfig lag deleteport Config lag linktrap Config macfilter adddest MAC filter commandsConfig macfilter create Config macfilter deldest Show macfilter Multicast Forwarding Database Mfdb commandsShow mfdb gmrp Show mfdb igmpsnooping Show mfdb stats Show mfdb staticfilteringShow mfdb table 195 Spanning tree bridge commands Spanning tree commands Spanning tree Common Spanning Tree CST commands 198 Show spanningtree cst port detailed 199 Show spanningtree cst port summary Spanning tree summary commands Spanning tree port commands Virtual Local Area Network Vlan commands Config vlan participation Config vlan nameConfig vlan port acceptframe Config vlan port priority Show vlan detailed Config vlan port tagging203 Show vlan summary Show vlan port204 Config classofservice 802.1pmapping Class of Service commandsShow classofservice 802.1pmapping Default = see table below Authentication commands Security configuration commands Ieee 802.1X commands Config dot1x defaultlogin Config dot1x adminmodeConfig dot1x login Config dot1x port controlmode Config dot1x port reauthenabled Config dot1x port quietperiodConfig dot1x port reauthenticate Config dot1x port reauthperiod Config dot1x port users add Config dot1x port transmitperiodConfig dot1x port users remove Show dot1x port detailed Format Show dot1x port stats port Port Show dot1x port stats211 Show dot1x port users Show dot1x port summaryShow dot1x summary 212 Radius accounting commands Remote Authentication Dial-In User Service Radius commands Config radius maxretransmit Radius configuration / summary commandsShow radius accounting summary Clear radius stats Show radius stats Config radius timeoutShow radius summary 215 Radius server commands Show radius server summary Server IP Address217 Secure Socket Layer SSL commands Secure Shell SSH commands Access Control List ACL commands Quality of Service QoS commands Config acl rule create Config acl rule actionConfig acl rule delete Config acl rule match dstip Config acl rule match protocol keyword Config acl rule match everyConfig acl rule match protocol number Config acl rule match srcip Show acl detailed Config acl rule match srcl4port numberShow acl summary 222 BW provisioning BW allocation commands Bandwidth provisioning commands BW provisioning traffic class commands Show bwprovisioning trafficclass detailed Show bwprovisioning trafficclass allocatedbwShow bwprovisioning trafficclass summary 225 226 227 Contact pin number Label Media direct interface signal 228 Standard Data transmission rate Media type Maximum distance 229 230 Bandwidth Provisioning 231Ieee Vlan Switching Remote Authentication Dial-in User Service232 Secure Shell 233 HeadingIgmp Snooping Link Aggregation 234Spannng Tree Protocol STP 235 Telnet 236User Accounts Utilities 237 238 239 Appendix D CLI Command Tree 240 241 242 Spanningtree 243 244 Show 245 246 Transfer 247 248 Config spanningtree bridge priority Bridging configuration example249 250 Config forwardingdb agetime Config spanningtree forceversion 802.1w Ieee 802.1w configuration exampleConfig spanningtree forceversion 802.1d 251 Config vlan create Vlan configuration exampleConfig vlan port pvid 2 bay.3,bay.4 252 253 Link aggregation configuration example Config igmpsnooping adminmode enable Igmp snooping configuration exampleConfig igmpsnooping mcrtrexpiretime Show mfdb table all Config acl create Access Control List configuration exampleConfig acl rule create 1 Config acl interface add ext.1 inbound 256 Config acl interface add ext.4 inbound Spanning Tree Protocol STP operation Parameter Description Default value257 Creating a stable topology Variable Description Default value258 259 Ieee 802.1D STP port states 260 Ieee 802.1w STP port statesPort state Role Forward Delay Setting user-changeable STP parametersFeature Default value 261 262 Illustration of STP 263 This example, only the default STP values are used 264 Discarding state 265 Learning state 266 Forwarding state 267 268 Disabled state Spanning Tree Protocol Failure Troubleshooting STPFull/half duplex mismatch 269 270 Unidirectional link Packet corruption Resource errorsIdentifying a data loop 271 272 Avoiding network problems 273 274 275 Before you call 276 277 Safety and regulatory information Electrical Safety General Safety278 279 Handling electrostatic discharge-sensitive devices Safety compliance Regulatory specifications and disclaimers280 Japan EMC Compatibility Electromagnetic compatibility EMC281 282 RRL Korea 283 English translation of the previous noticeDevice User’s Information 284