SMC Networks 100BASE-TX, 16 10BASE-T Access Control Lists

Access Control Lists

3-53

3

Access Control Lists

Access Control Lists (ACL) provide packet filtering for IP fram es (based on address,

protocol, Layer 4 protocol port number or TCP control code) or any frames (based

on MAC address or Ethernet type). To filter incoming pa ckets, first create an access

list, add the required rules and then bind the list to a specific port.

Configuring Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses,

MAC addresses, or other more specific criteria. This switch tests ingres s or egress

packets against the conditions in an ACL one by one. A packet will be accepted as

soon as it matches a permit rule, or dropped as soon as it matc hes a deny rule. If no

rules match for a list of all permit rules, the packet is dropped; and if no rules match

for a list of all deny rules, the packet is accepted.

Command Usage

The following restrictions apply to ACLs:

• Each ACL can have up to 32 rules.

• The maximum number of ACLs is 88.

• However, due to resour ce restrictions, the average number of rules bound to the

ports should not exceed 20.

• This switch supports ACL s for ingress filtering only. However, you can only bind

one IP ACL to any port and one MAC ACL globally for ingress filtering. In other

words, only two ACLs can be bound to an interface - Ingress IP ACL and Ingress

MAC ACL.

The order in which active ACLs are checked is as follows:

1.U ser-defined rules in the Ingress MAC ACL for ingress ports.

2.User-defined rules in the Ingress IP ACL for ingress ports.

3.Exp licit default rule (permit any any) in the ingress IP ACL for ingress ports.

4.Exp licit default rule (permit any any) in the ingress MAC ACL for ingress ports.

5.If no explicit rule is matched, the implicit default is permit all.

Contents

Main TigerSwitch 10/100 16-Port Fast Ethernet Switch Management Guide Page Page Page L W IMITED i ARRANTY ii Contents Page Page Page Page Page Page Page Page Page Tables Page Figures Page 1-1 Chapter 1: Introduction Key Features Table1-1. Key Features 1-2 Description of Software Features Description of Software Features 1-3 1-4 System Defaults 1-5 System Defaults 1-6 Table1-2. System Defaults (Continued) System Defaults 1-7 Table1-2. System Defaults (Continued) Page 2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options 2-2 Required Connections 2-3 Remote Connections Basic Configuration Console Connection 2-4 Setting Passwords Setting an IP Address Manual Configuration 2-5 Dynamic Configuration 2-6 Enabling SNMP Management Access Community Strings 2-7 Trap Receivers Saving Configuration Settings 2-8 Managing System Files 3-1 Chapter 3: Configuring the Switch Using the Web Interface Navigating the Web Browser Interface Home Page Panel Display 3-3 Configuration Options Panel Display 3-4 Main Menu Main Menu 3-5 3-6 Main Menu 3-7 3-8 Basic Configuration Displaying System Information 3-9 Displaying Switch Hardware/Software Versions 3-10 3-11 Displaying Bridge Extension Capabilities 3-12 Setting the Switchs IP Address Page 3-14 Using DHCP/BOOTP 3-15 Managing Firmware Page 3-17 Saving or Restoring Configuration Settings 3-18 Downloading Configuration Settings from a Server 3-19 Console Port Settings 3-20 3-21 Telnet Settings 3-22 3-23 Configuring Event Logging System Log Configuration 3-24 3-25 Remote Logs Configuration 3-26 Displaying Log Messages 3-27 Resetting the System Setting the System Clock 3-28 Configuring SNTP Simple Network Management Protocol 3-29 Setting the Time Zone Simple Network Management Protocol 3-30 Setting Community Access Strings Simple Network Management Protocol 3-31 Specifying Trap Managers and Trap Types 3-32 User Authentication Configuring User Accounts Page 3-34 Configuring Local/Remote Logon Authentication 3-35 3-36 3-37 Configuring HTTPS 3-38 Replacing the Default Secure-site Certificate 3-39 Configuring the Secure Shell 3-40 3-41 Generating the Host Key Pair 3-42 3-43 Configuring the SSH Server 3-44 Configuring Port Security 3-45 3-46 Configuring 802.1x Port Authentication 3-47 Displaying 802.1x Global Settings 3-48 Configuring 802.1x Global Settings Configuring Port Settings for 802.1x 3-49 3-50 3-51 Displaying 802.1x Statistics 3-52 3-53 Access Control Lists Configuring Access Control Lists 3-54 Setting the ACL Name and Type 3-55 Configuring a Standard IP ACL 3-56 Configuring an Extended IP ACL 3-57 3-58 Configuring a MAC ACL 3-59 Binding a Port to an Access Control List 3-60 Filtering Addresses for Management Access Filtering Addresses for Management Access 3-61 3-62 Port Configuration Displaying Connection Status 3-63 3-64 Configuring Interface Connections 3-65 3-66 Creating Trunk Groups 3-67 Statically Configuring a Trunk } active links statically configured 3-68 Enabling LACP on Selected Ports } } 3-69 3-70 Configuring LACP Parameters Page 3-72 3-73 Displaying LACP Port Counters You can display statistics for LACP protocol messages. Figure 3-44. Displaying LACP Port Counters CLI The following example displays LACP counters. Table 3-6. LACP Statistics 3-74 Displaying LACP Settings and Status for the Local Side 3-75 3-76 Displaying LACP Settings and Status for the Remote Side 3-77 Setting Broadcast Storm Thresholds 3-78 3-79 Configuring Port Mirroring 3-80 Configuring Rate Limits Rate Limit Granularity 3-81 Rate Limit Configuration 3-82 Showing Port Statistics 3-83 Table 3-9. Port Statistics (Continued) 3-84 Table 3-9. Port Statistics (Continued) Page 3-86 Address Table Settings Setting Static Addresses Address Table Settings 3-87 Displaying the Address Table Page 3-89 Changing the Aging Time Spanning Tree Algorithm Configuration 3-90 Displaying Global Settings x x 3-91 3-92 3-93 Configuring Global Settings 3-94 3-95 3-96 Displaying Interface Settings x x 3-97 3-98 3-99 Configuring Interface Settings 3-100 3-101 VLAN Configuration IEEE 802.1Q VLANs Assigning Ports to VLANs 3-102 3-103 Forwarding Tagged/Untagged Frames 3-104 Enabling or Disabling GVRP (Global Setting) Displaying Basic VLAN Informati on 3-105 Displaying Current VLANs 3-106 3-107 Creating VLANs 3-108 Adding Static Members to VLANs (VLAN Index) 3-109 3-110 Adding Static Members to VLANs (Port Index) 3-111 Configuring VLAN Behavior for Interfaces 3-112 3-113 Private VLANs x Page 3-115 Configuring Private VLANs 3-116 Associating Community VLANs 3-117 Displaying Private VLAN Interface Information 3-118 Configuring Private VLAN Interfaces 3-119 3-120 Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces 3-121 3-122 Mapping CoS Values to Egress Queues 3-123 Selecting the Queue Mode 3-124 Setting the Service Weight for Traffic Classes 3-125 3-126 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values Selecting IP Precedence/DSCP Priority 3-127 Mapping IP Precedence 3-128 Mapping DSCP Priority 3-129 3-130 Mapping IP Port Priority 3-131 Mapping CoS Values to ACLs 3-132 Multicast Filtering 3-133 Layer 2 IGMP (Snooping and Query) Configuring IGMP Snooping and Query Parameters 3-134 3-135 Displaying Interfaces Attached to a Multicast Router 3-136 Specifying Static Interfaces for a Multicast Router 3-137 Displaying Port Members of Multicast Services 3-138 Assigning Ports to Multicast Services Page Page 4-1 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection Telnet Connection 4-2 4-3 Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands The command show interfaces ? will display the following information: 4-5 Partial Keyword Lookup Negating the Effect of Commands Using Command History Understanding Command Modes 4-6 Exec Commands Configuration Commands 4-7 4-8 Command Line Processing Command Groups 4-9 Command Groups The system commands can be broken down into the fun ctional groups shown below Table4-4. Co mmand Groups 4-10 Line Commands line 4-11 login 4-12 password 4-13 timeout login response exec-timeout 4-14 password-thresh 4-15 silent-time databits 4-16 parity 4-17 speed stopbits 4-18 disconnect show line 4-19 General Commands enable 4-20 disable 4-21 configure show history 4-22 reload end 4-23 exit quit 4-24 System Management Commands Device Designation Commands prompt 4-25 hostname User Access Commands 4-26 username 4-27 enable password 4-28 IP Filter Commands management 4-29 show management 4-30 Web Server Commands ip http port ip http server 4-31 ip http secure-server 4-32 ip http secure-port 4-33 Telnet Server Commands ip telnet port ip telnet server 4-34 Secure Shell Commands 4-35 4-36 ip ssh server 4-37 ip ssh timeout ip ssh authentication-retries 4-38 ip ssh server-key size delete public-key 4-39 ip ssh crypto host-key generate ip ssh crypto zeroize 4-40 ip ssh save host-key show ip ssh 4-41 Example show ssh This command displays the current SSH server connections. Command Mode Privileged Exec Example Table4-16. show ssh - display description 4-42 show public-key 4-43 Event Logging Commands logging on 4-44 logging history 4-45 logging host logging facility 4-46 logging trap clear logging 4-47 show log 4-48 show logging 4-49 The following example displays settings for the trap function. Time Commands Table4-20. sho w logging trap - display description Table4-21. Time Commands 4-50 sntp client 4-51 sntp server sntp poll 4-52 show sntp clock timezone 4-53 calendar set show calendar 4-54 System Status Commands light unit 4-55 show startup-config 4-56 show running-config 4-57 Example Related Commands show startup-config (4-55) 4-58 show system show users 4-59 show version 4-60 Frame Size Commands jumbo frame 4-61 Flash/File Commands copy 4-62 4-63 The following example shows how to copy the running configuration to a startup file. The following example shows how to download a configuration file: 4-64 delete dir 4-65 whichboot 4-66 boot system 4-67 Authentication Commands Authentication Sequence authentication login 4-68 authentication enable 4-69 RADIUS Client radius-server host 4-70 radius-server port 4-71 radius-server key radius-server retransmit 4-72 radius-server timeout show radius-server 4-73 TACACS+ Client tacacs-server host tacacs-server port 4-74 tacacs-server key show tacacs-server 4-75 Port Security Commands port security 4-76 4-77 802.1x Port Authentication dot1x system-auth-control 4-78 dot1x default dot1x max-req 4-79 dot1x port-control dot1x operation-mode 4-80 dot1x re-authenticate dot1x re-authentication 4-81 dot1x timeout quiet-period dot1x timeout re-authperiod 4-82 dot1x timeout tx-period show dot1x 4-83 4-84 4-85 Access Control List Commands 4-86 IP ACLs access-list ip 4-87 permit, deny (Standard ACL) 4-88 permit, deny (Extended ACL) 4-89 4-90 show ip access-list ip access-group 4-91 show ip access-group map access-list ip 4-92 show map access-list ip 4-93 MAC ACLs access-list mac 4-94 permit, deny (MAC ACL) 4-95 show mac access-list mac access-group 4-96 show mac access-group map access-list mac 4-97 show map access-list mac 4-98 ACL Information show access-list show access-group 4-99 SNMP Commands snmp-server community 4-100 snmp-server contact snmp-server location 4-101 snmp-server host 4-102 snmp-server enable traps show snmp 4-103 4-104 Interface Commands interface 4-105 description speed-duplex 4-106 negotiation 4-107 capabilities 4-108 flowcontrol 4-109 shutdown 4-110 switchport broadcast packet-rate clear counters 4-111 show interfaces status 4-112 show interfaces counters 4-113 show interfaces switchport 4-114 Example This example shows the configuration setting for port 16. Table4-40. Inte rfaces Switchport Statistics Mirror Port Commands 4-115 Mirror Port Commands port monitor 4-116 show port monitor Rate Limit Commands 4-117 Rate Limit Commands rate-limit 4-118 rate-limit granularity show rate-limit 4-119 Link Aggregation Commands 4-120 channel-group 4-121 lacp 4-122 lacp system-priority 4-123 lacp admin-key (Ethernet Interface) 4-124 lacp admin-key (Port Channel) 4-125 lacp port-priority show lacp 4-126 4-127 Table4-45. show lacp internal - display description 4-128 Table4-46. sho w lacp neighbors - display description Address Table Commands 4-129 Address Table Commands Table4-47. sh ow lacp sysid - display description Table4-48. Addr ess Table Commands 4-130 mac-address-table static Address Table Commands 4-131 clear mac-address-table dynamic show mac-address-table 4-132 mac-address-table aging-time show mac-address-table aging-time 4-133 Spanning Tree Commands spanning-tree 4-134 spanning-tree mode 4-135 spanning-tree forward-time spanning-tree hello-time 4-136 spanning-tree max-age 4-137 spanning-tree priority spanning-tree pathcost method 4-138 spanning-tree transmission-limit spanning-tree cost 4-139 spanning-tree port-priority 4-140 spanning-tree edge-port 4-141 spanning-tree portfast spanning-tree link-type 4-142 spanning-tree protocol-migration 4-143 show spanning-tree 4-144 4-145 VLAN Commands Editing VLAN Groups vlan database 4-146 vlan 4-147 Configuring VLAN Interfaces interface vlan 4-148 switchport mode switchport acceptable-frame-types 4-149 switchport ingress-filtering 4-150 switchport native vlan 4-151 switchport allowed vlan 4-152 switchport forbidden vlan 4-153 Displaying VLAN Information show vlan 4-154 Configuring Private VLANs 4-155 private-vlan 4-156 private vlan association switchport mode private-vlan 4-157 switchport private-vlan host-association 4-158 switchport private-vlan ma pping show vlan private-vlan GVRP and Bridge Extension Commands 4-159 GVRP and Bridge Extension Commands bridge-ext gvrp 4-160 show bridge-ext switchport gvrp GVRP and Bridge Extension Commands 4-161 show gvrp configuration garp timer 4-162 show garp timer 4-163 Priority Commands Priority Commands (Layer 2) 4-164 queue mode queue bandwidth 4-165 switchport priority default 4-166 queue cos-map 4-167 show queue mode show queue bandwidth 4-168 show queue cos-map 4-169 Priority Commands (Layer 3 and 4) map ip port (Global Configuration) 4-170 map ip port (Interface Configuration) map ip precedence (Global Configuration) 4-171 map ip precedence (Interface Configuration) 4-172 map ip dscp (Global Configuration) map ip dscp (Interface Configuration) 4-173 show map ip port 4-174 show map ip precedence 4-175 show map ip dscp 4-176 Multicast Filtering Commands IGMP Snooping Commands 4-177 ip igmp snooping ip igmp snooping vlan static 4-178 ip igmp snooping version show ip igmp snooping 4-179 show mac-address-table multicast 4-180 IGMP Query Commands (Layer 2) ip igmp snooping querier ip igmp snooping query-count 4-181 ip igmp snooping query-interval 4-182 ip igmp snooping query-max-response-time ip igmp snooping router-port-expire-time 4-183 Static Multicast Routing Commands ip igmp snooping vlan mrouter 4-184 show ip igmp snooping mrouter 4-185 IP Interface Commands ip address 4-186 ip dhcp restart 4-187 ip default-gateway show ip interface 4-188 show ip redirects ping 4-189 Page A-1 Appendix A: Software Specifications Software Features Software Specifications A-2 A Management Features Standards Management Information Bases A-3 A Management Information Bases Page B-1 Appendix B: Troubleshooting Problems Accessing the Management Interface TableB-1. Troubleshooting Chart Troubleshooting B-2 B Using System Logs Glossary Page Page Page Page Page Index Index-1 Numerics A B Index-2 Index J L M Index-3 Index R S T U