Home » Dell Manuals » Servers » Dell Force10 S2410-01-10GE-24P » Manual Viewer

Dell Force10 S2410-01-10GE-24P SFTOS Configuration Guide - Page 200

IP ACL Commands, Standard IP ACLs, Extended IP ACLs

View all Dell Force10 S2410-01-10GE-24P manuals

Add to My Manuals
Save this manual to your list of manuals

Page 200 highlights

www.dell.com | support.dell.com IP ACL Commands IP ACLs ensure that only authorized users have access to specific resources and block any unwarranted attempts to reach network resources. The following rules apply to IP ACLs: • SFTOS does not support IP ACL configuration for IP packet fragments. • The maximum number of ACLs you can create is 100, regardless of type. • The maximum number of rules per IP ACL is hardware dependent. • On S-Series systems, if you configure a MAC ACL (see MAC ACL Commands on page 198) on an interface, you cannot configure an IP ACL on the same interface. • Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for the network address, and has zeros (0's) for the bit positions that are not used. In contrast, a wildcard mask has (0's) in a bit position that must be checked. A '1' in a bit position of the ACL mask indicates the corresponding bit can be ignored. The access-list command creates an IP ACL that is identified by the parameter ACLnumber, rendered as 1-99 for a Standard IP ACL or 100-199 for an Extended IP ACL, as discussed next. Standard IP ACLs A Standard IP ACL uses a list number in the range of 1-99, matches source IP address, then takes the action of assigning the packet to a queue and/or redirecting the packet to a destination port. access-list 1-99 {deny | permit} {every | srcip srcmask} [log] [assign-queue queue-id] [{mirror | redirect} unit/slot/port] Extended IP ACLs An extended IP ACL uses a list number in the range of 100-199, matches protocol type, then matches source and/or destination ip address/port, additionally matches ip-precedence, tos, dscp, then takes the action of assigning the packet to a queue and/or redirecting the packet to a destination port. The command has the general form: access-list 100-199 {deny | permit} {every | icmp | igmp | ip | tcp | udp | protocol_number} {any | srcip srcmask} {any | eq {portkey | 0-65535}{any | dstip dstmask} [eq {portkey | 0-65535}] [precedence precedence | tos tos tosmask | dscp dscp] [log] [assign-queue queue-id] [{mirror | redirect} unit/slot/port] Figure 13-159. Using the access-list Command for an Extended IP ACL Rule Force10 (Config)#access-list 100 permit ip any eq 80 any assign-queue 2 redirect 1/0/40 Force10 (Config)# Note: In both versions of the access-list command, above, srcmask is an inverse mask. Note: You cannot edit a rule once it is created, you must delete the list and create one as desired. 200 | Access Control

Section	Page
New Features	3
Other Changes to the Document	3
About this Guide	15
Objectives	15
Audience	16
Introduction to the Guide	16
Conventions	16
Related Dell Force10 Documents and Additional Information	16
Contact Information	17
Documentation Feedback	17
Technical Support	17
The iSupport Website	17
Accessing iSupport Services	18
Contacting the Technical Assistance Center	18
SFTOS Features	19
Overview of SFTOS Features	19
Layer 2 Package Feature Details	20
Basic Routing and Switching Support	20
QoS	21
VLAN	21
Multicast Protocols	21
Security and Packet Control Features	21
Management	21
Stacking	22
Layer 3 Package Feature Details	22
Extended Routing and Switching Support	22
Routing Protocol Support	22
Multicast Protocols	23
Management	23
Load Balancing	24
Notable Differences between S-Series and E-Series	24
Port Naming Convention	26
Getting Started	27
Setting up a Management Connection to the Switch	28
Connecting to the Console Port	29
Command Line Interface (CLI) Overview	31
CLI Command Modes	31
Getting Help From the CLI	32
Controlling Pagination	32
Checking Status	32
Viewing the Software Version and Switch Numbers	32
Verifying Details about the Switch	32
Showing Network Settings	34
Displaying Supported Features and System Up-time	34
Displaying Statistics	36
User Management	36
Creating a User and Password	36
Showing and Removing Created Users	37
Setting SNMP Read/Write Access	37
Setting the Enable Password	38
Enabling Interfaces	38
Enabling Ports	38
Setting the Management IP Address	39
Enabling Telnet to the Switch	39
Configuring an Interface with an IP Address	40
Using the Show IP Interface Command	40
Setting up SNMP Management	41
Creating VLANS	41
Important Points to Remember — VLANs	41
Setting Up the Management VLAN	42
Creating a VLAN	42
Enabling Spanning Tree Protocol	42
Managing Configuration and Software Files	43
Important Points to Remember — Files	44
Downloading and Uploading Files	44
Points to Remember when Transferring Files	45
Downloading a Software Image	45
Using Xmodem to Download Software	46
Using TFTP to Download Software	47
Saving the Running Configuration	49
Installing System Software	50
Managing SFTOS Software with SFTOS Version 2.5.1	50
Managing the Configuration	56
Clearing the Running Configuration	57
Saving the Startup Configuration to the Network	57
Configuring from the Network	58
Restoring the System to the Factory Default Configuration	58
Resetting the Pre-configured System	59
Using Configuration Scripts	60
Creating a Configuration Script	60
Viewing a Configuration Script File	60
Uploading a Configuration Script to a TFTP Server	61
Deleting a Script	61
Downloading a Configuration Script from a TFTP Server	62
Troubleshooting a Downloaded Script	62
Applying a Configuration Script	63
Listing Configuration Scripts	64
Displaying Logs	65
Management	67
Creating the Management IP Address	67
Changing the Management VLAN from the Default	68
Verifying Access to a Management Port	69
Verifying Management Port Connectivity	69
Setting Stack Management Preferences	69
Setting the Host Name Prompt	70
Restoring the Configuration to Factory Defaults	70
Setting up SNMP Management	71
Managing SNMP Traps	73
router BGP config mode	74
Link Layer Discovery Protocol (LLDP)	75
Setting up Remote Network Monitoring (RMON)	75
Important Points to Remember	76
RMON Command Set	76
Configuring RMON Alarms	76
Example of configuring an RMON alarm	78
Setting the System Date and Time	78
Setting the System Date and Time Manually	78
SNTP Overview	79
CLI Examples of SNTP Setup	80
Example #1: Configuring SNTP client mode	80
Example #2: Configuring SNTP client port	80
Example #3: Configuring SNTP server	80
Example #4: show sntp client	80
Example #5: show sntp server	81
Gathering Details about the Switch	81
Stacking S-Series Switches	83
S-Series Stackability Features	83
Important Points to Remember	83
Stacking Commands Overview	85
Management Unit Selection Algorithm	85
Unit Number Assignment	86
Stack Management and Functionality	86
Adding a Switch to a Stack	89
Best Practices	89
Removing a Switch from a Stack	90
Setting Management Unit Preferences	91
Inspecting Management Preferences	93
Hardware Management Preference	93
Administrative Management Preference	94
Unsetting Management Preference	94
Management Preference and MAC Address	94
Upgrading Software in a Stack	94
Copying SFTOS Software to a Member Switch	95
Configuration example: Upgrading software on a new member switch	95
Using show Commands for Stacking Information	98
System Logs	101
Logging Commands	101
Configuring the System Log	102
Displaying the System Log	103
Interpreting system log messages	104
Using the Persistent Event Log	105
Displaying the SNMP Trap Log	106
Configuring Syslog Server Host Connections	107
Configure a syslog server	108
Configuring Interfaces	111
Interface Support in SFTOS	111
Viewing Interface Information	112
Viewing Layer 3 Interface Information	117
Configuring Physical Interfaces	117
Enabling an Interface	120
Configuring Speed and Duplex Mode	120
Configuring Layer 3 Mode	122
Clearing Interface Counters	122
Enabling Power over Ethernet Ports (PoE)	123
Bulk Configuration	126
Using Interface Range Mode	126
Bulk Configuration Examples	127
Configure a single range	127
Configure multiple ranges	127
DHCP	129
DHCP Commands	129
Protocol Overview	129
Configuring the Switch as a DHCP Server	130
Important Points to Remember	130
Configuration Task List	130
Configuring a DHCP address pool (required)	131
Excluding IP addresses (optional)	131
Enabling the SFTOS DHCP Server feature (required)	131
Verifying the DHCP Server Configuration	131
Using the Switch as a BootP/DHCP Relay Agent	132
DHCP Relay Agent Overview	132
Configuring the Switch as a DHCP Relay Agent	133
Verifying the DHCP Relay Agent Configuration	133
Configuration Example — DHCP Server and Relay Agent	133
Providing User Access Security	135
Choosing a TACACS+ Server and Authentication Method	135
Configuring TACACS+ Server Connection Options	137
Configuring a RADIUS Connection	138
Using the CLI to Configure Access through RADIUS	138
Enabling Secure Management with SSH	140
Enabling SSH	142
Spanning Tree	145
SFTOS STP Switching Features	145
Forwarding, Aging, and Learning	145
Spanning Tree Protocol (STP, IEEE 802.1D)	146
Basic STP (802.1D) CLI Management	146
Basic STP CLI Port Management	147
Rapid Spanning Tree Protocol (RSTP, IEEE 802.1w)	147
RSTP Implementation	147
Port Roles	147
Port States	148
Port Costs	148
BPDU Format	148
Convergence with RSTP	148
Multiple Spanning-Tree Protocol (MSTP, IEEE 802.1s)	148
Important Points to Remember	149
MST Regions	149
MST Interactions	149
MSTP Standards	149
MSTP CLI Management	150
Spanning Tree Configuration Tasks	150
Setting the STP Version Parameter	151
Enabling STP	152
Example of configuring STP	152
Influencing the Spanning Tree Topology	153
Example of influencing the spanning tree configuration	154
Changing Spanning Tree Global Parameters	155
Enabling an Edge Port	156
MSTP Configuration Example	156
Display Spanning Tree Configuration	157
Displaying STP, MSTP, and RSTP Operation	163
Link Aggregation	165
Link Aggregation—IEEE 802.3	165
LAG Load Distribution	166
LAG Implementation Restrictions	167
Link Aggregation—MIB Support	167
Static LAG Requirements	167
Link Aggregation Group (LAG) Commands	168
Privileged Exec and User Exec mode commands	168
Global Config mode commands	168
Interface Port Channel Config mode commands	168
Interface Config mode commands	170
Static LAG CLI Management	170
Configuring a LAG	170
LAG Configuration Examples	171
Basic LAG configuration example	172
Adding a LAG to a VLAN	173
Using the Interface Range mode	174
Link Aggregation Control Protocol (LACP)	174
LACP Configuration	175
LACP configuration example	175
Displaying LAGs (Port Channels)	176
Quality of Service	177
Using Differentiated Services (DiffServ)	177
Deploying DiffServ	180
Creating Class-maps/DiffServ Classes	180
Creating a Policy-Map	182
Applying Policies	183
Enabling Differentiated Services	184
Monitoring DiffServ	184
Using the show class-map Command	184
show class-map	185
Using the show diffserv Command	186
Using the “show policy-map” Command	187
Using the show service-policy Command	190
Configuring Differentiated Services by Department	191
Configuring Differentiated Services for Voice over IP	194
Access Control	197
SFTOS Support for Access Control Lists	197
Common ACL Commands	198
MAC ACL Commands	198
IP ACL Commands	200
Standard IP ACLs	200
Extended IP ACLs	200
Protecting the Management Interface with a Loopback ACL	201
Access Control List Configuration Example	202
Applying an IP ACL to the Loopback Interface	203
Restrictions on the usage of loopback interface ACL	204
Example of loopback interface configuration sequence	204
Enabling Broadcast Storm Control	205
VLANs	207
Introduction to VLAN Configuration	207
Important Points to Remember	208
Implementing VLANs	209
Forwarding Rules	209
Egress Rules	209
Exempt Frames	209
VLAN Mode Commands	210
Configuration Task List for VLANs	211
Creating a VLAN and Adding Ports	211
Example of creating a VLAN and assigning interfaces	212
Assign an interface to multiple VLANs	213
Clearing/Resetting a VLAN	214
Adding a LAG to a VLAN	215
Example of adding a LAG to a VLAN	216
Creating a Routed VLAN	217
Example of creating a routed VLAN on one switch	217
GARP and GVRP	218
GARP VLAN Registration Protocol (GVRP)	219
GARP Timers	219
GARP Commands	220
Using GVRP	220
Enabling Dynamic VLANs with GVRP	220
Example of Creating a Dynamic VLAN through GVRP	221
Displaying GARP, GVRP, GMRP Properties	222
show garp and show gvrp configuration all commands	222
Creating an IP Subnet-based VLAN	223
Configuring a Private Edge VLAN (PVLAN)	223
Configuring a Native VLAN	224
Example of configuring a native VLAN	227
Configuring a VLAN Tunnel (DVLAN or VLAN-Stack)	229
DVLAN Tagging Considerations	229
DVLAN Configuration Sequence	229
DVLAN configuration example	231
Displaying VLAN Information	233
IGMP Snooping	237
Enabling IGMP Snooping	237
Monitoring IGMP Snooping	238
Port Mirroring	241
Port Mirroring Features	241
Port Mirroring Commands	242
Port Mirroring Configuration Examples	242
Preparing to Configure Port Mirroring	242
Configuring the mirrored port and destination port	243
Starting a mirroring session	243
Stopping the mirroring session and removing probe and mirrored ports	244
Verifying Port Mirroring	244
Verifying port mirroring session status	244
Using other commands that show port mirroring status	245
Layer 3 Routing	247
Enabling Routing	248
Port Routing Configuration Example	250
IGMP Proxy	251
IGMP Proxy Configuration	252
IGMP Proxy configuration example	252
Verifying the configuration	254
RIP Configuration	255
RIP Configuration Example	256
OSPF Configuration	257
OSPF Configuration Examples	257
Configuring OSPF on an S-Series operating as an inter-area router	257
Configuring OSPF on an S-Series operating as a border router	260
VLAN Routing	262
VLAN IP Commands	262
VLAN Routing Configuration	263
Example of creating a routed VLAN between switches	263
VLAN Routing OSPF Configuration	264
VLAN Routing RIP Configuration	267
Link Aggregation	269
Link Aggregation Layer 3 Configuration	269
Virtual Router Redundancy Protocol	271
Configuring VRRP: Master Router (Router 1)	272
Configuring VRRP: Backup Router (Router 2)	273
Troubleshooting	275
Recovering from Flash File System Corruption	275
Recovering from a Software Upgrade Failure	276
Recovering from a Lost Password	277
Recovering from Switch Stack Problems	277
Preventing Auto-negotiation Mismatches	278
Monitoring SFPs	280
Monitoring 10 GE Interfaces	281
Monitoring CPU and Memory Utilization	281
Software Forwarding	281
Troubleshooting No Output on the Console	282
RFCs, MIBs, and Traps	285
IEEE Compliance	285
RFC Compliance	286
General Switching Protocols	286
IP Multicast (in Layer 3 Package only)	286
Management	287
OSPF (in Layer 3 Package only)	287
QoS	288
RIP (in Layer 3 Package only)	288
RMON	288
Routing (in Layer 3 Package only)	288
Security	289
SNMP-related RFCs	289
MIBs	290
Industry MIBs Supported by SFTOS	290
Force 10 MIBs	291
SNMP Traps	293

Match case Limit results 1 per page

200

Access Control

www.dell.com | support.dell.com

IP ACL Commands

IP ACLs ensure that only authorized users have access to specific resources and block any unwarranted

attempts to reach network resources.

The following rules apply to IP ACLs:

•

SFTOS does not support IP ACL configuration for IP packet fragments.

•

The maximum number of ACLs you can create is 100, regardless of type.

•

The maximum number of rules per IP ACL is hardware dependent.

•

On S-Series systems, if you configure a MAC ACL (see

MAC ACL Commands on page 198

) on an

interface, you cannot configure an IP ACL on the same interface.

•

Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence

the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are

used for the network address, and has zeros (0's) for the bit positions that are not used. In contrast, a

wildcard mask has (0’s) in a bit position that must be checked. A ‘1’ in a bit position of the ACL mask

indicates the corresponding bit can be ignored.

The

access-list

command creates an IP ACL that is identified by the parameter ACL

number

, rendered as

1-99

for a Standard IP ACL or

100-199

for an Extended IP ACL, as discussed next.

Standard IP ACLs

A Standard IP ACL uses a list number in the range of 1-99, matches source IP address, then takes the

action of assigning the packet to a queue and/or redirecting the packet to a destination port.

access-list

1-99

{

deny

permit

} {

every

srcip

srcmask

} [

log

] [

assign-queue

queue-id

] [{

mirror

redirect

}

unit/slot/port

]

Extended IP ACLs

An extended IP ACL uses a list number in the range of 100-199, matches protocol type, then matches

source and/or destination ip address/port, additionally matches ip-precedence, tos, dscp, then takes the

action of assigning the packet to a queue and/or redirecting the packet to a destination port. The command

has the general form:

access-list

100-199

{

deny

permit

} {

every

icmp

igmp

tcp

udp

protocol_number

} {

any

srcip

srcmask

} {

any

{

portkey

0-65535

}{

any

dstip

dstmask

} [

{

portkey

0-65535

}] [

precedence

tos

tosmask

dscp

] [

log

] [

assign-queue

queue-id

] [{

mirror

redirect

}

unit/slot/port

]

Figure 13-159.

Using the access-list Command for an Extended IP ACL Rule

Note:

In both versions of the access-list command, above,

srcmask

is an inverse mask.

Note:

You cannot edit a rule once it is created, you must delete the list and create one as desired.

Force10 (Config)#access-list 100 permit ip any eq 80 any assign-queue 2 redirect 1/0/40

Force10 (Config)#