Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4112F-ON » Manual Viewer

Dell PowerSwitch S4112F-ON OS10 Enterprise Edition User Guide Release 10.4.1.0 - Page 594

Control-plane ACL qualifiers, IP fragment handling, Control-plane ACL

View all Dell PowerSwitch S4112F-ON manuals

Add to My Manuals
Save this manual to your list of manuals

Page 594 highlights

To configure control-plane ACLs, use the existing ACL template and create the appropriate rules to permit or deny traffic as needed, similar to creating an access list for VTY ACLs. However, when you apply this control-plane ACL, you must apply it in CONTROL-PLANE mode instead of VTY mode. For example: OS10# configure terminal OS10(config)# control-plane OS10(config-control-plane)# ip access-group acl_name in where acl_name is the name of the control-plane ACL, a maximum of 140 characters. NOTE: Apply control-plane ACLs on ingress traffic only. Control-plane ACL qualifiers This section lists the control-plane ACL rule qualifiers. • IPv4 qualifiers: - DST_IP-Destination IP address - SRC_IP-Source IP address - IP_TYPE-IP type - IP_PROTOCOL-Protocols such as TCP, UDP, and so on - L4_DST_PORT-Destination port number NOTE: The destination port number qualifier supports only the eq option. Port range is not supported. • IPv6 qualifiers: - DST_IPv6-Destination address - SRC_IPv6-Source address - IP_TYPE-IP Type; for example, IPv4 or IPv6 - IP_PROTOCOL-TCP, UDP, and so on - L4_DST_PORT-Destination port NOTE: The destination port number qualifier supports only the eq option. Port range is not supported. • MAC qualifiers: - OUT_PORT-Egress CPU port - SRC_MAC-Source MAC address - DST_MAC-Destination MAC address - ETHER_TYPE-Ethertype - OUTER_VLAN_ID-VLAN ID - IP_TYPE-IP type - OUTER_VLAN_PRI-DOT1P value IP fragment handling OS10 supports a configurable option to explicitly deny IP fragmented packets, particularly for the second and subsequent packets. This option extends the existing ACL command syntax with the fragments keyword for all Layer 3 (L3) rules: • Second and subsequent fragments are allowed because you cannot apply a L3 rule to these fragments. If the packet is to be denied eventually, the first fragment must be denied and the packet as a whole cannot be reassembled. • The system applies implicit permit for the second and subsequent fragment prior to the implicit deny. • If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments. 594 Access Control Lists

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.1.0	3
Getting Started	22
Supported Hardware	22
Download OS10 image and license	23
Installation using ONIE	24
Automatic installation	25
Manual installation	26
Log into OS10	27
Install OS10 license	27
Zero-touch deployment	28
ZTD DHCP server configuration	30
ZTD provisioning script	31
ZTD CLI batch file	32
Post-ZTD script	32
ZTD commands	32
Remote access	34
Configure Management IP address	34
Management Route Configuration	35
Configure user name and password	35
Upgrade OS10	36
CLI Basics	36
User accounts	36
Key CLI features	37
CLI command modes	37
CLI command hierarchy	38
CLI command categories	38
CONFIGURATION Mode	38
Command help	38
Check device status	40
Candidate configuration	42
Change to transaction-based configuration	45
Copy running configuration	45
Restore startup configuration	46
Reload system image	46
Filter show commands	47
Alias command	47
Batch mode	51
Linux shell commands	52
SSH commands	52
OS9 environment commands	53
Common commands	53
alias	53
alias (multi-line)	55
batch	55
boot	56
commit	56
configure	56
copy	57
default (alias)	58
delete	58
description (alias)	59
dir	59
discard	60
do	60
feature config-os9-style	61
exit	61
license	61
line (alias)	62
lock	62
management route	63
move	63
no	64
reload	64
show alias	65
show boot	66
show candidate-configuration	66
show environment	68
show inventory	69
show ip management-route	69
show ipv6 management-route	70
show license status	70
show running-configuration	71
show startup-configuration	73
show system	74
show version	76
start	76
system	77
system identifier	77
terminal	77
traceroute	78
unlock	79
write	79
Interfaces	81
Ethernet interfaces	81
Unified port groups	81
L2 mode configuration	82
L3 mode configuration	83
Fibre Channel interfaces	83
Management interface	85
VLAN interfaces	85
User-configured default VLAN	86
VLAN scale profile	86
Loopback interfaces	87
Port-channel interfaces	87
Create port-channel	88
Add port member	88
Minimum links	89
Assign Port Channel IP Address	89
Remove or disable port-channel	89
Load balance traffic	90
Change hash algorithm	90
Configure interface ranges	90
Switch-port profiles	91
S4148-ON series port profiles	92
S4148U-ON port profiles	93
Configure breakout mode	94
Breakout auto-configuration	95
Forward error correction	96
Energy-efficient Ethernet	97
Enable energy-efficient Ethernet	97
Clear EEE counters	97
View EEE status/statistics	98
EEE commands	98
View interface configuration	101
Interface commands	104
channel-group	104
default vlan-id	105
description (Interface)	105
duplex	106
feature auto-breakout	106
fec	107
interface breakout	107
interface ethernet	108
interface loopback	108
interface mgmt	108
interface null	109
interface port-channel	109
interface range	110
interface vlan	110
link-bundle-utilization	111
mode	111
mode l3	112
mtu	112
port-group	113
scale-profile vlan	113
show discovered-expanders	114
show interface	114
show inventory media	115
show link-bundle-utilization	116
show port-channel summary	116
show port-group	117
show switch-operating-mode	118
show switch-port-profile	118
show unit-provision	118
show vlan	119
shutdown	119
speed (Fibre Channel)	119
speed (Management)	120
switch-port-profile	121
switchport access vlan	123
switchport mode	123
switchport trunk allowed vlan	124
unit-provision	124
Fibre Channel	125
Terminology	126
Virtual fabric	126
Fibre Channel zoning	129
F_Port on Ethernet	130
F_Port commands	131
fc alias	131
fc zone	131
fc zoneset	132
feature fc	132
member (alias)	132
member (zone)	133
member (zoneset)	133
show fc alias	134
show fc interface-area-id mapping	134
show fc ns switch	134
show fc zone	135
show fc zoneset	136
zone default-zone permit	137
zoneset activate	137
NPG commands	138
fc port-mode F	138
feature fc npg	138
show npg devices	139
F_Port and NPG commands	140
clear fc statistics	140
fcoe	140
name	141
show fc statistics	141
show fc switch	142
show running-config vfabric	142
show vfabric	143
vfabric	144
vfabric (interface)	144
vlan	144
FIP-snooping commands	145
feature fip-snooping	145
fip-snooping enable	145
fip-snooping fc-map	146
fip-snooping port-mode fcf	146
FCoE commands	146
clear fcoe database	146
clear fcoe statistics	147
fcoe max-sessions-per-enodemac	147
fcoe priority-bits	148
lldp tlv-select dcbxp-appln fcoe	148
show fcoe enode	148
show fcoe fcf	149
show fcoe sessions	149
show fcoe statistics	150
show fcoe system	150
show fcoe vlan	151
Layer 2	152
802.1X	152
Port authentication	153
EAP over RADIUS	154
Configure 802.1X	154
Enable 802.1X	155
Identity retransmissions	156
Failure quiet period	157
Port control mode	157
Reauthenticate port	158
Configure timeouts	159
802.1X commands	160
Link Aggregation Control Protocol	165
Modes	165
Configuration	165
Interfaces	166
Rates	166
Sample configuration	167
LACP fallback	170
LACP commands	173
Link Layer Discovery Protocol	180
Protocol data units	180
Optional TLVs	181
Organizationally-specific TLVs	182
Media endpoint discovery	183
Network connectivity device	183
LLDP-MED capabilities TLV	183
Network policies TLVs	184
Define network policies	185
Packet timer values	185
Disable and re-enable LLDP	186
Disable and re-enable LLDP on management ports	187
Advertise TLVs	187
Network policy advertisement	188
Fast start repeat count	188
View LLDP configuration	189
Adjacent agent advertisements	190
Time to live	191
LLDP commands	191
Media Access Control	203
Static MAC Address	203
MAC Address Table	204
Clear MAC Address Table	204
MAC Commands	205
Multiple Spanning-Tree Protocol	207
Configure MSTP	208
Create instances	208
Root selection	210
Non-Dell hardware	210
Region name or revision	210
Modify parameters	211
Interface parameters	212
Forward traffic	212
Spanning-tree extensions	213
MST commands	215
Rapid per-VLAN spanning-tree plus	224
Load balance and root selection	225
Enable RPVST+	225
Select root bridge	226
Root assignment	227
Loop guard	228
Global parameters	228
RPVST+ commands	229
Rapid Spanning-Tree Protocol	236
Enable globally	237
Global parameters	238
Interface parameters	239
Root bridge selection	240
EdgePort forward traffic	240
Spanning-tree extensions	241
RSTP commands	243
Virtual LANs	249
Default VLAN	249
Create or remove VLANs	249
Access mode	251
Trunk mode	251
Assign IP address	252
View VLAN configuration	253
VLAN commands	254
Port monitoring	255
Local port monitoring	256
Remote port monitoring	256
Encapsulated remote port monitoring	258
Flow-based monitoring	259
Remote port monitoring on VLT	260
Port monitoring commands	262
Layer 3	267
Virtual routing and forwarding	267
Configure management VRF	267
Configure non-default VRF instances	269
Sample VRF configuration	272
View VRF instance information	276
VRF commands	277
Bidirectional Forwarding Detection	282
BFD session states	283
BFD three-way handshake	284
BFD configuration	285
Configure BFD globally	285
BFD for BGP	286
BFD commands	290
Border Gateway Protocol	293
Sessions and peers	294
Route reflectors	295
Multiprotocol BGP	296
Attributes	296
Selection criteria	297
Weight and local preference	297
Multiexit discriminators	298
Origin	298
AS path and next-hop	299
Best path selection	299
More path support	300
Advertise cost	300
4-Byte AS numbers	301
AS number migration	301
Configure Border Gateway Protocol	302
Enable BGP	302
Configure Dual Stack	305
Peer templates	305
Neighbor fall-over	308
Configure password	310
Fast external fallover	311
Passive peering	313
Local AS	313
AS number limit	314
Redistribute routes	315
Additional paths	315
MED attributes	316
Local preference attribute	316
Weight attribute	317
Enable multipath	318
Route-map filters	318
Route reflector clusters	318
Aggregate routes	319
Confederations	320
Route dampening	321
Timers	322
Neighbor soft-reconfiguration	322
BGP commands	323
Equal cost multi-path	355
Load balancing	355
ECMP commands	356
IPv4 routing	358
Assign interface IP address	358
Configure static routing	359
Address Resolution Protocol	360
IPv4 routing commands	360
IPv6 routing	365
Enable or disable IPv6	365
IPv6 addresses	366
Stateless autoconfiguration	367
Neighbor Discovery	368
Duplicate address discovery	369
Static IPv6 routing	370
IPv6 destination unreachable	370
IPv6 hop-by-hop options	371
View IPv6 information	371
IPv6 commands	371
Internet Group Management Protocol	384
IGMP snooping	384
IGMP snooping commands	385
Multicast Listener Discovery Protocol	392
MLD snooping	393
MLD snooping commands	394
Open shortest path first	401
Autonomous system areas	401
Areas, networks, and neighbors	401
Router types	402
Designated and backup designated routers	403
Link-state advertisements	403
Router priority	404
Shortest path first throttling	405
OSPFv2	406
OSPFv3	437
Object tracking manager	457
Interface tracking	458
Host tracking	459
Set tracking delays	460
Object tracking	460
View tracked objects	460
OTM commands	461
Policy-based routing	464
Policy-based route-maps	464
Access-list to match route-map	464
Set address to match route-map	464
Assign route-map to interface	465
View PBR information	465
PBR commands	466
Virtual Router Redundancy Protocol	468
Configuration	469
Create virtual router	470
Group version	470
Virtual IP addresses	471
Configure virtual IP address	471
Set group priority	472
Authentication	473
Disable preempt	473
Advertisement interval	474
Interface/object tracking	475
Configure tracking	475
VRRP commands	476
UFT modes	482
Configure UFT modes	482
IPv6 extended prefix routes	483
UFT commands	484
hardware forwarding-table mode	484
hardware l3 ipv6-extended-prefix	484
show hardware forwarding-table mode	485
show hardware forwarding-table mode all	485
show hardware l3	485
System management	487
Dynamic Host Configuration Protocol	487
Packet format and options	487
DHCP server	489
Automatic address allocation	489
Hostname resolution	490
Manual binding entries	491
DHCP relay agent	492
View DHCP Information	493
System domain name and list	493
DHCP commands	494
DNS commands	500
IPv4 DHCP limitations	502
Network Time Protocol	503
Enable NTP	504
Broadcasts	504
Source IP address	505
Authentication	505
NTP commands	506
System clock	511
System Clock commands	511
System banners	513
Login banner	513
MOTD banner	513
System banner commands	514
User session management	515
User session management commands	515
Telnet server	516
Telnet commands	517
Security	518
User re-authentication	519
Password strength	519
Role-based access control	519
Assign user role	520
RADIUS authentication	520
TACACS+ authentication	521
TACACS+ unknown or missing user role	522
SSH server	522
Virtual terminal line	523
Enable AAA accounting	524
Enable user lockout	524
Limit concurrent login sessions	525
Enable login statistics	525
Security commands	526
Simple Network Management Protocol	543
SNMP commands	543
Uplink Failure Detection	546
Configure uplink failure detection	547
UFD commands	549
OS10 image upgrade	553
Boot system partition	554
Upgrade commands	555
OpenFlow	559
OpenFlow logical switch instance	560
OpenFlow controller	560
OpenFlow version 1.3	560
Ports	560
Flow table	561
Group table	561
Meter table	561
Instructions	561
Action set	562
Action types	562
Counters	563
OpenFlow protocol	564
OpenFlow use cases	578
Configure OpenFlow	578
Establish TLS connection	579
OpenFlow commands	580
controller	580
dpid-mac-address	581
in-band-mgmt	581
max-backoff	582
mode openflow-only	582
openflow	583
probe-interval	583
protocol-version	583
rate-limit packet_in	584
show openflow	585
show openflow flows	586
show openflow ports	586
show openflow switch	588
show openflow switch controllers	588
switch	589
OpenFlow-only mode commands	589

Match case Limit results 1 per page

conﬁgure

control-plane ACLs, use the existing ACL template and create the appropriate rules to permit or deny

traﬃc

as needed, similar

to creating an access list for VTY ACLs. However, when you apply this control-plane ACL, you must apply it in CONTROL-PLANE mode

instead of VTY mode. For example:

OS10# configure terminal

OS10(config)# control-plane

OS10(config-control-plane)# ip access-group

acl_name

where

acl_name

is the name of the control-plane ACL, a maximum of 140 characters.

NOTE:

Apply control-plane ACLs on ingress

traﬃc

only.

Control-plane ACL

qualiﬁers

This section lists the control-plane ACL rule

qualiﬁers.

•

IPv4

qualiﬁers:

–

DST_IP

—Destination IP address

–

SRC_IP

—Source IP address

–

IP_TYPE

—IP type

–

IP_PROTOCOL

—Protocols such as TCP, UDP, and so on

–

L4_DST_PORT

—Destination port number

NOTE:

The destination port number

qualiﬁer

supports only the

option. Port range is not supported.

•

IPv6

qualiﬁers:

–

DST_IPv6

—Destination address

–

SRC_IPv6

—Source address

–

IP_TYPE

—IP Type; for example, IPv4 or IPv6

–

IP_PROTOCOL

—TCP, UDP, and so on

–

L4_DST_PORT

—Destination port

NOTE:

The destination port number

qualiﬁer

supports only the

option. Port range is not supported.

•

MAC

qualiﬁers:

–

OUT_PORT

—Egress CPU port

–

SRC_MAC

—Source MAC address

–

DST_MAC

—Destination MAC address

–

ETHER_TYPE

—Ethertype

–

OUTER_VLAN_ID

—VLAN ID

–

IP_TYPE

—IP type

–

OUTER_VLAN_PRI

—DOT1P value

IP fragment handling

OS10 supports a

conﬁgurable

option to explicitly deny IP fragmented packets, particularly for the second and subsequent packets. This

option extends the existing ACL command syntax with the

fragments

keyword for all Layer 3 (L3) rules:

•

Second and subsequent fragments are allowed because you cannot apply a L3 rule to these fragments. If the packet is to be denied

eventually, the

ﬁrst

fragment must be denied and the packet as a whole cannot be reassembled.

•

The system applies implicit permit for the second and subsequent fragment prior to the implicit deny.

•

If you

conﬁgure

explicit

deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.

594

Access Control Lists