Home » Dell Manuals » Hubs & Switches » Dell PowerSwitch S4128F-ON » Manual Viewer

Dell PowerSwitch S4128F-ON OS10 Enterprise Edition User Guide Release 10.4.1.0 - Page 593

MAC ACLs, Control-plane ACLs

View all Dell PowerSwitch S4128F-ON manuals

Add to My Manuals
Save this manual to your list of manuals

Page 593 highlights

• Source and destination UDP port number For ACL, TCP, and UDP filters, match criteria on specific TCP or UDP ports. For ACL TCP filters, you can also match criteria on established TCP sessions. When creating an ACL, the sequence of the filters is important. You can assign sequence numbers to the filters as you enter them or OS10 can assign numbers in the order you create the filters. The sequence numbers display in the show running-configuration and show ip access-lists [in | out] command output. Ingress and egress hot-lock ACLs allow you to append or delete new rules into an existing ACL without disrupting traffic flow. Existing entries in the CAM shuffle to accommodate the new entries. Hot-lock ACLs are enabled by default and support ACLs on all platforms. NOTE: Hot-lock ACLs support ingress ACLs only. MAC ACLs MAC ACLs filter traffic on the Layer 2 (L2) header of a packet. This traffic filtering is based on: Source MAC packet MAC address range-address mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches address all source addresses. Destination MAC packet address MAC address range-address-mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches all destination addresses. Packet protocol Set by its EtherType field contents and Assigned protocol number for all protocols. VLAN ID Set in the packet header Class of service Present in the packet header IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs, with a limit of one ACL per packet direction per ACL type. Control-plane ACLs OS10 offers control-plane ACLs to selectively restrict packets that are destined to the CPU port, thereby providing increased security. Control-plane ACLs offer: • An option to protect the CPU from denial of service (DoS) attacks. • Fine-grained control to allow or block traffic going to the CPU. Control-plane ACLs apply on the front-panel and management ports. Control-plane ACLs are one of the following types: • IP ACL • IPv6 ACL • MAC ACL There is no implicit deny rule. If none of the configured conditions match, the default behavior is to permit. If you need to deny traffic that does not match any of the configured conditions, explicitly configure a deny statement. The control-plane ACL is mutually exclusive with VTY ACL, the management ACL. VTY ACL provides secure access for session connection protocols, such as SSH or TELNET; however, control-plane ACLs permit or deny any TCP or UDP, including SSH and TELNET sessions, from specific hosts and networks, and also filters both IPv4 and IPv6 traffic. Configure control-plane ACL Access Control Lists 593

Section	Page
OS10 Enterprise Edition User Guide Release 10.4.1.0	3
Getting Started	22
Supported Hardware	22
Download OS10 image and license	23
Installation using ONIE	24
Automatic installation	25
Manual installation	26
Log into OS10	27
Install OS10 license	27
Zero-touch deployment	28
ZTD DHCP server configuration	30
ZTD provisioning script	31
ZTD CLI batch file	32
Post-ZTD script	32
ZTD commands	32
Remote access	34
Configure Management IP address	34
Management Route Configuration	35
Configure user name and password	35
Upgrade OS10	36
CLI Basics	36
User accounts	36
Key CLI features	37
CLI command modes	37
CLI command hierarchy	38
CLI command categories	38
CONFIGURATION Mode	38
Command help	38
Check device status	40
Candidate configuration	42
Change to transaction-based configuration	45
Copy running configuration	45
Restore startup configuration	46
Reload system image	46
Filter show commands	47
Alias command	47
Batch mode	51
Linux shell commands	52
SSH commands	52
OS9 environment commands	53
Common commands	53
alias	53
alias (multi-line)	55
batch	55
boot	56
commit	56
configure	56
copy	57
default (alias)	58
delete	58
description (alias)	59
dir	59
discard	60
do	60
feature config-os9-style	61
exit	61
license	61
line (alias)	62
lock	62
management route	63
move	63
no	64
reload	64
show alias	65
show boot	66
show candidate-configuration	66
show environment	68
show inventory	69
show ip management-route	69
show ipv6 management-route	70
show license status	70
show running-configuration	71
show startup-configuration	73
show system	74
show version	76
start	76
system	77
system identifier	77
terminal	77
traceroute	78
unlock	79
write	79
Interfaces	81
Ethernet interfaces	81
Unified port groups	81
L2 mode configuration	82
L3 mode configuration	83
Fibre Channel interfaces	83
Management interface	85
VLAN interfaces	85
User-configured default VLAN	86
VLAN scale profile	86
Loopback interfaces	87
Port-channel interfaces	87
Create port-channel	88
Add port member	88
Minimum links	89
Assign Port Channel IP Address	89
Remove or disable port-channel	89
Load balance traffic	90
Change hash algorithm	90
Configure interface ranges	90
Switch-port profiles	91
S4148-ON series port profiles	92
S4148U-ON port profiles	93
Configure breakout mode	94
Breakout auto-configuration	95
Forward error correction	96
Energy-efficient Ethernet	97
Enable energy-efficient Ethernet	97
Clear EEE counters	97
View EEE status/statistics	98
EEE commands	98
View interface configuration	101
Interface commands	104
channel-group	104
default vlan-id	105
description (Interface)	105
duplex	106
feature auto-breakout	106
fec	107
interface breakout	107
interface ethernet	108
interface loopback	108
interface mgmt	108
interface null	109
interface port-channel	109
interface range	110
interface vlan	110
link-bundle-utilization	111
mode	111
mode l3	112
mtu	112
port-group	113
scale-profile vlan	113
show discovered-expanders	114
show interface	114
show inventory media	115
show link-bundle-utilization	116
show port-channel summary	116
show port-group	117
show switch-operating-mode	118
show switch-port-profile	118
show unit-provision	118
show vlan	119
shutdown	119
speed (Fibre Channel)	119
speed (Management)	120
switch-port-profile	121
switchport access vlan	123
switchport mode	123
switchport trunk allowed vlan	124
unit-provision	124
Fibre Channel	125
Terminology	126
Virtual fabric	126
Fibre Channel zoning	129
F_Port on Ethernet	130
F_Port commands	131
fc alias	131
fc zone	131
fc zoneset	132
feature fc	132
member (alias)	132
member (zone)	133
member (zoneset)	133
show fc alias	134
show fc interface-area-id mapping	134
show fc ns switch	134
show fc zone	135
show fc zoneset	136
zone default-zone permit	137
zoneset activate	137
NPG commands	138
fc port-mode F	138
feature fc npg	138
show npg devices	139
F_Port and NPG commands	140
clear fc statistics	140
fcoe	140
name	141
show fc statistics	141
show fc switch	142
show running-config vfabric	142
show vfabric	143
vfabric	144
vfabric (interface)	144
vlan	144
FIP-snooping commands	145
feature fip-snooping	145
fip-snooping enable	145
fip-snooping fc-map	146
fip-snooping port-mode fcf	146
FCoE commands	146
clear fcoe database	146
clear fcoe statistics	147
fcoe max-sessions-per-enodemac	147
fcoe priority-bits	148
lldp tlv-select dcbxp-appln fcoe	148
show fcoe enode	148
show fcoe fcf	149
show fcoe sessions	149
show fcoe statistics	150
show fcoe system	150
show fcoe vlan	151
Layer 2	152
802.1X	152
Port authentication	153
EAP over RADIUS	154
Configure 802.1X	154
Enable 802.1X	155
Identity retransmissions	156
Failure quiet period	157
Port control mode	157
Reauthenticate port	158
Configure timeouts	159
802.1X commands	160
Link Aggregation Control Protocol	165
Modes	165
Configuration	165
Interfaces	166
Rates	166
Sample configuration	167
LACP fallback	170
LACP commands	173
Link Layer Discovery Protocol	180
Protocol data units	180
Optional TLVs	181
Organizationally-specific TLVs	182
Media endpoint discovery	183
Network connectivity device	183
LLDP-MED capabilities TLV	183
Network policies TLVs	184
Define network policies	185
Packet timer values	185
Disable and re-enable LLDP	186
Disable and re-enable LLDP on management ports	187
Advertise TLVs	187
Network policy advertisement	188
Fast start repeat count	188
View LLDP configuration	189
Adjacent agent advertisements	190
Time to live	191
LLDP commands	191
Media Access Control	203
Static MAC Address	203
MAC Address Table	204
Clear MAC Address Table	204
MAC Commands	205
Multiple Spanning-Tree Protocol	207
Configure MSTP	208
Create instances	208
Root selection	210
Non-Dell hardware	210
Region name or revision	210
Modify parameters	211
Interface parameters	212
Forward traffic	212
Spanning-tree extensions	213
MST commands	215
Rapid per-VLAN spanning-tree plus	224
Load balance and root selection	225
Enable RPVST+	225
Select root bridge	226
Root assignment	227
Loop guard	228
Global parameters	228
RPVST+ commands	229
Rapid Spanning-Tree Protocol	236
Enable globally	237
Global parameters	238
Interface parameters	239
Root bridge selection	240
EdgePort forward traffic	240
Spanning-tree extensions	241
RSTP commands	243
Virtual LANs	249
Default VLAN	249
Create or remove VLANs	249
Access mode	251
Trunk mode	251
Assign IP address	252
View VLAN configuration	253
VLAN commands	254
Port monitoring	255
Local port monitoring	256
Remote port monitoring	256
Encapsulated remote port monitoring	258
Flow-based monitoring	259
Remote port monitoring on VLT	260
Port monitoring commands	262
Layer 3	267
Virtual routing and forwarding	267
Configure management VRF	267
Configure non-default VRF instances	269
Sample VRF configuration	272
View VRF instance information	276
VRF commands	277
Bidirectional Forwarding Detection	282
BFD session states	283
BFD three-way handshake	284
BFD configuration	285
Configure BFD globally	285
BFD for BGP	286
BFD commands	290
Border Gateway Protocol	293
Sessions and peers	294
Route reflectors	295
Multiprotocol BGP	296
Attributes	296
Selection criteria	297
Weight and local preference	297
Multiexit discriminators	298
Origin	298
AS path and next-hop	299
Best path selection	299
More path support	300
Advertise cost	300
4-Byte AS numbers	301
AS number migration	301
Configure Border Gateway Protocol	302
Enable BGP	302
Configure Dual Stack	305
Peer templates	305
Neighbor fall-over	308
Configure password	310
Fast external fallover	311
Passive peering	313
Local AS	313
AS number limit	314
Redistribute routes	315
Additional paths	315
MED attributes	316
Local preference attribute	316
Weight attribute	317
Enable multipath	318
Route-map filters	318
Route reflector clusters	318
Aggregate routes	319
Confederations	320
Route dampening	321
Timers	322
Neighbor soft-reconfiguration	322
BGP commands	323
Equal cost multi-path	355
Load balancing	355
ECMP commands	356
IPv4 routing	358
Assign interface IP address	358
Configure static routing	359
Address Resolution Protocol	360
IPv4 routing commands	360
IPv6 routing	365
Enable or disable IPv6	365
IPv6 addresses	366
Stateless autoconfiguration	367
Neighbor Discovery	368
Duplicate address discovery	369
Static IPv6 routing	370
IPv6 destination unreachable	370
IPv6 hop-by-hop options	371
View IPv6 information	371
IPv6 commands	371
Internet Group Management Protocol	384
IGMP snooping	384
IGMP snooping commands	385
Multicast Listener Discovery Protocol	392
MLD snooping	393
MLD snooping commands	394
Open shortest path first	401
Autonomous system areas	401
Areas, networks, and neighbors	401
Router types	402
Designated and backup designated routers	403
Link-state advertisements	403
Router priority	404
Shortest path first throttling	405
OSPFv2	406
OSPFv3	437
Object tracking manager	457
Interface tracking	458
Host tracking	459
Set tracking delays	460
Object tracking	460
View tracked objects	460
OTM commands	461
Policy-based routing	464
Policy-based route-maps	464
Access-list to match route-map	464
Set address to match route-map	464
Assign route-map to interface	465
View PBR information	465
PBR commands	466
Virtual Router Redundancy Protocol	468
Configuration	469
Create virtual router	470
Group version	470
Virtual IP addresses	471
Configure virtual IP address	471
Set group priority	472
Authentication	473
Disable preempt	473
Advertisement interval	474
Interface/object tracking	475
Configure tracking	475
VRRP commands	476
UFT modes	482
Configure UFT modes	482
IPv6 extended prefix routes	483
UFT commands	484
hardware forwarding-table mode	484
hardware l3 ipv6-extended-prefix	484
show hardware forwarding-table mode	485
show hardware forwarding-table mode all	485
show hardware l3	485
System management	487
Dynamic Host Configuration Protocol	487
Packet format and options	487
DHCP server	489
Automatic address allocation	489
Hostname resolution	490
Manual binding entries	491
DHCP relay agent	492
View DHCP Information	493
System domain name and list	493
DHCP commands	494
DNS commands	500
IPv4 DHCP limitations	502
Network Time Protocol	503
Enable NTP	504
Broadcasts	504
Source IP address	505
Authentication	505
NTP commands	506
System clock	511
System Clock commands	511
System banners	513
Login banner	513
MOTD banner	513
System banner commands	514
User session management	515
User session management commands	515
Telnet server	516
Telnet commands	517
Security	518
User re-authentication	519
Password strength	519
Role-based access control	519
Assign user role	520
RADIUS authentication	520
TACACS+ authentication	521
TACACS+ unknown or missing user role	522
SSH server	522
Virtual terminal line	523
Enable AAA accounting	524
Enable user lockout	524
Limit concurrent login sessions	525
Enable login statistics	525
Security commands	526
Simple Network Management Protocol	543
SNMP commands	543
Uplink Failure Detection	546
Configure uplink failure detection	547
UFD commands	549
OS10 image upgrade	553
Boot system partition	554
Upgrade commands	555
OpenFlow	559
OpenFlow logical switch instance	560
OpenFlow controller	560
OpenFlow version 1.3	560
Ports	560
Flow table	561
Group table	561
Meter table	561
Instructions	561
Action set	562
Action types	562
Counters	563
OpenFlow protocol	564
OpenFlow use cases	578
Configure OpenFlow	578
Establish TLS connection	579
OpenFlow commands	580
controller	580
dpid-mac-address	581
in-band-mgmt	581
max-backoff	582
mode openflow-only	582
openflow	583
probe-interval	583
protocol-version	583
rate-limit packet_in	584
show openflow	585
show openflow flows	586
show openflow ports	586
show openflow switch	588
show openflow switch controllers	588
switch	589
OpenFlow-only mode commands	589

Match case Limit results 1 per page

•

Source and destination UDP port number

For ACL, TCP, and UDP

ﬁlters,

match criteria on

speciﬁc

TCP or UDP ports. For ACL TCP

ﬁlters,

you can also match criteria on established

TCP sessions.

When creating an ACL, the sequence of the

ﬁlters

is important. You can assign sequence numbers to the

ﬁlters

as you enter them or OS10

can assign numbers in the order you create the

ﬁlters.

The sequence numbers display in the

show running-configuration

and

show ip access-lists [in | out]

command output.

Ingress and egress hot-lock ACLs allow you to append or delete new rules into an existing ACL without disrupting

traﬃc

ﬂow.

Existing

entries in the CAM

shuﬄe

to accommodate the new entries. Hot-lock ACLs are enabled by default and support ACLs on all platforms.

NOTE:

Hot-lock ACLs support ingress ACLs only.

MAC ACLs

ﬁlter

traﬃc

on the Layer 2 (L2) header of a packet. This

traﬃc

ﬁltering

is based on:

Source MAC packet

address

MAC address range—address mask in 3x4 dotted hexadecimal notation, and

any

to denote that the rule matches

all source addresses.

Destination MAC

packet address

MAC address range—address-mask in 3x4 dotted hexadecimal notation, and

any

to denote that the rule matches

all destination addresses.

Packet protocol

Set by its

EtherType

ﬁeld

contents and Assigned protocol number for all protocols.

VLAN ID

Set in the packet header

Class of service

Present in the packet header

IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs, with a limit of

one ACL per packet direction per ACL type.

Control-plane ACLs

OS10

oﬀers

control-plane ACLs to selectively restrict packets that are destined to the CPU port, thereby providing increased security.

Control-plane ACLs

oﬀer:

•

An option to protect the CPU from denial of service (DoS) attacks.

•

Fine-grained control to allow or block

traﬃc

going to the CPU.

Control-plane ACLs apply on the front-panel and management ports. Control-plane ACLs are one of the following types:

•

IP ACL

•

IPv6 ACL

•

MAC ACL

There is no implicit deny rule. If none of the

conﬁgured

conditions match, the default behavior is to permit. If you need to deny

traﬃc

that

does not match any of the

conﬁgured

conditions, explicitly

conﬁgure

a deny statement.

The control-plane ACL is mutually exclusive with VTY ACL, the management ACL. VTY ACL provides secure access for session connection

protocols, such as SSH or TELNET; however, control-plane ACLs permit or deny any TCP or UDP, including SSH and TELNET sessions,

from

speciﬁc

hosts and networks, and also

ﬁlters

both IPv4 and IPv6

traﬃc.

Conﬁgure

control-plane ACL

Access Control Lists

593