Home » Dell Manuals » Hubs & Switches » Dell S5148F-ON » Manual Viewer

Dell S5148F-ON OS10 Enterprise Edition User Guide Release 10.3.2E-R2 - Page 373

MAC ACLs, IP fragment handling, IP fragments ACL

Add to My Manuals
Save this manual to your list of manuals

Page 373 highlights

• Source and destination TCP port number • Source and destination UDP port number For ACL, TCP, and UDP filters, match criteria on specific TCP or UDP ports. For ACL TCP filters, you can also match criteria on established TCP sessions. When creating an ACL, the sequence of the filters is important. You can assign sequence numbers to the filters as you enter them or OS10 can assign numbers in the order you create the filters. The sequence numbers display in the show running-configuration and show ip access-lists [in | out] command output. Ingress and egress hot-lock ACLs allow you to append or delete new rules into an existing ACL without disrupting traffic flow. Existing entries in the CAM shuffle to accommodate the new entries. Hot-lock ACLs are enabled by default and support ACLs on all platforms. NOTE: Hot-lock ACLs support ingress ACLs only. MAC ACLs MAC ACLs filter traffic on the Layer 2 (L2) header of a packet. This traffic filtering is based on: Source MAC packet MAC address range-address mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches address all source addresses. Destination MAC packet address MAC address range-address-mask in 3x4 dotted hexadecimal notation, and any to denote that the rule matches all destination addresses. Packet protocol Set by its EtherType field contents and Assigned protocol number for all protocols. VLAN ID Set in the packet header Class of service Present in the packet header IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs, with a limit of one ACL per packet direction per ACL type. IP fragment handling OS10 supports a configurable option to explicitly deny IP fragmented packets, particularly for the second and subsequent packets. This option extends the existing ACL command syntax with the fragments keyword for all Layer 3 (L3) rules: • Second and subsequent fragments are allowed because you cannot apply a L3 rule to these fragments. If the packet is to be denied eventually, the first fragment must be denied and the packet as a whole cannot be reassembled. • The system applies implicit permit for the second and subsequent fragment prior to the implicit deny. • If you configure an explicit deny, the second and subsequent fragments do not hit the implicit permit rule for fragments. IP fragments ACL When a packet exceeds the maximum packet size, the packet is fragmented into a number of smaller packets that contain portions of the contents of the original packet. This packet flow begins with an initial packet that contains all of the Layer 3 (L3) and Layer 4 (L4) header information contained in the original packet, and is followed by a number of packets that contain only the L3 header information. This packet flow contains all of the information from the original packet distributed through packets that are small enough to avoid the maximum packet size limit. This provides a particular problem for ACL processing. If the ACL filters based on L4 information, the non-initial packets within the fragmented packet flow will not match the L4 information, even if the original packet would have matched the filter. Because of this filtering, packets are not processed by the ACL. Access Control Lists 373

Section	Page
OS10 Enterprise Edition User Guide Release 10.3.2E(R2)	3
Getting Started	18
Download OS10 image and license	18
Installation	20
Automatic installation	21
Manual installation	21
Log into OS10	22
Install OS10 license	22
Remote access	23
Configure Management IP address	24
Management Route Configuration	24
Configure user name and password	25
Upgrade OS10	25
CLI Basics	25
User accounts	25
Key CLI features	26
CLI command modes	26
CLI command hierarchy	26
CLI command categories	27
CONFIGURATION Mode	27
Command help	27
Check device status	29
Candidate configuration	31
Change to transaction-based configuration	34
Back up or restore configuration	34
Reload system image	35
Filter show commands	35
Alias command	36
Batch mode commands	38
Linux shell commands	38
SSH commands	39
OS9 environment commands	39
Common commands	40
alias	40
batch	41
boot	42
commit	42
configure	42
copy	43
delete	44
dir	44
discard	45
do	45
feature config-os9-style	46
exit	46
license	47
lock	47
management route	48
move	48
no	49
reload	49
show alias	49
show boot	50
show candidate-configuration	51
show environment	53
show inventory	54
show ip management-route	54
show ipv6 management-route	55
show license status	55
show running-configuration	56
show startup-configuration	58
show system	59
show version	61
start	62
system	62
system identifier	62
terminal	63
traceroute	63
unlock	64
write	65
Interfaces	66
Ethernet interfaces	66
L2 mode configuration	66
L3 mode configuration	67
Management interface	67
VLAN interfaces	68
Loopback interfaces	68
Port-channel interfaces	69
Create port-channel	69
Add port member	69
Minimum links	70
Assign Port Channel IP Address	70
Remove or disable port-channel	71
Load balance traffic	71
Change hash algorithm	72
Configure interface ranges	72
Forward error correction	73
View interface configuration	74
Interface commands	75
channel-group	75
description (Interface)	76
duplex	76
fec	77
interface breakout	77
interface ethernet	78
interface loopback	78
interface mgmt	79
interface null	79
interface port-channel	79
interface range	80
interface vlan	80
link-bundle-utilization	81
mgmt	81
mtu	81
show interface	82
show link-bundle-utilization	83
show port-channel summary	84
show vlan	84
shutdown	85
speed (Management)	85
switchport access vlan	86
switchport mode	86
switchport trunk allowed vlan	87
Layer 2	88
802.1X	88
Port authentication	89
EAP over RADIUS	90
Configure 802.1X	90
Enable 802.1X	91
Identity retransmissions	92
Failure quiet period	93
Port control mode	93
Reauthenticate port	94
Configure timeouts	95
802.1X commands	96
Link aggregation control protocol	101
Modes	101
Configuration	101
Interfaces	102
Rates	102
Sample configuration	103
LACP commands	106
Link layer discovery protocol	112
Protocol data units	112
Optional TLVs	113
Organizationally-specific TLVs	114
Media endpoint discovery	115
Network connectivity device	115
LLDP-MED capabilities TLV	115
Network policies TLVs	116
Define network policies	117
Packet timer values	117
Disable and re-enable LLDP	118
Advertise TLVs	119
Network policy advertisement	119
Fast start repeat count	120
View LLDP configuration	120
Adjacent agent advertisements	121
Time to live	122
LLDP commands	123
Media Access Control	134
Static MAC Address	135
MAC Address Table	135
Clear MAC Address Table	135
MAC Commands	136
Multiple spanning-tree protocol	138
Configure MST protocol	139
Create instances	140
Root selection	141
Non-Dell hardware	142
Region name or revision	142
Modify parameters	142
Interface parameters	143
Forward traffic	144
Spanning-tree extensions	144
MST commands	146
Rapid per-VLAN spanning-tree plus	154
Load balance and root selection	155
Enable RPVST+	156
Select root bridge	156
Root assignment	158
Loop guard	158
Global parameters	159
RPVST+ commands	159
Rapid spanning-tree protocol	166
Enable globally	166
Global parameters	167
Interface parameters	168
Root bridge selection	169
EdgePort forward traffic	170
Spanning-tree extensions	170
RSTP commands	172
Virtual LANs	177
Default VLAN	178
Create or remove VLANs	178
Access mode	179
Trunk mode	180
Assign IP address	181
View VLAN configuration	182
VLAN commands	183
Port monitoring	184
Local port monitoring	184
Remote port monitoring	185
Port monitoring commands	187
Layer 3	190
Border gateway protocol	190
Sessions and peers	191
Route reflectors	192
Multiprotocol BGP	193
Attributes	193
Selection criteria	193
Weight and local preference	194
Multiexit discriminators	195
Origin	195
AS path and next-hop	196
Best path selection	196
More path support	197
Advertise cost	197
4-Byte AS numbers	198
AS number migration	198
Configure border gateway protocol	199
Enable BGP	199
Configure Dual Stack	201
Peer templates	201
Neighbor fall-over	203
Fast external fallover	204
Passive peering	206
Local AS	206
AS number limit	207
Redistribute routes	208
Additional paths	208
MED attributes	209
Local preference attribute	209
Weight attribute	210
Enable multipath	211
Route-map filters	211
Route reflector clusters	211
Aggregate routes	212
Confederations	213
Route dampening	214
Timers	215
Neighbor soft-reconfiguration	215
BGP commands	216
Equal cost multi-path	241
Load balancing	241
ECMP commands	241
IPv4 routing	244
Assign interface IP address	244
Configure static routing	245
Address resolution protocol	246
IPv4 routing commands	246
IPv6 routing	250
Stateless autoconfiguration	250
IPv6 addresses	251
Static IPv6 routing	252
View IPv6 information	253
IPv6 commands	253
Open shortest path first	256
Autonomous system areas	257
Areas, networks, and neighbors	257
Router types	258
Designated and backup designated routers	259
Link-state advertisements	259
Router priority	260
OSPFv2	261
OSPFv3	291
Object tracking manager	303
Interface tracking	304
Host tracking	305
Set tracking delays	306
Object tracking	306
View tracked objects	306
OTM commands	307
Policy-based routing	310
Policy-based route-maps	310
Access-list to match route-map	310
Set address to match route-map	310
Assign route-map to interface	311
View PBR information	311
PBR commands	312
Virtual router redundancy protocol	314
Configuration	315
Create virtual router	316
Group version	316
Virtual IP addresses	317
Configure virtual IP address	317
Set group priority	318
Authentication	319
Disable preempt	319
Advertisement interval	320
Interface/object tracking	321
Configure tracking	321
VRRP commands	322
System management	328
Dynamic host configuration protocol	328
Packet format and options	328
Configure Server	329
Automatic address allocation	330
Hostname resolution	331
Manual binding entries	332
View DHCP Information	333
System domain name and list	333
DHCP commands	334
DNS commands	339
Network time protocol	341
Enable NTP	341
Broadcasts	342
Source IP address	342
Authentication	343
NTP commands	344
System clock	348
System Clock commands	348
User session management	349
User session management commands	350
Telnet server	351
Telnet commands	351
Security	352
Role-based access control	352
RADIUS authentication	353
RADIUS server settings	353
System-defined user roles	354
Assign user role	354
SSH Server	355
Security commands	355
Simple network management protocol	363
SNMP commands	363
OS10 image upgrade	365
Boot system partition	366
Upgrade commands	366
Access Control Lists	372
IP ACLs	372
MAC ACLs	373
IP fragment handling	373
IP fragments ACL	373
L3 ACL rules	374
Permit ACL with L3 information only	374
Deny ACL with L3 information only	374
Permit all packets from host	374
Permit only first fragments and non-fragmented packets from host	374
Assign sequence number to filter	375
User-provided sequence number	375
Auto-generated sequence number	375
L2 and L3 ACLs	375
Assign and apply ACL filters	376
Ingress ACL filters	377
Egress ACL filters	377
Clear access-list counters	378
IP prefix-lists	378
Route-maps	379
Match routes	380
Set conditions	380
continue Clause	381
ACL flow-based monitoring	381
Flow-based mirroring	381
Enable flow-based monitoring	382
ACL commands	383
clear ip access-list counters	383
clear ipv6 access-list counters	383
clear mac access-list counters	384
deny	384
deny (IPv6)	385
deny (MAC)	385
deny icmp	386
deny icmp (IPv6)	386
deny ip	387
deny ipv6	387
deny tcp	388
deny tcp (IPv6)	389
deny udp	389
deny udp (IPv6)	390
description	391
ip access-group	391
ip access-list	392
ip as-path deny	392
ip as-path permit	392
ip community-list standard deny	393
ip community–list standard permit	393
ip extcommunity-list standard deny	394
ip extcommunity-list standard permit	394
ip prefix-list description	395
ip prefix-list deny	395
ip prefix-list permit	395
ip prefix-list seq deny	396
ip prefix-list seq permit	396
ipv6 access-group	397
ipv6 access-list	397
ipv6 prefix-list deny	398
ipv6 prefix-list description	398
ipv6 prefix-list permit	398
ipv6 prefix-list seq deny	399
ipv6 prefix-list seq permit	399
mac access-group	400
mac access-list	400
permit	400
permit (IPv6)	401
permit (MAC)	402
permit icmp	402
permit icmp (IPv6)	403
permit ip	403
permit ipv6	404
permit tcp	404
permit tcp (IPv6)	405
permit udp	406
permit udp (IPv6)	406
remark	407
seq deny	408
seq deny (IPv6)	408
seq deny (MAC)	409
seq deny icmp	410
seq deny icmp (IPv6)	410
seq deny ip	411
seq deny ipv6	411
seq deny tcp	412
seq deny tcp (IPv6)	413
seq deny udp	414
seq deny udp (IPv6)	415
seq permit	416
seq permit (IPv6)	416
seq permit (MAC)	417
seq permit icmp	417
seq permit icmp (IPv6)	418
seq permit ip	419
seq permit ipv6	419
seq permit tcp	420
seq permit tcp (IPv6)	421
seq permit udp	422
seq permit udp (IPv6)	423
show access-group	423
show access-lists	424
show ip as-path-access-list	425
show ip community-list	426
show ip extcommunity-list	426
show ip prefix-list	426
Route-map commands	427
continue	427
match as-path	427
match community	428
match extcommunity	428
match interface	428
match ip address	429
match ip next-hop	429
match ipv6 address	430
match ipv6 next-hop	430
match metric	430
match origin	431
match route-type	431
match tag	432
route-map	432
set comm-list delete	432
set community	433
set extcomm-list delete	433
set extcommunity	434
set local-preference	434
set metric	434
set metric-type	435
set next-hop	436
set origin	436
set tag	436
set weight	437
show route-map	437
Quality of service	438
Configure quality of service	438
Class-map configuration	440
Policy-map configuration	440
Interface policy-map	441
Control-plane policy-map	442
System policy-map	442
Ingress traffic classification	442
Queue selection	443
Strict priority queuing	444
Class of service or dot1p classification	445
DSCP classification	446
MAC address classification	446
VLAN classification	447
IP access-group classification	448
IP precedence classification	448
Mark traffic	449
Class of service marking	449
DSCP marking	450
Group marking	450
Traffic metering	451
Bandwidth allocation	451
Service-policy rate-shaping	452
Policy-based rate-policing	453
Storm control	454
Control-plane policing	454
Configure control-plane policing	455
Assign service-policy	456
View configuration	456
Queue management	457
Verify configuration	458
Egress queue statistics	459
QoS commands	459
bandwidth	460
class	460
class-map	460
clear interface	461
clear qos statistics	461
clear qos statistics type	462
control-plane	462
flowcontrol	463
match	463
match cos	464
match dscp	464
match precedence	465
match queue	465
match vlan	465
pause	466
police	467
policy-map	467

Match case Limit results 1 per page

•

Source and destination TCP port number

•

Source and destination UDP port number

For ACL, TCP, and UDP

ﬁlters,

match criteria on

speciﬁc

TCP or UDP ports. For ACL TCP

ﬁlters,

you can also match criteria on established

TCP sessions.

When creating an ACL, the sequence of the

ﬁlters

is important. You can assign sequence numbers to the

ﬁlters

as you enter them or OS10

can assign numbers in the order you create the

ﬁlters.

The sequence numbers display in the

show running-configuration

and

show ip access-lists [in | out]

command output.

Ingress and egress hot-lock ACLs allow you to append or delete new rules into an existing ACL without disrupting

traﬃc

ﬂow.

Existing

entries in the CAM

shuﬄe

to accommodate the new entries. Hot-lock ACLs are enabled by default and support ACLs on all platforms.

NOTE:

Hot-lock ACLs support ingress ACLs only.

MAC ACLs

ﬁlter

traﬃc

on the Layer 2 (L2) header of a packet. This

traﬃc

ﬁltering

is based on:

Source MAC packet

address

MAC address range—address mask in 3x4 dotted hexadecimal notation, and

any

to denote that the rule matches

all source addresses.

Destination MAC

packet address

MAC address range—address-mask in 3x4 dotted hexadecimal notation, and

any

to denote that the rule matches

all destination addresses.

Packet protocol

Set by its

EtherType

ﬁeld

contents and Assigned protocol number for all protocols.

VLAN ID

Set in the packet header

Class of service

Present in the packet header

IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs, with a limit of

one ACL per packet direction per ACL type.

IP fragment handling

OS10 supports a

conﬁgurable

option to explicitly deny IP fragmented packets, particularly for the second and subsequent packets. This

option extends the existing ACL command syntax with the

fragments

keyword for all Layer 3 (L3) rules:

•

Second and subsequent fragments are allowed because you cannot apply a L3 rule to these fragments. If the packet is to be denied

eventually, the

ﬁrst

fragment must be denied and the packet as a whole cannot be reassembled.

•

The system applies implicit permit for the second and subsequent fragment prior to the implicit deny.

•

If you

conﬁgure

explicit

deny, the second and subsequent fragments do not hit the implicit permit rule for fragments.

IP fragments ACL

When a packet exceeds the maximum packet size, the packet is fragmented into a number of smaller packets that contain portions of the

contents of the original packet. This packet

ﬂow

begins with an initial packet that contains all of the Layer 3 (L3) and Layer 4 (L4) header

information contained in the original packet, and is followed by a number of packets that contain only the L3 header information.

This packet

ﬂow

contains all of the information from the original packet distributed through packets that are small enough to avoid the

maximum packet size limit. This provides a particular problem for ACL processing.

If the ACL

ﬁlters

based on L4 information, the non-initial packets within the fragmented packet

ﬂow

will not match the L4 information, even

if the original packet would have matched the

ﬁlter.

Because of this

ﬁltering,

packets are not processed by the ACL.

Access Control Lists

373