Home » Dell Manuals » Hubs & Switches » Dell S5148F-ON » Manual Viewer

Dell S5148F-ON OS10 Enterprise Edition User Guide Release 10.3.2E-R2 - Page 374

L3 ACL rules, Permit ACL with L3 information only, Permit all packets from host

Add to My Manuals
Save this manual to your list of manuals

Page 374 highlights

The examples show denying second and subsequent fragments, and permitting all packets on an interface. These ACLs deny all second and subsequent fragments with destination IP 10.1.1.1, but permit the first fragment and non-fragmented packets with destination IP 10.1.1.1. The second example shows ACLs which permits all packets - both fragmented and non-fragmented - with destination IP 10.1.1.1. Deny second and subsequent fragments OS10(config)# ip access-list ABC OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32 Permit all packets on interface OS10(config)# ip access-list ABC OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32 OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments L3 ACL rules Use ACL commands for L3 packet filtering. TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all others are denied. TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied. Permit ACL with L3 information only If a packet's L3 information matches the information in the ACL, the packet's fragment offset (FO) is checked: • If a packet's FO > 0, the packet is permitted • If a packet's FO = 0, the next ACL entry processes Deny ACL with L3 information only If a packet's L3 information does not match the L3 information in the ACL, the packet's FO is checked: • If a packet's FO > 0, the packet is denied • If a packet's FO = 0, the next ACL line processes Permit all packets from host OS10(config)# ip access-list ABC OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24 OS10(conf-ipv4-acl)# deny ip any any fragment Permit only first fragments and non-fragmented packets from host OS10(config)# ip access-list ABC OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24 OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any fragment OS10(conf-ipv4-acl)# deny ip any any fragment 374 Access Control Lists

Section	Page
OS10 Enterprise Edition User Guide Release 10.3.2E(R2)	3
Getting Started	18
Download OS10 image and license	18
Installation	20
Automatic installation	21
Manual installation	21
Log into OS10	22
Install OS10 license	22
Remote access	23
Configure Management IP address	24
Management Route Configuration	24
Configure user name and password	25
Upgrade OS10	25
CLI Basics	25
User accounts	25
Key CLI features	26
CLI command modes	26
CLI command hierarchy	26
CLI command categories	27
CONFIGURATION Mode	27
Command help	27
Check device status	29
Candidate configuration	31
Change to transaction-based configuration	34
Back up or restore configuration	34
Reload system image	35
Filter show commands	35
Alias command	36
Batch mode commands	38
Linux shell commands	38
SSH commands	39
OS9 environment commands	39
Common commands	40
alias	40
batch	41
boot	42
commit	42
configure	42
copy	43
delete	44
dir	44
discard	45
do	45
feature config-os9-style	46
exit	46
license	47
lock	47
management route	48
move	48
no	49
reload	49
show alias	49
show boot	50
show candidate-configuration	51
show environment	53
show inventory	54
show ip management-route	54
show ipv6 management-route	55
show license status	55
show running-configuration	56
show startup-configuration	58
show system	59
show version	61
start	62
system	62
system identifier	62
terminal	63
traceroute	63
unlock	64
write	65
Interfaces	66
Ethernet interfaces	66
L2 mode configuration	66
L3 mode configuration	67
Management interface	67
VLAN interfaces	68
Loopback interfaces	68
Port-channel interfaces	69
Create port-channel	69
Add port member	69
Minimum links	70
Assign Port Channel IP Address	70
Remove or disable port-channel	71
Load balance traffic	71
Change hash algorithm	72
Configure interface ranges	72
Forward error correction	73
View interface configuration	74
Interface commands	75
channel-group	75
description (Interface)	76
duplex	76
fec	77
interface breakout	77
interface ethernet	78
interface loopback	78
interface mgmt	79
interface null	79
interface port-channel	79
interface range	80
interface vlan	80
link-bundle-utilization	81
mgmt	81
mtu	81
show interface	82
show link-bundle-utilization	83
show port-channel summary	84
show vlan	84
shutdown	85
speed (Management)	85
switchport access vlan	86
switchport mode	86
switchport trunk allowed vlan	87
Layer 2	88
802.1X	88
Port authentication	89
EAP over RADIUS	90
Configure 802.1X	90
Enable 802.1X	91
Identity retransmissions	92
Failure quiet period	93
Port control mode	93
Reauthenticate port	94
Configure timeouts	95
802.1X commands	96
Link aggregation control protocol	101
Modes	101
Configuration	101
Interfaces	102
Rates	102
Sample configuration	103
LACP commands	106
Link layer discovery protocol	112
Protocol data units	112
Optional TLVs	113
Organizationally-specific TLVs	114
Media endpoint discovery	115
Network connectivity device	115
LLDP-MED capabilities TLV	115
Network policies TLVs	116
Define network policies	117
Packet timer values	117
Disable and re-enable LLDP	118
Advertise TLVs	119
Network policy advertisement	119
Fast start repeat count	120
View LLDP configuration	120
Adjacent agent advertisements	121
Time to live	122
LLDP commands	123
Media Access Control	134
Static MAC Address	135
MAC Address Table	135
Clear MAC Address Table	135
MAC Commands	136
Multiple spanning-tree protocol	138
Configure MST protocol	139
Create instances	140
Root selection	141
Non-Dell hardware	142
Region name or revision	142
Modify parameters	142
Interface parameters	143
Forward traffic	144
Spanning-tree extensions	144
MST commands	146
Rapid per-VLAN spanning-tree plus	154
Load balance and root selection	155
Enable RPVST+	156
Select root bridge	156
Root assignment	158
Loop guard	158
Global parameters	159
RPVST+ commands	159
Rapid spanning-tree protocol	166
Enable globally	166
Global parameters	167
Interface parameters	168
Root bridge selection	169
EdgePort forward traffic	170
Spanning-tree extensions	170
RSTP commands	172
Virtual LANs	177
Default VLAN	178
Create or remove VLANs	178
Access mode	179
Trunk mode	180
Assign IP address	181
View VLAN configuration	182
VLAN commands	183
Port monitoring	184
Local port monitoring	184
Remote port monitoring	185
Port monitoring commands	187
Layer 3	190
Border gateway protocol	190
Sessions and peers	191
Route reflectors	192
Multiprotocol BGP	193
Attributes	193
Selection criteria	193
Weight and local preference	194
Multiexit discriminators	195
Origin	195
AS path and next-hop	196
Best path selection	196
More path support	197
Advertise cost	197
4-Byte AS numbers	198
AS number migration	198
Configure border gateway protocol	199
Enable BGP	199
Configure Dual Stack	201
Peer templates	201
Neighbor fall-over	203
Fast external fallover	204
Passive peering	206
Local AS	206
AS number limit	207
Redistribute routes	208
Additional paths	208
MED attributes	209
Local preference attribute	209
Weight attribute	210
Enable multipath	211
Route-map filters	211
Route reflector clusters	211
Aggregate routes	212
Confederations	213
Route dampening	214
Timers	215
Neighbor soft-reconfiguration	215
BGP commands	216
Equal cost multi-path	241
Load balancing	241
ECMP commands	241
IPv4 routing	244
Assign interface IP address	244
Configure static routing	245
Address resolution protocol	246
IPv4 routing commands	246
IPv6 routing	250
Stateless autoconfiguration	250
IPv6 addresses	251
Static IPv6 routing	252
View IPv6 information	253
IPv6 commands	253
Open shortest path first	256
Autonomous system areas	257
Areas, networks, and neighbors	257
Router types	258
Designated and backup designated routers	259
Link-state advertisements	259
Router priority	260
OSPFv2	261
OSPFv3	291
Object tracking manager	303
Interface tracking	304
Host tracking	305
Set tracking delays	306
Object tracking	306
View tracked objects	306
OTM commands	307
Policy-based routing	310
Policy-based route-maps	310
Access-list to match route-map	310
Set address to match route-map	310
Assign route-map to interface	311
View PBR information	311
PBR commands	312
Virtual router redundancy protocol	314
Configuration	315
Create virtual router	316
Group version	316
Virtual IP addresses	317
Configure virtual IP address	317
Set group priority	318
Authentication	319
Disable preempt	319
Advertisement interval	320
Interface/object tracking	321
Configure tracking	321
VRRP commands	322
System management	328
Dynamic host configuration protocol	328
Packet format and options	328
Configure Server	329
Automatic address allocation	330
Hostname resolution	331
Manual binding entries	332
View DHCP Information	333
System domain name and list	333
DHCP commands	334
DNS commands	339
Network time protocol	341
Enable NTP	341
Broadcasts	342
Source IP address	342
Authentication	343
NTP commands	344
System clock	348
System Clock commands	348
User session management	349
User session management commands	350
Telnet server	351
Telnet commands	351
Security	352
Role-based access control	352
RADIUS authentication	353
RADIUS server settings	353
System-defined user roles	354
Assign user role	354
SSH Server	355
Security commands	355
Simple network management protocol	363
SNMP commands	363
OS10 image upgrade	365
Boot system partition	366
Upgrade commands	366
Access Control Lists	372
IP ACLs	372
MAC ACLs	373
IP fragment handling	373
IP fragments ACL	373
L3 ACL rules	374
Permit ACL with L3 information only	374
Deny ACL with L3 information only	374
Permit all packets from host	374
Permit only first fragments and non-fragmented packets from host	374
Assign sequence number to filter	375
User-provided sequence number	375
Auto-generated sequence number	375
L2 and L3 ACLs	375
Assign and apply ACL filters	376
Ingress ACL filters	377
Egress ACL filters	377
Clear access-list counters	378
IP prefix-lists	378
Route-maps	379
Match routes	380
Set conditions	380
continue Clause	381
ACL flow-based monitoring	381
Flow-based mirroring	381
Enable flow-based monitoring	382
ACL commands	383
clear ip access-list counters	383
clear ipv6 access-list counters	383
clear mac access-list counters	384
deny	384
deny (IPv6)	385
deny (MAC)	385
deny icmp	386
deny icmp (IPv6)	386
deny ip	387
deny ipv6	387
deny tcp	388
deny tcp (IPv6)	389
deny udp	389
deny udp (IPv6)	390
description	391
ip access-group	391
ip access-list	392
ip as-path deny	392
ip as-path permit	392
ip community-list standard deny	393
ip community–list standard permit	393
ip extcommunity-list standard deny	394
ip extcommunity-list standard permit	394
ip prefix-list description	395
ip prefix-list deny	395
ip prefix-list permit	395
ip prefix-list seq deny	396
ip prefix-list seq permit	396
ipv6 access-group	397
ipv6 access-list	397
ipv6 prefix-list deny	398
ipv6 prefix-list description	398
ipv6 prefix-list permit	398
ipv6 prefix-list seq deny	399
ipv6 prefix-list seq permit	399
mac access-group	400
mac access-list	400
permit	400
permit (IPv6)	401
permit (MAC)	402
permit icmp	402
permit icmp (IPv6)	403
permit ip	403
permit ipv6	404
permit tcp	404
permit tcp (IPv6)	405
permit udp	406
permit udp (IPv6)	406
remark	407
seq deny	408
seq deny (IPv6)	408
seq deny (MAC)	409
seq deny icmp	410
seq deny icmp (IPv6)	410
seq deny ip	411
seq deny ipv6	411
seq deny tcp	412
seq deny tcp (IPv6)	413
seq deny udp	414
seq deny udp (IPv6)	415
seq permit	416
seq permit (IPv6)	416
seq permit (MAC)	417
seq permit icmp	417
seq permit icmp (IPv6)	418
seq permit ip	419
seq permit ipv6	419
seq permit tcp	420
seq permit tcp (IPv6)	421
seq permit udp	422
seq permit udp (IPv6)	423
show access-group	423
show access-lists	424
show ip as-path-access-list	425
show ip community-list	426
show ip extcommunity-list	426
show ip prefix-list	426
Route-map commands	427
continue	427
match as-path	427
match community	428
match extcommunity	428
match interface	428
match ip address	429
match ip next-hop	429
match ipv6 address	430
match ipv6 next-hop	430
match metric	430
match origin	431
match route-type	431
match tag	432
route-map	432
set comm-list delete	432
set community	433
set extcomm-list delete	433
set extcommunity	434
set local-preference	434
set metric	434
set metric-type	435
set next-hop	436
set origin	436
set tag	436
set weight	437
show route-map	437
Quality of service	438
Configure quality of service	438
Class-map configuration	440
Policy-map configuration	440
Interface policy-map	441
Control-plane policy-map	442
System policy-map	442
Ingress traffic classification	442
Queue selection	443
Strict priority queuing	444
Class of service or dot1p classification	445
DSCP classification	446
MAC address classification	446
VLAN classification	447
IP access-group classification	448
IP precedence classification	448
Mark traffic	449
Class of service marking	449
DSCP marking	450
Group marking	450
Traffic metering	451
Bandwidth allocation	451
Service-policy rate-shaping	452
Policy-based rate-policing	453
Storm control	454
Control-plane policing	454
Configure control-plane policing	455
Assign service-policy	456
View configuration	456
Queue management	457
Verify configuration	458
Egress queue statistics	459
QoS commands	459
bandwidth	460
class	460
class-map	460
clear interface	461
clear qos statistics	461
clear qos statistics type	462
control-plane	462
flowcontrol	463
match	463
match cos	464
match dscp	464
match precedence	465
match queue	465
match vlan	465
pause	466
police	467
policy-map	467

Match case Limit results 1 per page

The examples show denying second and subsequent fragments, and permitting all packets on an interface. These ACLs deny all second and

subsequent fragments with destination IP 10.1.1.1, but permit the

ﬁrst

fragment and non-fragmented packets with destination IP 10.1.1.1. The

second example shows ACLs which permits all packets — both fragmented and non-fragmented — with destination IP 10.1.1.1.

Deny second and subsequent fragments

OS10(config)# ip access-list ABC

OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments

OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32

Permit all packets on interface

OS10(config)# ip access-list ABC

OS10(conf-ipv4-acl)# permit ip any 10.1.1.1/32

OS10(conf-ipv4-acl)# deny ip any 10.1.1.1/32 fragments

L3 ACL rules

Use ACL commands for L3 packet

ﬁltering.

TCP packets from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all

others are denied.

TCP packets that are

ﬁrst

fragments or non-fragmented from host 10.1.1.1 with the TCP destination port equal to 24 are permitted, and all

TCP

non-ﬁrst

fragments from host 10.1.1.1 are permitted. All other IP packets that are

non-ﬁrst

fragments are denied.

Permit ACL with L3 information only

If a packet’s L3 information matches the information in the ACL, the packet's fragment

oﬀset

(FO) is checked:

•

If a packet's FO > 0, the packet is permitted

•

If a packet's FO = 0, the next ACL entry processes

Deny ACL with L3 information only

If a packet's L3 information does not match the L3 information in the ACL, the packet's FO is checked:

•

If a packet's FO > 0, the packet is denied

•

If a packet's FO = 0, the next ACL line processes

Permit all packets from host

OS10(config)# ip access-list ABC

OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24

OS10(conf-ipv4-acl)# deny ip any any fragment

Permit only

ﬁrst

fragments and non-fragmented packets from

host

OS10(config)# ip access-list ABC

OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24

OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any fragment

OS10(conf-ipv4-acl)# deny ip any any fragment

374

Access Control Lists