Home » Dell Manuals » Hubs & Switches » Dell S5148F-ON » Manual Viewer

Dell S5148F-ON OS10 Enterprise Edition User Guide Release 10.3.2E-R1 - Page 372

Assign sequence number to filter, User-provided sequence number, Auto-generated sequence number

Add to My Manuals
Save this manual to your list of manuals

Page 372 highlights

To log all packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a similar configuration. When an ACL filters packets, it looks at the FO to determine whether it is a fragment: • FO = 0 means it is either the first fragment or the packet is a non-fragment • FO > 0 means it is the fragments of the original packet Assign sequence number to filter IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP host addresses. Traffic passes through the filter by filter sequence. Configure the IP ACL by first entering IP ACCESS-LIST mode and then assigning a sequence number to the filter. User-provided sequence number • Enter IP ACCESS LIST mode by creating an IP ACL in CONFIGURATION mode. ip access-list access-list-name • Configure a drop or forward filter in IPV4-ACL mode. seq sequence-number {deny | permit | remark} {ip-protocol-number | icmp | ip | protocol | tcp | udp} {source prefix | source mask | any | host} {destination mask | any | host ip-address} [count [byte]] [fragments] Auto-generated sequence number If you are creating an ACL with only one or two filters, you can let the system assign a sequence number based on the order in which you configure the filters. The system assigns sequence numbers to filters using multiples of ten values. • Configure a deny or permit filter to examine IP packets in IPV4-ACL mode. {deny | permit} {source mask | any | host ip-address} [count [byte]] [fragments] • Configure a deny or permit filter to examine TCP packets in IPV4-ACL mode. {deny | permit} tcp {source mask] | any | host ip-address}} [count [byte]] [fragments] • Configure a deny or permit filter to examine UDP packets in IPV4-ACL mode. {deny | permit} udp {source mask | any | host ip-address}} [count [byte]] [fragments] Assign sequence number to filter OS10(config)# ip access-list acl1 OS10(conf-ipv4-acl)# seq 5 deny tcp any any capture session 1 count View ACLs and packets processed through ACL OS10# show ip access-lists in Ingress IP access-list acl1 Active on interfaces : ethernet1/1/5 seq 5 permit ip any any count (10000 packets) L2 and L3 ACLs Configure both L2 and L3 ACLs on an interface in L2 mode. Rules apply if you use both L2 and L3 ACLs on an interface. • L3 ACL filters packets and then the L2 ACL filters packets • Egress L3 ACL filters packets Rules apply in order: 372 Access Control Lists

Section	Page
OS10 Enterprise Edition User Guide Release 10.3.2E(R1)	3
Getting Started	17
Download OS10 image and license	17
Installation	19
Automatic installation	19
Manual installation	20
Log into OS10	20
Install OS10 license	21
Remote access	22
Configure Management IP address	22
Management Route Configuration	23
Configure user name and password	23
Upgrade OS10	24
CLI Basics	24
User accounts	24
Key CLI features	24
CLI command modes	25
CLI command hierarchy	25
CLI command categories	25
CONFIGURATION Mode	26
Command help	26
Check device status	28
Candidate configuration	30
Change to transaction-based configuration	33
Back up or restore configuration	33
Reload system image	34
Filter show commands	34
Alias command	35
Batch mode commands	36
Linux shell commands	37
SSH commands	38
OS9 environment commands	38
Common commands	39
alias	39
batch	40
boot	40
commit	41
configure	41
copy	42
delete	43
dir	43
discard	44
do	44
feature config-os9-style	45
exit	45
license	46
lock	46
management route	47
move	47
no	48
reload	48
show alias	48
show boot	49
show candidate-configuration	50
show environment	52
show inventory	53
show ip management-route	53
show ipv6 management-route	54
show license status	54
show running-configuration	55
show startup-configuration	57
show system	58
show version	60
start	61
system	61
system identifier	61
terminal	62
traceroute	62
unlock	63
write	64
Interfaces	65
Ethernet interfaces	65
L2 mode configuration	65
L3 mode configuration	66
Management interface	66
VLAN interfaces	67
Loopback interfaces	67
Port-channel interfaces	68
Create port-channel	68
Add port member	68
Minimum links	69
Assign Port Channel IP Address	69
Remove or disable port-channel	70
Load balance traffic	70
Change hash algorithm	71
Configure interface ranges	71
Forward error correction	72
View interface configuration	73
Interface commands	74
channel-group	74
description (Interface)	75
duplex	75
fec	76
interface breakout	76
interface ethernet	77
interface loopback	77
interface mgmt	77
interface null	78
interface port-channel	78
interface range	79
interface vlan	79
link-bundle-utilization	80
mgmt	80
mtu	80
show interface	81
show link-bundle-utilization	82
show port-channel summary	83
show vlan	83
shutdown	84
speed (Management)	84
switchport access vlan	85
switchport mode	85
switchport trunk allowed vlan	86
Layer 2	87
802.1X	87
Port authentication	88
EAP over RADIUS	89
Configure 802.1X	89
Enable 802.1X	90
Identity retransmissions	91
Failure quiet period	92
Port control mode	92
Reauthenticate port	93
Configure timeouts	94
802.1X commands	95
Link aggregation control protocol	100
Modes	100
Configuration	100
Interfaces	101
Rates	101
Sample configuration	102
LACP commands	105
Link layer discovery protocol	111
Protocol data units	111
Optional TLVs	112
Organizationally-specific TLVs	113
Media endpoint discovery	114
Network connectivity device	114
LLDP-MED capabilities TLV	114
Network policies TLVs	115
Define network policies	116
Packet timer values	116
Disable and re-enable LLDP	117
Advertise TLVs	118
Network policy advertisement	118
Fast start repeat count	119
View LLDP configuration	119
Adjacent agent advertisements	120
Time to live	121
LLDP commands	122
Media Access Control	133
Static MAC Address	134
MAC Address Table	134
Clear MAC Address Table	134
MAC Commands	135
Multiple spanning-tree protocol	137
Configure MST protocol	138
Create instances	139
Root selection	140
Non-Dell hardware	141
Region name or revision	141
Modify parameters	141
Interface parameters	142
Forward traffic	143
Spanning-tree extensions	143
MST commands	145
Rapid per-VLAN spanning-tree plus	153
Load balance and root selection	154
Enable RPVST+	155
Select root bridge	155
Root assignment	157
Loop guard	157
Global parameters	158
RPVST+ commands	158
Rapid spanning-tree protocol	165
Enable globally	165
Global parameters	166
Interface parameters	167
Root bridge selection	168
EdgePort forward traffic	169
Spanning-tree extensions	169
RSTP commands	171
Virtual LANs	176
Default VLAN	177
Create or remove VLANs	177
Access mode	178
Trunk mode	179
Assign IP address	180
View VLAN configuration	181
VLAN commands	182
Port monitoring	183
Local port monitoring	183
Port monitoring commands	184
Layer 3	187
Border gateway protocol	187
Sessions and peers	188
Route reflectors	189
Multiprotocol BGP	190
Attributes	190
Selection criteria	190
Weight and local preference	191
Multiexit discriminators	192
Origin	192
AS path and next-hop	193
Best path selection	193
More path support	194
Advertise cost	194
4-Byte AS numbers	195
AS number migration	195
Configure border gateway protocol	196
Enable BGP	196
Configure Dual Stack	198
Peer templates	198
Neighbor fall-over	200
Fast external fallover	201
Passive peering	203
Local AS	203
AS number limit	204
Redistribute routes	205
Additional paths	205
MED attributes	206
Local preference attribute	206
Weight attribute	207
Enable multipath	208
Route-map filters	208
Route reflector clusters	208
Aggregate routes	209
Confederations	210
Route dampening	211
Timers	212
Neighbor soft-reconfiguration	212
BGP commands	213
Equal cost multi-path	238
Load balancing	238
ECMP commands	238
IPv4 routing	241
Assign interface IP address	241
Configure static routing	242
Address resolution protocol	243
IPv4 routing commands	243
IPv6 routing	247
Stateless autoconfiguration	247
IPv6 addresses	248
Static IPv6 routing	249
View IPv6 information	250
IPv6 commands	250
Open shortest path first	254
Autonomous system areas	254
Areas, networks, and neighbors	254
Router types	255
Designated and backup designated routers	256
Link-state advertisements	256
Router priority	257
OSPFv2	258
OSPFv3	288
Object tracking manager	300
Interface tracking	301
Host tracking	302
Set tracking delays	303
Object tracking	303
View tracked objects	303
OTM commands	304
Policy-based routing	307
Policy-based route-maps	307
Access-list to match route-map	307
Set address to match route-map	307
Assign route-map to interface	308
View PBR information	308
PBR commands	309
Virtual router redundancy protocol	311
Configuration	312
Create virtual router	313
Group version	313
Virtual IP addresses	314
Configure virtual IP address	314
Set group priority	315
Authentication	316
Disable preempt	316
Advertisement interval	317
Interface/object tracking	318
Configure tracking	318
VRRP commands	319
System management	325
Dynamic host configuration protocol	325
Packet format and options	325
Configure Server	326
Automatic address allocation	327
Hostname resolution	328
Manual binding entries	329
View DHCP Information	330
System domain name and list	330
DHCP commands	331
DNS commands	336
Network time protocol	338
Enable NTP	338
Broadcasts	339
Source IP address	339
Authentication	340
NTP commands	341
System clock	345
System Clock commands	345
User session management	346
User session management commands	347
Telnet server	348
Telnet commands	348
Security	349
Role-based access control	349
RADIUS authentication	350
RADIUS server settings	350
System-defined user roles	351
Assign user role	351
SSH Server	352
Security commands	352
Simple network management protocol	360
SNMP commands	360
OS10 image upgrade	362
Boot system partition	363
Upgrade commands	363
Access Control Lists	369
IP ACLs	369
MAC ACLs	370
IP fragment handling	370
IP fragments ACL	370
L3 ACL rules	371
Permit ACL with L3 information only	371
Deny ACL with L3 information only	371
Permit all packets from host	371
Permit only first fragments and non-fragmented packets from host	371
Assign sequence number to filter	372
User-provided sequence number	372
Auto-generated sequence number	372
L2 and L3 ACLs	372
Assign and apply ACL filters	373
Ingress ACL filters	374
Egress ACL filters	374
Clear access-list counters	375
IP prefix-lists	375
Route-maps	376
Match routes	377
Set conditions	377
continue Clause	378
ACL flow-based monitoring	378
Flow-based mirroring	378
Enable flow-based monitoring	379
ACL commands	380
clear ip access-list counters	380
clear ipv6 access-list counters	380
clear mac access-list counters	381
deny	381
deny (IPv6)	382
deny (MAC)	382
deny icmp	383
deny icmp (IPv6)	383
deny ip	384
deny ipv6	384
deny tcp	385
deny tcp (IPv6)	386
deny udp	386
deny udp (IPv6)	387
description	388
ip access-group	388
ip access-list	389
ip as-path deny	389
ip as-path permit	389
ip community-list standard deny	390
ip community–list standard permit	390
ip extcommunity-list standard deny	391
ip extcommunity-list standard permit	391
ip prefix-list description	392
ip prefix-list deny	392
ip prefix-list permit	392
ip prefix-list seq deny	393
ip prefix-list seq permit	393
ipv6 access-group	394
ipv6 access-list	394
ipv6 prefix-list deny	395
ipv6 prefix-list description	395
ipv6 prefix-list permit	395
ipv6 prefix-list seq deny	396
ipv6 prefix-list seq permit	396
mac access-group	397
mac access-list	397
permit	397
permit (IPv6)	398
permit (MAC)	399
permit icmp	399
permit icmp (IPv6)	400
permit ip	400
permit ipv6	401
permit tcp	401
permit tcp (IPv6)	402
permit udp	403
permit udp (IPv6)	403
remark	404
seq deny	405
seq deny (IPv6)	405
seq deny (MAC)	406
seq deny icmp	407
seq deny icmp (IPv6)	407
seq deny ip	408
seq deny ipv6	408
seq deny tcp	409
seq deny tcp (IPv6)	410
seq deny udp	411
seq deny udp (IPv6)	412
seq permit	413
seq permit (IPv6)	413
seq permit (MAC)	414
seq permit icmp	414
seq permit icmp (IPv6)	415
seq permit ip	416
seq permit ipv6	416
seq permit tcp	417
seq permit tcp (IPv6)	418
seq permit udp	419
seq permit udp (IPv6)	420
show access-group	420
show access-lists	421
show ip as-path-access-list	422
show ip community-list	423
show ip extcommunity-list	423
show ip prefix-list	423
Route-map commands	424
continue	424
match as-path	424
match community	425
match extcommunity	425
match interface	425
match ip address	426
match ip next-hop	426
match ipv6 address	427
match ipv6 next-hop	427
match metric	427
match origin	428
match route-type	428
match tag	429
route-map	429
set comm-list delete	429
set community	430
set extcomm-list delete	430
set extcommunity	431
set local-preference	431
set metric	431
set metric-type	432
set next-hop	433
set origin	433
set tag	433
set weight	434
show route-map	434
Quality of service	435
Configure quality of service	435
Class-map configuration	437
Policy-map configuration	437
Interface policy-map	438
Control-plane policy-map	439
System policy-map	439
Ingress traffic classification	439
Queue selection	440
Strict priority queuing	441
Class of service or dot1p classification	442
DSCP classification	443
MAC address classification	443
VLAN classification	444
IP access-group classification	445
IP precedence classification	445
Mark traffic	446
Class of service marking	446
DSCP marking	447
Group marking	447
Traffic metering	448
Bandwidth allocation	448
Service-policy rate-shaping	449
Policy-based rate-policing	450
Control-plane policing	451
Configure control-plane policing	451
Assign service-policy	452
View configuration	453
Queue management	453
Verify configuration	454
Egress queue statistics	455
QoS commands	456
bandwidth	456
class	456
class-map	457
clear interface	457
clear qos statistics	458
clear qos statistics type	458
control-plane	458
flowcontrol	459
match	459
match cos	460
match dscp	460
match precedence	461
match queue	461
match vlan	462
mtu	462
pause	462
police	463
policy-map	464
priority	464

Match case Limit results 1 per page

To log all packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a similar

conﬁguration.

When an ACL

ﬁlters

packets, it looks at the FO to determine whether it is a fragment:

•

FO = 0 means it is either the

ﬁrst

fragment or the packet is a non-fragment

•

FO > 0 means it is the fragments of the original packet

Assign sequence number to

ﬁlter

IP ACLs

ﬁlter

on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP

host addresses.

Traﬃc

passes through the

ﬁlter

sequence.

Conﬁgure

the IP ACL by

ﬁrst

entering IP ACCESS-LIST mode and then

assigning a sequence number to the

ﬁlter.

User-provided sequence number

•

Enter IP ACCESS LIST mode by creating an IP ACL in CONFIGURATION mode.

ip access-list

access-list-name

•

Conﬁgure

a drop or forward

ﬁlter

in IPV4-ACL mode.

seq

sequence-number

{deny | permit | remark} {

ip-protocol-number

| icmp | ip | protocol | tcp

| udp} {

source prefix

source mask

| any | host} {

destination mask

| any | host

ip-address

}

[count [byte]] [fragments]

Auto-generated sequence number

If you are creating an ACL with only one or two

ﬁlters,

you can let the system assign a sequence number based on the order in which you

conﬁgure

the

ﬁlters.

The system assigns sequence numbers to

ﬁlters

using multiples of ten values.

•

Conﬁgure

a deny or permit

ﬁlter

to examine IP packets in IPV4-ACL mode.

{deny | permit} {

source mask

| any | host

ip-address

} [count [byte]] [fragments]

•

Conﬁgure

a deny or permit

ﬁlter

to examine TCP packets in IPV4-ACL mode.

{deny | permit} tcp {

source mask

] | any | host

ip-address

}} [count [byte]] [fragments]

•

Conﬁgure

a deny or permit

ﬁlter

to examine UDP packets in IPV4-ACL mode.

{deny | permit} udp {

source mask

| any | host

ip-address

}} [count [byte]] [fragments]

Assign sequence number to

ﬁlter

OS10(config)# ip access-list acl1

OS10(conf-ipv4-acl)# seq 5 deny tcp any any capture session 1 count

View ACLs and packets processed through ACL

OS10# show ip access-lists in

Ingress IP access-list acl1

Active on interfaces :

ethernet1/1/5

seq 5 permit ip any any count (10000 packets)

L2 and L3 ACLs

Conﬁgure

both L2 and L3 ACLs on an interface in L2 mode. Rules apply if you use both L2 and L3 ACLs on an interface.

•

L3 ACL

ﬁlters

packets and then the L2 ACL

ﬁlters

packets

•

Egress L3 ACL

ﬁlters

packets

Rules apply in order:

372

Access Control Lists