Home » HP Manuals » Servers » HP Mellanox SX1018 » Manual Viewer

HP Mellanox SX1018 Mellanox MLNX-OS User Manual for SX1018HP Ethernet Managed - Page 74

Configuring Access Control List, ACL Actions

Add to My Manuals
Save this manual to your list of manuals

Page 74 highlights

Rev 1.6.2 5.9.1 Configuring Access Control List Access Control List (ACL) is configured by the user and is applied to a port once the ACL search engine matches search criteria with a received packet.  To configure ACL: Step 1. Log in as admin. Step 2. Enter config mode. Run: switch > enable switch # configure terminal Step 3. Create a MAC / IPv4 ACL (access-list) entity. switch (config) mac access-list mac-acl switch (config mac access-list mac-acl) # Step 4. Add a MAC / IP rules to the appropriate access-list. switch (config mac access-list mac-acl)seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80 switch (config mac access-list mac-acl) # Step 5. Bind the created access-list to an interface (slot/port or port-channel). switch (config) switch (config) # interface ethernet 1/1 switch (config interface ethernet 1/1) # mac port access-group mac-acl 5.9.2 ACL Actions An ACL action is a set of actions can be activated in case the packet hits the ACL rule.  To modify the VLAN tag of the egress traffic as part of the ACL "permit" rule: Step 1. Create access-list action profile: a.Create an action access-list profile using the command access-list action b.Add rule to map a VLAN using the command vlan-map within the action profile configuration mode Step 2. Create an access-list and bind the action rule: Step 3. a.Create an access-list profile using the command ipv4/mac access-list b.Add access list rule using the command deny/permit (action ) Bind the access-list to an interface using the command ipv4/mac port access-group Create an action profile and add vlan mapping action: switch (config)#access-list action my-action switch (config access-list action my-action) # vlan-map 20 switch (config access-list action my-action) #exit Create an access list and bind rules: switch (config)# mac access-list my-list switch (config mac access-list my-list)# permit any any action my-action switch (config mac access-list my-list)# exit Bind an access-list to a port: Switch (config)# interface ethernet 1/1 Switch (config interface ethernet 1/1)# mac port access-group my-list Mellanox Technologies 74

Section	Page
Mellanox MLNX-OS™ User Manual for SX1018HP Ethernet Managed Blade Switch	1
Table of Contents	3
Document Revision History	6
About this Manual	7
1 Introduction	10
1.1 MLNX-OS Features	10
2 Getting Started	12
2.1 Configuring the Switch for the First Time - Installation Wizard	12
2.1.1 Re-running the Wizard	17
2.2 Starting The Command Line (CLI)	17
2.3 Starting the Web Interface	18
2.4 Licenses	20
2.4.1 Installing MLNX-OS License (CLI)	20
2.4.2 Installing MLNX-OS License (Web)	21
2.4.3 Retrieving Your Lost License Key	23
3 User Interfaces	25
3.1 Command Line Interface (CLI)	25
3.1.1 CLI Modes	25
3.1.2 Syntax Conventions	26
3.1.3 Getting Help	26
3.1.4 Prompt and Response Conventions	27
3.1.5 Using the Negation Form	28
3.1.6 Parameter Key	29
3.2 Web Interface	30
3.2.1 Setup Menu	31
3.2.2 System Menu	32
3.2.3 Security Menu	33
3.2.4 Ports Menu	33
3.2.5 Status Menu	34
3.2.6 IB SM Mgmt	34
3.2.7 Fabric Inspector	35
3.2.8 ETH Mgmt	36
4 System Management	37
4.1 Management Interface	37
4.1.1 Configuring Management Interfaces With Static IP Addresses	37
4.1.2 Configuring IPv6 Address on the Management Interface	37
4.1.3 Dynamic Host Configuration Protocol (DHCP)	37
4.1.4 Default Gateway	38
4.2 Software Management	38
4.2.1 Upgrading MLNX-OS Software	38
4.2.2 Deleting Unused Images	41
4.2.3 Downgrading MLNX-OS Software	42
4.2.3.1 Downloading Image	42
4.2.3.2 Downgrading Image	43
4.2.3.3 Switching to Partition with Older Software Version	44
4.2.4 Upgrading System Firmware	45
4.2.4.1 After Updating MLNX-OS Software	45
4.2.4.2 Importing Firmware and Changing the Default Firmware	45
4.3 File Management	46
4.3.1 Saving a Configuration File	46
4.3.2 Loading a Configuration File	47
4.3.3 Restoring Factory Default Configuration on a Switch System (Single Management Module)	47
4.4 Remote Logging	47
4.4.1 Configuring Remote Syslog to “info” Level	47
4.5 Event Notifications	48
4.5.1 E-mail Notifications	48
4.6 Diagnostics	49
4.6.1 Retrieving Return Codes when Executing Remote CLI Commands through SSH	49
4.7 User Management and Security	49
4.7.1 Authentication, Authorization and Accounting (AAA)	49
4.7.1.1 RADIUS	50
4.7.1.2 TACACS+	50
4.7.1.3 LDAP	50
4.7.2 Secure Shell (SSH)	51
4.7.2.1 Adding a Host and Providing an SSH Key	51
4.7.3 User Accounts	51
4.8 Network Management Interfaces	52
4.8.1 SNMP	52
4.8.1.1 Standard MIBs	52
4.8.1.2 Private MIB	54
4.8.1.3 Traps	54
4.8.1.4 Configuring SNMP	54
4.8.1.5 Configuring an SNMPv3 User	55
4.8.1.6 Configuring an SNMP notifications	55
4.8.2 MLNX-OS XML API	56
5 Ethernet Switching	58
5.1 Interface	58
5.1.1 Break-Out Cables	58
5.1.1.1 Changing the Module Type to a Split Mode	60
5.1.1.2 Returning to the Non-Split Mode	61
5.2 Link Aggregation Group (LAG)	61
5.2.1 Configuring Static Link Aggregation Group (LAG)	61
5.2.2 Configuring Link Aggregation Control Protocol (LACP)	62
5.3 VLANs	62
5.3.1 Configuring Access Mode and Assigning Port VLAN ID (PVID) to Interfaces	63
5.3.2 Configuring Hybrid Mode and Assigning Port VLAN ID (PVID) to Interfaces	63
5.3.3 Configuring Trunk Mode VLAN Membership	64
5.3.4 Configuring Hybrid Mode VLAN Membership	65
5.4 MAC Address Table	65
5.4.1 Configuring Unicast Static MAC Address	65
5.5 Spanning Tree	66
5.5.1 Rapid Spanning Tree Protocol	66
5.5.2 RSTP Enhancements	66
5.5.3 Disabling Spanning Tree Protocol	67
5.6 IGMP Snooping	67
5.6.1 Configuring IGMP Snooping	67
5.6.2 Defining a Multicast Router Port on a VLAN	68
5.7 Link Layer Discovery Protocol (LLDP)	69
5.7.1 Configuring LLDP	69
5.8 Quality of Service (QoS)	70
5.8.1 Priority Flow Control and Link Level Flow Control	70
5.8.2 Enhanced Transmission Selection (ETS)	72
5.9 Access Control List	73
5.9.1 Configuring Access Control List	74
5.9.2 ACL Actions	74
6 IP Routing	75
6.1 General	75
6.1.1 Interface VLAN	75
6.1.2 Equal Cost Multi-Path Routing (ECMP)	75

Match case Limit results 1 per page

Rev 1.6.2

Mellanox Technologies

5.9.1

Configuring Access Control List

Access Control List (ACL) is configured by the user and is applied to a port once the ACL search

engine matches search criteria with a received packet.



To configure ACL:

Step 1.

Step 2.

Enter config mode. Run:

Step 3.

Create a MAC / IPv4 ACL (access-list) entity.

Step 4.

Add a MAC / IP rules to the appropriate access-list.

Step 5.

Bind the created access-list to an interface (slot/port or port-channel).

5.9.2

ACL Actions

An ACL action is a set of actions can be activated in case the packet hits the ACL rule.



To modify the VLAN tag of the egress traffic as part of the ACL “permit” rule:

Step 1.

Create access-list action profile:

a.Create an action access-list profile using the command

access-list action <action-profile-

name>

b.Add rule to map a VLAN using the command

vlan-map <vlan-id>

within the action profile config-

uration mode

Step 2.

Create an access-list and bind the action rule:

a.Create an access-list profile using the command

ipv4/mac access-list

b.Add access list rule using the command

deny/permit

(action <action profile name>)

Step 3.

Bind the access-list to an interface using the command

ipv4/mac port access-group

switch > enable

switch # configure terminal

switch (config) mac access-list mac-acl

switch (config mac access-list mac-acl) #

switch (config mac access-list mac-acl)seq-number 10 deny 0a:0a:0a:0a:0a:0a mask

ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80

switch (config mac access-list mac-acl) #

switch (config)

switch (config) # interface ethernet 1/1

switch (config interface ethernet 1/1) # mac port access-group mac-acl

Create an action profile and add vlan mapping action:

switch (config)#access-list action my-action

switch (config access-list action my-action) # vlan-map 20

switch (config access-list action my-action) #exit

Create an access list and bind rules:

switch (config)# mac access-list my-list

switch (config mac access-list my-list)# permit any any action my-action

switch (config mac access-list my-list)# exit

Bind an access-list to a port:

Switch (config)# interface ethernet 1/1

Switch (config interface ethernet 1/1)# mac port access-group my-list