Home » Netgear Manuals » Hubs & Switches » Netgear XCM8806 Chassis » Manual Viewer

Netgear XCM8806 Chassis User Manual - Page 319

ACL Evaluation Precedence, Rule Evaluation

View all Netgear XCM8806 Chassis manuals

Add to My Manuals
Save this manual to your list of manuals

Page 319 highlights

NETGEAR 8800 User Manual To delete a zone use the following command: delete access-list zone You must remove all applications from a zone before you can delete the zone. You cannot delete the default zones. ACL Evaluation Precedence This section describes the precedence for evaluation among ACL rules for the NETGEAR 8800 series switches. In many cases there will be more than one ACL rule entry for an interface. This section describes how multiple rule entries are evaluated. Multiple rule entries do consume hardware resources. If you find that your situation runs up against those limits, there are steps you can take to conserve resources by modifying the order of the ACL entries that you create. For details, see ACL Mechanisms on page 325. The section describes the following topics: • Rule Evaluation on page 319 • Precedence of Dynamic ACLs on page 320 • Precedence of L2/L3/L4 ACL Entries on page 320 • Precedence Among Interface Types on page 320 • Precedence with Egress ACLs on page 320 • Redundant Rules on page 320 Rule Evaluation When there are multiple rule entries applied to an interface, evaluation proceeds as follows: • A packet is compared to all the rule entry match conditions at the same time. • For each rule where the packet matches all the match conditions, the action and any action modifiers in the then statement are taken. If there are any actions or action modifiers that conflict (deny vs. permit, etc), only the one with higher precedence is taken. • If a packet matches no rule entries in the ACL, it is permitted. Often there will be a lowest-precedence rule entry that matches all packets. This entry will match any packets not otherwise processed, so that the user can specify an action to overwrite the default permit action. This lowest-precedence rule entry is usually the last entry in the ACL policy file applied to the interface. Note: When a packet matches more than one rule entry, the highest precedence conflicting action is taken, so you can use the precedence to determine if a packet is permitted or denied. However, incrementing a counter is not a conflicting action, so a packet that matches more that one rule that increments a common Chapter 13. ACLs | 319

Section	Page
NETGEAR 8800 User Manual	1
Contents	3
1. Overview	22
Introduction	22
Terminology	23
Conventions	23
Platform-Naming Conventions	23
Text Conventions	23
Related Publications	24
2. Getting Started	27
Overview	27
Software Required	28
Logging in to the Switch	28
Understanding the Command Syntax	29
Syntax Helper	30
Command Shortcuts	30
Object Names	31
Symbols	32
Limits	33
Port Numbering	34
Numerical Ranges	34
Line-Editing Keys	34
Command History	35
Common Commands	35
Accessing the Switch for the First Time	38
Safe Defaults Setup Method	38
Configuring Management Access	39
Account Access Levels	40
Configuring the Banner	40
Startup Screen and Prompt Text	41
Default Accounts	43
Creating a Management Account	43
Failsafe Accounts	44
Managing Passwords	45
Applying a Password to the Default Account	45
Applying Security to Passwords	46
Displaying Passwords	47
Access to Both MSM/MM Console Ports	47
Domain Name Service Client Services	47
Checking Basic Connectivity	48
Ping	48
Traceroute	50
Displaying Switch Information	50
3. Managing the Switch	51
Overview	51
Understanding the XCM8800 Shell	52
Using the Console Interface	52
Using the 10/100 Ethernet Management Port	53
Authenticating Users	53
RADIUS Client	54
TACACS+	54
Management Accounts	54
Using Telnet	54
About the Telnet Client	55
About the Telnet Server	55
Connecting to Another Host Using Telnet	56
Configuring Switch IP Parameters	56
Configuring Telnet Access to the Switch	58
Disconnecting a Telnet Session	62
Using Secure Shell 2	62
Using the Trivial File Transfer Protocol	62
Connecting to Another Host Using TFTP	63
Understanding System Redundancy	64
Node Election	65
Replicating Data Between Nodes	66
Viewing Node Status	68
Understanding Hitless Failover Support	69
Protocol Support for Hitless Failover	69
Hitless Failover Caveats	72
Understanding Power Supply Management	72
Using Power Supplies	72
Displaying Power Supply Information	76
Using the Simple Network Management Protocol	76
Enabling and Disabling SNMPv1/v2c and SNMPv3	77
Accessing Switch Agents	78
Supported MIBs	78
Configuring SNMPv1/v2c Settings	79
Displaying SNMP Settings	80
SNMPv3	81
Message Processing	82
SNMPv3 Security	82
SNMPv3 MIB Access Control	86
SNMPv3 Notification	87
Using the Simple Network Time Protocol	89
Configuring and Using SNTP	90
SNTP Example	94
4. Managing the XCM8800 Software	95
Overview	95
Using the XCM8800 File System	96
Moving or Renaming Files on the Switch	97
Copying Files on the Switch	98
Displaying Files on the Switch	100
Transferring Files to and from the Switch	101
Deleting Files from the Switch	103
Managing the Configuration File	104
Managing XCM8800 Processes	106
Displaying Process Information	106
Stopping a Process	107
Starting a Process	108
Understanding Memory Protection	109
Monitoring CPU Utilization	110
Disabling CPU Monitoring	110
Enabling CPU Monitoring	110
Displaying CPU Utilization History	110
5. Configuring Slots and Ports on a Switch	113
Overview	113
Configuring Slots on NETGEAR 8800 Switches	114
Details on I/O Ports	115
Configuring Ports on a Switch	116
Port Numbering	116
Enabling and Disabling Switch Ports	117
Configuring Switch Port Speed and Duplex Setting	117
Jumbo Frames	122
Guidelines for Jumbo Frames	122
Enabling Jumbo Frames per Port	122
Enabling Jumbo Frames	122
Path MTU Discovery	123
IP Fragmentation with Jumbo Frames	123
IP Fragmentation within a VLAN	124
Link Aggregation on the Switch	124
Link Aggregation Overview	125
Dynamic Versus Static Load Sharing	126
Load-Sharing Algorithms	126
LACP	127
Health Check Link Aggregation	130
Guidelines for Load Sharing	131
Configuring Switch Load Sharing	132
Load-Sharing Examples	135
Displaying Switch Load Sharing	137
Mirroring	138
Guidelines for Mirroring	138
Mirroring Rules and Restrictions	140
Mirroring Examples	140
Verifying the Mirroring Configuration	141
Remote Mirroring	141
Configuration Details	142
Guidelines	144
Use of Remote Mirroring with Redundancy Protocols	144
Remote Mirroring with STP	144
Software-Controlled Redundant Port and Smart Redundancy	146
Guidelines for Software-Controlled Redundant Ports and Port Groups	147
Configuring Software-Controlled Redundant Ports	147
Verifying Software-Controlled Redundant Port Configurations	148
Displaying Port Information	148
6. LLDP	150
Overview	150
LLDP Packets	152
Transmitting LLDP Messages	153
Receiving LLDP Messages	154
Managing LLDP	155
Supported TLVs	156
Mandatory TLVs	158
Optional TLVs	159
Configuring LLDP	164
Enabling and Disabling LLDP	165
Configuring the System Description TLV Advertisement	165
Configuring LLDP Timers	165
Configuring SNMP for LLDP	166
Configuring Optional TLV Advertisements	167
Unconfiguring LLDP	170
Displaying LLDP Settings	170
Displaying LLDP Port Configuration Information and Statistics	170
Displaying LLDP Information Detected from Neighboring Ports	171
7. PoE	172
Overview	172
NETGEAR Networks PoE Devices	172
Summary of PoE Features	173
Power Checking for PoE Module	173
Power Delivery	174
Enabling PoE to the Switch	174
Power Reserve Budget	174
PD Disconnect Precedence	175
Port Disconnect or Fault	176
Port Power Reset	177
PoE Usage Threshold	177
Legacy Devices	178
PoE Operator Limits	178
Configuring PoE	179
Enabling Inline Power	179
Reserving Power	180
Setting the Disconnect Precedence	180
Configuring the Usage Threshold	182
Configuring the Switch to Detect Legacy PDs	182
Configuring the Operator Limit	183
Configuring PoE Port Labels	183
Power Cycling Connected PDs	183
Adding an XCM88P Daughter Card to an Existing Configuration	184
Displaying PoE Settings and Statistics	186
Clearing Statistics	186
Displaying System Power Information	186
Displaying Slot PoE Information on NETGEAR 8800 Switches	187
Displaying Port PoE Information	188
8. Status Monitoring and Statistics	192
Overview	192
Viewing Port Statistics	193
Viewing Port Errors	193
Using the Port Monitoring Display Keys	195
Viewing VLAN Statistics	196
Performing Switch Diagnostics	197
Running Diagnostics	197
Observing LED Behavior During a Diagnostic Test	199
Displaying Diagnostic Test Results	201
Using the System Health Checker	202
Understanding the System Health Checker	202
Enabling Diagnostic Packets on NETGEAR 8800 Switches	203
Configuring Diagnostic Packets on the Switch	203
Disabling Diagnostic Packets on the Switch	203
Displaying the System Health Check Setting	203
System Health Check Examples: Diagnostics	204
Setting the System Recovery Level	205
Configuring Software Recovery	205
Configuring Module Recovery	206
Viewing Fan Information	212
Viewing the System Temperature	213
System Temperature Output	213
Power Supply Temperature	214
Using the Event Management System/Logging	214
Sending Event Messages to Log Targets	215
Filtering Events Sent to Targets	216
Displaying Real-Time Log Messages	225
Displaying Event Logs	226
Uploading Event Logs	226
Displaying Counts of Event Occurrences	227
Displaying Debug Information	228
Logging Configuration Changes	228
Using sFlow	228
Sampling Mechanisms	229
Configuring sFlow	229
Additional sFlow Configuration Options	231
sFlow Configuration Example	232
Displaying sFlow Information	233
Using RMON	233
About RMON	233
Supported RMON Groups of the Switch	234
Configuring RMON	236
Event Actions	237
Displaying RMON Information	237
SMON	237
9. VLANs	238
Overview	238
Benefits	238
Virtual Routers and VLANs	239
Types of VLANs	239
Port-Based VLANs	240
Tagged VLANs	242
Protocol-Based VLANs	244
Precedence of Tagged Packets Over Protocol Filters	246
Default VLAN	246
VLAN Names	246
Renaming a VLAN	247
Configuring VLANs on the Switch	247
Creating and Configuring VLANs	247
Enabling and Disabling VLANs	248
VLAN Configuration Examples	249
Displaying Protocol Information	251
Private VLANs	251
PVLAN Overview	252
Configuring PVLANs	260
Displaying PVLAN Information	263
PVLAN Configuration Example 1	264
PVLAN Configuration Example 2	267
10. FDB	271
Overview	271
FDB Contents	272
How FDB Entries Get Added	272
FDB Entry Types	272
Managing the FDB	274
Adding a Permanent Static Entry	274
Configuring the FDB Aging Time	275
Adding Virtual MAC Entries from IP ARP Packets	275
Clearing FDB Entries	275
Managing Multiple Port FDB Entries	276
Supporting Remote Mirroring	276
Managing FDB MAC Address Tracking	277
Displaying FDB Entries and Statistics	278
Displaying FDB Entries	278
Displaying FDB Statistics	279
MAC-Based Security	279
Managing MAC Address Learning	280
Managing Egress Flooding	281
Displaying Learning and Flooding Settings	282
Creating Blackhole FDB Entries	283
Multicast FDB with Multiport Entry	283
11. Virtual Routers	285
Overview	285
Types of Virtual Routers	286
User Virtual Router Configuration Domain	287
Managing Virtual Routers	288
Creating and Deleting User Virtual Routers	288
Changing the VR Context	289
Adding and Deleting Routing Protocols	289
Configuring Ports to Use One or More Virtual Routers	290
Displaying Ports and Protocols	291
Configuring the Routing Protocols and VLANs	292
Virtual Router Configuration Example	292
12. Policy Manager	294
Overview	294
Creating and Editing Policies	294
Using the Edit Command	295
Using a Separate Machine	295
Checking Policies	296
Refreshing Policies	296
Applying Policies	297
Applying ACL Policies	297
Applying Routing Policies	297
13. ACLs	299
Overview	299
ACL Rule Syntax	300
Matching All Egress Packets	302
Comments and Descriptions in ACL Policy Files	302
Types of Rule Entries	303
Match Conditions	303
Actions	304
Action Modifiers	304
ACL Rule Syntax Details	306
Layer-2 Protocol Tunneling ACLs	312
Dynamic ACLs	313
Creating the Dynamic ACL Rule	313
Configuring the ACL Rule on the Interface	314
Configuring ACL Priority	315
ACL Evaluation Precedence	319
Applying ACL Policy Files	321
Displaying and Clearing ACL Counters	321
Example ACL Rule Entries	322
ACL Mechanisms	325
ACL Slices and Rules	325
ACL Counters—Shared and Dedicated	337
Policy-Based Routing	337
Layer 3 Policy-Based Redirect	338
Layer 2 Policy-Based Redirect	339
Policy-Based Redirection Redundancy	341
ACL Troubleshooting	344
14. Routing Policies	346
Overview	346
Routing Policy File Syntax	346
Policy Match Type	348
Policy Match Conditions	348
Policy Action Statements	351
Applying Routing Policies	352
Policy Examples	353
Translating an access profile to a policy	353
Translating a Route Map to a Policy	354
15. QoS	357
Overview	357
Applications and Types of QoS	359
Traffic Groups	361
Introduction to Rate Limiting, Rate Shaping, and Scheduling	366
Meters	369
QoS Profiles	369
Multicast Traffic Queues	371
Egress Port Rate Limiting and Rate Shaping	371
Configuring QoS	371
Platform Configuration Procedures	372
Selecting the QoS Scheduling Method	373
Configuring 802.1p or DSCP Replacement	374
Configuring Egress QoS Profile Rate Shaping	378
Configuring Egress Port Rate Limits	379
Configuring Traffic Groups	380
Creating and Managing Meters	383
Adjusting the Byte Count Used to Calculate Traffic Rates	384
Controlling Flooding, Multicast, and Broadcast Traffic on Ingress Ports	385
Displaying QoS Configuration and Performance	385
Displaying Traffic Group Configuration Data	385
Displaying the Rate-Limiting and Rate-Shaping Configuration	386
Displaying Performance Statistics	387
16. Network Login	389
Overview	389
Web-Based, MAC-Based, and 802.1x Authentication	390
Multiple Supplicant Support	392
Campus and ISP Modes	392
Network Login and Hitless Failover	393
Configuring Network Login	394
Enabling or Disabling Network Login on the Switch	395
Enabling or Disabling Network Login on a Specific Port	395
Configuring the Move Fail Action	395
Displaying Network Login Settings	396
Exclusions and Limitations	396
Authenticating Users	397
Local Database Authentication	397
802.1x Authentication	402
Interoperability Requirements	402
Enabling and Disabling 802.1x Network Login	403
802.1x Network Login Configuration Example	404
Configuring Guest VLANs	405
Post-authentication VLAN Movement	408
802.1x Authentication and Network Access Protection	408
Web-Based Authentication	412
Enabling and Disabling Web-Based Network Login	413
Configuring the Base URL	413
Configuring the Redirect Page	413
Configuring Proxy Ports	414
Configuring Session Refresh	414
Configuring Logout Privilege	415
Configuring the Login Page	415
Customizable Authentication Failure Response	417
Customizable Graphical Image in Logout Popup Window	417
Web-Based Network Login Configuration Example	418
Web-Based Authentication User Login	419
MAC-Based Authentication	421
Enabling and Disabling MAC-Based Network Login	422
Associating a MAC Address to a Specific Port	422
Adding and Deleting MAC Addresses	423
Displaying the MAC Address List	423
Configuring Reauthentication Period	424
Secure MAC Configuration Example	424
MAC-Based Network Login Configuration Example	425
Additional Network Login Configuration Details	425
Configuring Network Login MAC-Based VLANs	426
Configuring Dynamic VLANs for Network Login	428
Configuring Network Login Port Restart	431
Authentication Failure and Services Unavailable Handling	432
17. Security	434
Overview	434
Safe Defaults Mode	436
MAC Security	436
Limiting Dynamic MAC Addresses	437
MAC Address Lockdown	439
MAC Address Lockdown with Timeout	440
DHCP Server	445
Enabling and Disabling DHCP	445
Configuring the DHCP Server	445
Displaying DHCP Information	446
IP Security	446
DHCP Snooping and Trusted DHCP Server	447
Source IP Lockdown	454
ARP Learning	456
Gratuitous ARP Protection	458
ARP Validation	460
Denial of Service Protection	461
Configuring Simulated Denial of Service Protection	462
Configuring Denial of Service Protection	463
Protocol Anomaly Protection	464
Flood Rate Limitation	464
Authenticating Management Sessions Through the Local Database	465
Authenticating Management Sessions Through a TACACS+ Server	465
Configuring the TACACS+ Client for Authentication and Authorization	466
Configuring the TACACS+ Client for Accounting	468
Authenticating Management Sessions Through a RADIUS Server	471
How NETGEAR Switches Work with RADIUS Servers	472
Configuration Overview for Authenticating Management Sessions	473
Authenticating Network Login Users Through a RADIUS Server	474
How Network Login Authentication Differs from Management Session Authentication	474
Configuration Overview for Authenticating Network Login Users	475
Configuring the RADIUS Client	475
Configuring the RADIUS Client for Authentication and Authorization	475
Configuring the RADIUS Client for Accounting	477
RADIUS Server Configuration Guidelines	479
Configuring User Authentication (Users File)	479
Configuring the Dictionary File	489
Configuring Command Authorization (RADIUS Profiles)	489
Additional RADIUS Configuration Examples	492
Implementation Notes for Specific RADIUS Servers	496
Setting Up Open LDAP	498
Configuring a Windows XP Supplicant for 802.1x Authentication	503
Hyptertext Transfer Protocol	504
Secure Shell 2	504
Enabling SSH2 for Inbound Switch Access	505
Viewing SSH2 Information	507
Using ACLs to Control SSH2 Access	508
Using SCP2 from an External SSH2 Client	510
Understanding the SSH2 Client Functions on the Switch	511
Using SFTP from an External SSH2 Client	512
Secure Socket Layer	513
Enabling and Disabling SSL	514
Creating Certificates and Private Keys	515
Displaying SSL Information	517
18. STP	519
Overview	520
Compatibility Between IEEE 802.1D-1998 and IEEE 802.1D-2004 STP Bridges	520
BPDU Restrict on Edge Safeguard	524
Spanning Tree Domains	526
Member VLANs	527
STPD Modes	529
Encapsulation Modes	530
STP States	531
Binding Ports	532
Rapid Root Failover	534
STPD BPDU Tunneling	535
STP and Hitless Failover—Modular Switches Only	537
STP Configurations	538
Basic STP Configuration	538
Multiple STPDs on a Port	540
VLANs Spanning Multiple STPDs	541
EMISTP Deployment Constraints	542
Per VLAN Spanning Tree	544
STPD VLAN Mapping	545
Native VLAN	545
Rapid Spanning Tree Protocol	545
RSTP Concepts	545
RSTP Operation	550
Multiple Spanning Tree Protocol	557
MSTP Concepts	557
MSTP Operation	567
STP and Network Login	569
STP Rules and Restrictions	571
Configuring STP on the Switch	572
Displaying STP Settings	573
STP Configuration Examples	575
Basic 802.1D Configuration Example	575
EMISTP Configuration Example	576

Match case Limit results 1 per page

Chapter 13.

ACLs

319

NETGEAR 8800 User Manual

To delete a zone use the following command:

delete access-list zone <name>

You must remove all applications from a zone before you can delete the zone. You cannot

delete the default zones.

ACL Evaluation Precedence

This section describes the precedence for evaluation among ACL rules for the NETGEAR

8800 series switches. In many cases there will be more than one ACL rule entry for an

interface. This section describes how multiple rule entries are evaluated.

Multiple rule entries do consume hardware resources. If you find that your situation runs up

against those limits, there are steps you can take to conserve resources by modifying the

order of the ACL entries that you create. For details, see

ACL Mechanisms

on page 325.

The section describes the following topics:

•

Rule Evaluation

on page 319

•

Precedence of Dynamic ACLs

on page 320

•

Precedence of L2/L3/L4 ACL Entries

on page 320

•

Precedence Among Interface Types

on page 320

•

Precedence with Egress ACLs

on page 320

•

Redundant Rules

on page 320

Rule Evaluation

When there are multiple rule entries applied to an interface, evaluation proceeds as follows:

•

A packet is compared to all the rule entry match conditions at the same time.

•

For each rule where the packet matches all the match conditions, the action and any

action modifiers in the

then

statement are taken. If there are any actions or action

modifiers that conflict (deny vs. permit, etc), only the one with higher precedence is taken.

•

If a packet matches no rule entries in the ACL, it is permitted.

Often there will be a lowest-precedence rule entry that matches all packets. This entry will

match any packets not otherwise processed, so that the user can specify an action to

overwrite the default permit action. This lowest-precedence rule entry is usually the last entry

in the ACL policy file applied to the interface.

Note:

When a packet matches more than one rule entry, the highest

precedence conflicting action is taken, so you can use the

precedence to determine if a packet is permitted or denied.

However, incrementing a counter is not a conflicting action, so a

packet that matches more that one rule that increments a common