Home » TP-Link Manuals » Hubs & Switches » TP-Link TL-SG5426 » Manual Viewer

TP-Link TL-SG5426 User Guide - Page 110

Access Control Lists, Configuring Access Control Lists

UPC - 845973020729

Add to My Manuals
Save this manual to your list of manuals

Page 110 highlights

3 Access Control Lists CLI - This example displays the 802.1X statistics for port 4. Console#show dot1x statistics interface ethernet 1/4 4-86 Eth 1/4 Rx: EAPOL Start 2 EAPOL Logoff 0 EAPOL Invalid 0 EAPOL Total 1007 EAP EAP EAP Resp/Id Resp/Oth LenError 672 0 0 Last EAPOLVer 1 Last EAPOLSrc 00-12-CF-94-34-DE Tx: EAPOL Total 2017 Console# EAP Req/Id 1005 EAP Req/Oth 0 Access Control Lists Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4 protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter incoming packets, first create an access list, add the required rules, and then bind the list to a specific port. Configuring Access Control Lists An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all deny rules, the packet is accepted. Command Usage The following restrictions apply to ACLs: • Each ACL can have up to 32 rules. • The maximum number of ACLs is also 32. • The maximum number of rules that can be bound to the ports is 96 for each of the following list types: MAC ACLs, IP ACLs (including Standard and Extended ACLs). • When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail. • The switch does not support the explicit "deny any any" rule for the egress IP ACL. If these rules are included in ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail. The order in which active ACLs are checked is as follows: 1. User-defined rules in the Egress IP ACL for egress ports. 2. User-defined rules in the Ingress IP ACL for ingress ports. 3-67

Section	Page
Chapter 1: Introduction	26
Key Features	26
Description of Software Features	27
System Defaults	31
Chapter 2: Initial Configuration	34
Connecting to the Switch	34
Configuration Options	34
Required Connections	35
Remote Connections	36
Basic Configuration	36
Console Connection	36
Setting Passwords	37
Setting an IP Address	37
Enabling SNMP Management Access	39
Saving Configuration Settings	41
Managing System Files	53
Displaying Switch Hardware/Software Versions	54
Displaying Bridge Extension Capabilities	56
Setting the Switch’s IP Address	57
Enabling Jumbo Frames	60
Managing Firmware	60
Saving or Restoring Configuration Settings	62
Console Port Settings	64
Telnet Settings	66
Configuring Event Logging	68
Renumbering the System	73
Resetting the System	73
Setting the System Clock	74
Simple Network Management Protocol	76
Setting Community Access Strings	76
Specifying Trap Managers and Trap Types	77
Enabling SNMP Agent Status	78
Configuring SNMPv3 Management Access	79
Configuring SNMPv3 Users	80
Configuring Remote SNMPv3 Users	83
Configuring SNMPv3 Groups	84
Setting SNMPv3 Views	88
User Authentication	89
Configuring User Accounts	89
Configuring Local/Remote Logon Authentication	91
Configuring HTTPS	95
Configuring the Secure Shell	97
Configuring Port Security	102
Configuring 802.1X Port Authentication	103
Access Control Lists	110
Configuring Access Control Lists	110
Binding a Port to an Access Control List	116
Filtering IP Addresses for Management Access	117
Port Configuration	119
Displaying Connection Status	119
Configuring Interface Connections	121
Creating Trunk Groups	123
Setting Broadcast Storm Thresholds	134
Configuring Port Mirroring	136
Configuring Rate Limits	137
Showing Port Statistics	138
Address Table Settings	142
Setting Static Addresses	142
Displaying the Address Table	143
Changing the Aging Time	145
Spanning Tree Algorithm Configuration	145
Displaying Global Settings	148
Configuring Global Settings	150
Displaying Interface Settings	154
Configuring Interface Settings	157
Configuring Multiple Spanning Trees	159
Displaying Interface Settings for MSTP	161
Configuring Interface Settings for MSTP	163
VLAN Configuration	165
IEEE 802.1Q VLANs	165
Configuring IEEE 802.1Q Tunneling	176
Enabling QinQ Tunneling on the Switch	180
Adding an Interface to a QinQ Tunnel	181
Configuring Private VLANs	184
Enabling Private VLANs	184
Configuring Uplink and Downlink Ports	185
Protocol VLANs	185
Class of Service Configuration	187
Layer 2 Queue Settings	187
Layer 3/4 Priority Settings	192
Quality of Service	197
Configuring Quality of Service Parameters	198
Multicast Filtering	205
Layer 2 IGMP (Snooping and Query)	205
IGMP Filtering and Throttling	212
Multicast VLAN Registration	218
Displaying MVR Interface Status	219
Displaying Port Members of Multicast Groups	221
Configuring MVR Interface Status	222
Assigning Static Multicast Groups to Interfaces	223
Configuring Domain Name Service	224
Configuring General DNS Service Parameters	224
Configuring Static DNS Host to Address Entries	226
Displaying the DNS Cache	228
DHCP Snooping	229
DHCP Snooping Configuration	230
DHCP Snooping VLAN Configuration	231
DHCP Snooping Information Option Configuration	231
DHCP Snooping Port Configuration	232
DHCP Snooping Binding Information	233
IP Source Guard	234
IP Source Guard Port Configuration	234
Static IP Source Guard Binding Configuration	235
Dynamic IP Source Guard Binding Information	236
Switch Clustering	237
Cluster Configuration	238
Cluster Member Configuration	239
Cluster Member Information	240
Cluster Candidate Information	241
Chapter 4: Command Line Interface	242
Using the Command Line Interface	242
Accessing the CLI	242
Console Connection	242
Telnet Connection	243
Entering Commands	244
Keywords and Arguments	244
Minimum Abbreviation	244
Command Completion	244
Getting Help on Commands	244
Showing Commands	245
Partial Keyword Lookup	246
Negating the Effect of Commands	246
Using Command History	246
Understanding Command Modes	246
Exec Commands	247
Configuration Commands	248
Command Line Processing	249
Command Groups	250
Line Commands	251
line	252
login	252
password	253
timeout login response	254
exec-timeout	254
password-thresh	255
silent-time	256
databits	256
parity	257
speed	258
stopbits	258
disconnect	259
show line	259
General Commands	260
enable	260
disable	261
configure	262
show history	262
reload	263
end	263
exit	264
quit	264
System Management Commands	265
Device Designation Commands	265
User Access Commands	266
IP Filter Commands	268
Web Server Commands	270
Telnet Server Commands	273
Secure Shell Commands	274
Event Logging Commands	284
SMTP Alert Commands	290
Time Commands	294
System Status Commands	298
Frame Size Commands	304
Flash/File Commands	305
copy	305
delete	308
dir	309
whichboot	310
boot system	310
Authentication Commands	311
Authentication Sequence	311
RADIUS Client	314
TACACS+ Client	318
Port Security Commands	320
802.1X Port Authentication	322
Access Control List Commands	330
IP ACLs	331
MAC ACLs	335
ACL Information	340
SNMP Commands	341
snmp-server	342
show snmp	342
snmp-server community	343
snmp-server contact	344
snmp-server location	344
snmp-server host	345
snmp-server enable traps	347
snmp-server engine-id	348
show snmp engine-id	349
snmp-server view	350
show snmp view	351
snmp-server group	351
show snmp group	353
snmp-server user	354
show snmp user	356
Interface Commands	357
interface	357
description	358
speed-duplex	358
negotiation	359
capabilities	360
flowcontrol	361
shutdown	362
switchport broadcast packet-rate	363
clear counters	363
show interfaces status	364
show interfaces counters	365
show interfaces switchport	366
Mirror Port Commands	368
port monitor	368
show port monitor	369
Rate Limit Commands	370
rate-limit	370
Link Aggregation Commands	371
channel-group	372
lacp	373
lacp system-priority	374
lacp admin-key (Ethernet Interface)	375
lacp admin-key (Port Channel)	376
lacp port-priority	377
show lacp	377
Address Table Commands	381
mac-address-table static	381
clear mac-address-table dynamic	382
show mac-address-table	382
mac-address-table aging-time	383
show mac-address-table aging-time	384
Spanning Tree Commands	385
spanning-tree	386
spanning-tree mode	386
spanning-tree forward-time	387
spanning-tree hello-time	388
spanning-tree max-age	389
spanning-tree priority	389
spanning-tree pathcost method	390
spanning-tree transmission-limit	391
spanning-tree mst-configuration	391
mst vlan	392
mst priority	392
name	393
revision	394
max-hops	394
spanning-tree spanning-disabled	395
spanning-tree cost	395
spanning-tree port-priority	396
spanning-tree edge-port	397
spanning-tree portfast	397
spanning-tree link-type	398
spanning-tree mst cost	399
spanning-tree mst port-priority	400
spanning-tree protocol-migration	401
show spanning-tree	401
show spanning-tree mst configuration	403
VLAN Commands	404
GVRP and Bridge Extension Commands	404
Editing VLAN Groups	408
Configuring VLAN Interfaces	410
Displaying VLAN Information	416
Configuring IEEE 802.1Q Tunneling	417
Configuring Private VLANs	420
Configuring Protocol-based VLANs	422
Priority Commands	425
Priority Commands (Layer 2)	425
Priority Commands (Layer 3 and 4)	430
Quality of Service Commands	433
Example	442
Multicast Filtering Commands	442
IGMP Snooping Commands	442
IGMP Query Commands (Layer 2)	447
Static Multicast Routing Commands	450
IGMP Filtering and Throttling Commands	452
Multicast VLAN Registration Commands	458
IP Interface Commands	464
ip address	464
ip default-gateway	465
ip dhcp restart	495
show ip interface	495

Match case Limit results 1 per page

Access Control Lists

3-67

CLI

– This example displays the 802.1X statistics for port 4.

Access Control Lists

Access Control Lists (ACL) provide packet filtering for IP frames (based on address,

protocol, Layer 4 protocol port number or TCP control code) or any frames (based

on MAC address or Ethernet type). To filter incoming packets, first create an access

list, add the required rules, and then bind the list to a specific port.

Configuring Access Control Lists

An ACL is a sequential list of permit or deny conditions that apply to IP addresses,

MAC addresses, or other more specific criteria. This switch tests ingress or egress

packets against the conditions in an ACL one by one. A packet will be accepted as

soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no

rules match for a list of all permit rules, the packet is dropped; and if no rules match

for a list of all deny rules, the packet is accepted.

Command Usage

The following restrictions apply to ACLs:

•

Each ACL can have up to 32 rules.

•

The maximum number of ACLs is also 32.

•

The maximum number of rules that can be bound to the ports is 96 for each of the

following list types: MAC ACLs, IP ACLs (including Standard and Extended ACLs).

•

When an ACL is bound to an interface as an egress filter, all entries in the ACL

must be deny rules. Otherwise, the bind operation will fail.

•

The switch does not support the explicit “deny any any” rule for the egress IP ACL.

If these rules are included in ACL, and you attempt to bind the ACL to an interface

for egress checking, the bind operation will fail.

The order in which active ACLs are checked is as follows:

User-defined rules in the Egress IP ACL for egress ports.

User-defined rules in the Ingress IP ACL for ingress ports.

Console#show dot1x statistics interface ethernet 1/4

4-86

Eth 1/4

Rx: EAPOL

EAPOL

EAP

Start

Logoff

Invalid

Total

Resp/Id

Resp/Oth LenError

1007

672

Last

EAPOLVer

EAPOLSrc

00-12-CF-94-34-DE

Tx: EAPOL

EAP

Total

Req/Id

Req/Oth

2017

1005

Console#