
Uploaded by bambang-adi, posted 10-Dec-2015



Dell Force10 FTOS Access Control Lists

Module 6

6-2

Objectives

• Understand access control lists (ACLs), how to configure them, and how to troubleshoot them
  – MAC ACLs
  – IP ACLs
  – VTY ACLs
  – SNMP ACLs
  – Loopback ACLs


6-3

Access Control Lists (ACLs)

• FTOS supports two types of access control lists
• Layer 2: MAC ACLs
• Layer 3: IP ACLs
  – Specialized Layer 3 ACLs: VTY ACLs, SNMP ACLs, Loopback ACLs

6-4

MAC ACLs

• Permit or deny traffic based on MAC address
• Standard – based on source MAC address
• Extended – based on:
  – Source MAC address
  – Destination MAC address
  – Ethernet frame type
• Well-known MAC addresses are always permitted
• Implicit permit at the end
• The maximum size of the MAC ACL table is limited by the memory size on each system


6-5

MAC ACLs

• To configure standard MAC ACLs:
  Force10(conf)# mac access-list standard name
  Force10(config-std-macl)# seq number {deny | permit} {any | mac-address mask} [log] [count [byte]]

• To configure extended MAC ACLs:
  Force10(conf)# mac access-list extended name
  Force10(config-ext-macl)# seq number {deny | permit} {any | host mac-address | mac-address mac-address-mask} {any | host mac-address | mac-address mac-address-mask} [ethertype operator] [log] [monitor] [count [byte]]

• To apply MAC ACLs to an interface:
  Force10(conf-if)# mac access-group name {in [vlan range] | out}

• To show a MAC ACL and its counters:
  Force10# show mac accounting access-list name

6-6

IP ACLs

• Permit or deny traffic based on IP address
• Standard – based on source IP address
• Extended – based on:
  – Source IP address
  – Destination IP address
  – IP protocol
• Implicit deny at the end
  – An implicit permit can be selected instead when the ACL is applied (implicit-permit keyword)
• The number of ACLs is dependent on the system memory size


6-7

To Configure IP ACLs

• Standard ACL:
  Force10(conf)# ip access-list standard name
  Force10(config-std-nacl)# seq number {deny | permit} {any | host ip-address | ip-address mask} [log] [count [byte]]

• Extended ACL:
  Force10(conf)# ip access-list extended name
  Force10(config-ext-nacl)# seq number {deny | permit} {ip | ip-protocol-number | tcp | udp | etc} {any | host ip-address | ip-address mask} [{eq | gt | etc} port(s)] {any | host ip-address | ip-address mask} [{eq | gt | etc} port(s)] [precedence number] [tos number] [log] [count [byte]]

6-8

IP ACLs

• To apply IP ACLs to a physical interface:
  Force10(conf-if)# ip access-group name {in | out} [implicit-permit] [vlan {range}]

• ACLs can also be applied to a VLAN interface, filtering VLAN traffic on any port in the VLAN:
  Force10(conf-if-vl)# ip access-group name in [implicit-permit]

• To show an IP ACL and its counters:
  Force10# show ip accounting access-list name
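The two slides above give the syntax; what they do not show is how the entries actually behave once applied: lowest sequence number first, first match wins, and anything left over hits the implicit deny unless the access-group was applied with implicit-permit. The evaluator below is an added example written for this page (it is not Dell or Force10 code). It parses the subset of the extended IP ACL syntax shown above (seq, permit/deny, ip|tcp|udp|icmp or a protocol number, any|host A.B.C.D|A.B.C.D/len, eq|gt|lt|range port operators) and runs constructed packets through a constructed ACL named MGMT-IN. Addresses use the /prefix mask form only; trailing log/count/byte/monitor/precedence/tos keywords are accepted but ignored because they never affect the match. The hit counters model what the count option reports.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO = {"ip": None, "tcp": 6, "udp": 17, "icmp": 1}   # None = any IP protocol
PORT_OPS = {"eq", "gt", "lt", "range"}

# Constructed sample in the FTOS syntax from the slides (only the seq lines are parsed).
ACL_TEXT = """\
ip access-list extended MGMT-IN
 seq 5 permit tcp 10.10.0.0/24 any eq 22 count
 seq 10 permit udp host 10.10.0.5 any eq 161 count
 seq 15 deny ip any any log
"""

@dataclass
class Entry:
    seq: int
    action: str                      # "permit" or "deny"
    proto: Optional[int]             # None = "ip"
    src: ipaddress.IPv4Network
    sport: Optional[Tuple[str, int, int]]   # (op, low, high) or None
    dst: ipaddress.IPv4Network
    dport: Optional[Tuple[str, int, int]]
    hits: int = 0                    # what the "count" keyword would report

def _take_addr(tok: List[str]) -> ipaddress.IPv4Network:
    """Consume any | host A.B.C.D | A.B.C.D/len (the /prefix mask form only)."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(t, strict=False)

def _take_port(tok: List[str]) -> Optional[Tuple[str, int, int]]:
    """Consume an optional eq|gt|lt|range port operator."""
    if not tok or tok[0] not in PORT_OPS:
        return None
    op, low = tok.pop(0), int(tok.pop(0))
    return (op, low, int(tok.pop(0)) if op == "range" else low)

def parse_acl(text: str) -> Tuple[Optional[str], List[Entry]]:
    name, entries = None, []
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "access-list", "extended"]:
            name = tok[3]
        elif tok and tok[0] == "seq":
            seq, action, proto, rest = int(tok[1]), tok[2], tok[3], tok[4:]
            pnum = PROTO[proto] if proto in PROTO else int(proto)
            src = _take_addr(rest)
            sport = _take_port(rest)
            dst = _take_addr(rest)
            dport = _take_port(rest)
            # trailing log / count / byte / monitor / precedence / tos never affect matching
            entries.append(Entry(seq, action, pnum, src, sport, dst, dport))
    return name, entries

def _port_ok(spec, port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:                 # entry needs an L4 port, packet carries none
        return False
    op, low, high = spec
    return {"eq": port == low, "gt": port > low, "lt": port < low, "range": low <= port <= high}[op]

def matches(e: Entry, pkt: dict) -> bool:
    return ((e.proto is None or e.proto == pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in e.src
            and ipaddress.ip_address(pkt["dst"]) in e.dst
            and _port_ok(e.sport, pkt.get("sport"))
            and _port_ok(e.dport, pkt.get("dport")))

def evaluate(entries: List[Entry], pkt: dict, implicit_permit: bool = False) -> str:
    """Lowest seq first, first match wins; unmatched traffic meets the implicit deny
    unless the access-group was applied with the implicit-permit keyword."""
    for e in sorted(entries, key=lambda e: e.seq):
        if matches(e, pkt):
            e.hits += 1
            return e.action
    return "permit" if implicit_permit else "deny"

# Constructed packets: IP protocol number, source, destination, L4 ports.
SSH = {"proto": 6, "src": "10.10.0.7", "dst": "192.0.2.1", "sport": 51000, "dport": 22}
TELNET = dict(SSH, dport=23)
SNMP_LAN = {"proto": 17, "src": "10.10.0.7", "dst": "192.0.2.1", "sport": 51001, "dport": 161}
SNMP_NMS = dict(SNMP_LAN, src="10.10.0.5")
PING = {"proto": 1, "src": "10.10.0.7", "dst": "192.0.2.1"}

def demo():
    """Verdicts for the sample packets plus per-seq hit counts, as 'count' would show them."""
    _, acl = parse_acl(ACL_TEXT)
    pkts = {"ssh": SSH, "telnet": TELNET, "snmp_lan": SNMP_LAN, "snmp_nms": SNMP_NMS, "ping": PING}
    verdicts = {k: evaluate(acl, p) for k, p in pkts.items()}
    return verdicts, {e.seq: e.hits for e in acl}

def shadow_demo():
    """A later-added seq 3 sorts before seq 5 and overrides it: seq 5 never counts a hit."""
    _, acl = parse_acl(ACL_TEXT + " seq 3 deny tcp any any eq 22\n")
    return evaluate(acl, SSH), {e.seq: e.hits for e in acl}

def implicit_permit_demo():
    """Same ACL without its explicit deny: Telnet verdict without and with implicit-permit."""
    _, acl = parse_acl(ACL_TEXT)
    trimmed = [e for e in acl if e.seq != 15]
    return evaluate(trimmed, TELNET), evaluate(trimmed, TELNET, implicit_permit=True)
```

Two things worth noticing from the output: shadow_demo shows why sequence numbers matter when entries are added to a live ACL, since a new low seq silently overrides everything after it and the counters on the shadowed entry stop moving; implicit_permit_demo shows that dropping the explicit deny line changes nothing until someone applies the ACL with implicit-permit, at which point the same list becomes an allow-all.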


6-9

VTY ACLs

• This is an IP ACL applied to VTY (Telnet) sessions
  – A standard IP ACL is used to limit the source IP addresses that can telnet to the switch
  – With local authentication the ACL is attached to the user (username command)
  – With remote authentication the ACL is attached directly to the VTY lines

• To configure VTY ACLs with local authentication, configure the user command:
  Force10(conf)# username name password word access-class acl-name

• To configure VTY ACLs with remote authentication, configure the line command:
  Force10(conf-line-vty)# access-class acl-name

6-10

SNMP & Loopback ACLs

• IP ACL applied to the SNMP server:
  – Limits the source addresses that can access the Force10 through SNMP
• To configure SNMP ACLs:
  Force10(conf)# snmp-server community word {ro | rw} [acl-name]

• IP ACL applied to the Loopback interface:
  – Only loopback 0 is supported for Loopback ACLs
  – Filters traffic that is destined for the CPUs
  – Filters ingress & egress traffic
• To configure Loopback ACLs:
  Force10(conf-if-lo-0)# ip access-group name in [implicit-permit]
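The three management-plane hooks on the last two slides (access-class on the user or on the VTY lines, the ACL name on snmp-server community, and ip access-group ... in on Loopback 0) are easy to forget one at a time, and a single missing one leaves that entry point open to any source. The audit below is an added example, not Dell code: it walks a constructed running-config excerpt written in the command forms shown on these slides and reports every username, VTY line range, SNMP community and Loopback 0 interface that is not tied to a defined IP ACL, plus any reference to an ACL that does not exist. The sample config, its ACL name MGMT-HOSTS and the community strings are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed FTOS running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """\
!
ip access-list standard MGMT-HOSTS
 seq 5 permit 10.10.0.0/24
 seq 10 deny any log
!
username admin password 7 0a1b2c3d4e5f access-class MGMT-HOSTS privilege 15
username backup password 7 5f4e3d2c1b0a privilege 15
!
snmp-server community public ro
snmp-server community s3cr3t rw MGMT-HOSTS
!
interface Loopback 0
 ip address 192.0.2.1/32
 no shutdown
!
line vty 0 4
 access-class MGMT-HOSTS
line vty 5 9
!
"""

def parse_blocks(cfg: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (header line, indented body lines); '!' separators are dropped."""
    blocks = []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def audit(cfg: str) -> List[str]:
    """One finding per management-plane entry point that is not tied to a defined IP ACL."""
    blocks = parse_blocks(cfg)
    acls = {hdr.split()[3] for hdr, _ in blocks
            if hdr.startswith("ip access-list ") and len(hdr.split()) > 3}
    findings, saw_loopback0 = [], False

    def check_ref(name: str, where: str) -> None:
        if name not in acls:
            findings.append(f"{where}: references undefined ACL {name}")

    for hdr, body in blocks:
        tok = hdr.split()
        if tok[0] == "username":
            # local authentication: the ACL rides on the user, not on the line
            if "access-class" in tok:
                check_ref(tok[tok.index("access-class") + 1], hdr)
            else:
                findings.append(f"username {tok[1]}: no access-class, local login accepted from any source")
        elif hdr.startswith("line vty"):
            # remote (AAA) authentication: the ACL must sit on the line itself
            ac = [l.split()[1] for l in body if l.startswith("access-class ")]
            if ac:
                check_ref(ac[0], hdr)
            else:
                findings.append(f"{hdr}: no access-class on the line")
        elif tok[:2] == ["snmp-server", "community"]:
            community, mode = tok[2], tok[3]
            if len(tok) > 4:
                check_ref(tok[4], hdr)
            else:
                findings.append(f"snmp-server community {community} ({mode}): no ACL, reachable from any source")
            if mode == "rw":
                findings.append(f"snmp-server community {community}: rw access, prefer ro unless writes are required")
        elif hdr.lower() == "interface loopback 0":
            saw_loopback0 = True
            applied = [m.group(1) for m in (re.match(r"ip access-group (\S+) in\b", l) for l in body) if m]
            if applied:
                check_ref(applied[0], hdr)
            else:
                findings.append("interface Loopback 0: no 'ip access-group <name> in', CPU-bound traffic is unfiltered")
    if not saw_loopback0:
        findings.append("no interface Loopback 0, so no Loopback ACL can be applied")
    return findings
```

Run against SAMPLE_CONFIG it reports the backup user with no access-class, the public community with no ACL, the rw community, the unfiltered Loopback 0 and the second VTY range with no access-class. The check is deliberately per entry point: with local authentication an access-class on the VTY line alone does not cover a user that lacks one, and an SNMP ACL does nothing for Telnet, so each hook is judged on its own.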


6-11

Troubleshooting: Egress ACLs

• Use ingress and egress ACLs to verify whether packet drops are occurring inside the Dell Force10 device
  – Build permit ACLs with specific entries for the test traffic and the count option, and an explicit permit ip any any at the end
  – Apply the same ACL to the ingress port (in) and the egress port (out)
• Use the IP accounting command for the named ACL to confirm whether traffic is being dropped or not
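The procedure above ends with reading two sets of counters and comparing them by hand. The helper below is an added example (not Dell code) that does the comparison: it parses the per-seq packet counts out of the ingress and egress ACL accounting output and reports, per entry, how many packets entered the switch but never left on the test egress port. The two output blocks are constructed for the example and only follow the general shape of show ip accounting access-list; on a real switch only the "seq N ... count (X packets)" portion is assumed, and a release may print the columns differently, so check the regular expression against your own output first.

```python
import re
from typing import Dict, List, Tuple

# Constructed output in the general shape of "show ip accounting access-list <name>";
# only "seq N <rule> count (X packets)" is parsed, everything else is ignored.
INGRESS_OUT = """\
Extended Ingress IP access list TEST-PATH on TenGigabitEthernet 0/1
 seq 5 permit tcp host 10.1.1.10 host 10.2.2.20 eq 443 count (120345 packets)
 seq 10 permit udp host 10.1.1.10 host 10.2.2.20 eq 514 count (8000 packets)
 seq 15 permit ip any any count (987654 packets)
"""
EGRESS_OUT = """\
Extended Egress IP access list TEST-PATH on TenGigabitEthernet 0/2
 seq 5 permit tcp host 10.1.1.10 host 10.2.2.20 eq 443 count (120345 packets)
 seq 10 permit udp host 10.1.1.10 host 10.2.2.20 eq 514 count (7210 packets)
 seq 15 permit ip any any count (913000 packets)
"""

LINE_RE = re.compile(r"^\s*seq (\d+) (.+?) count \((\d+) packets\)")

def parse_counts(output: str) -> Dict[int, Tuple[str, int]]:
    """Map seq number -> (rule text, packet count) from one accounting listing."""
    counts = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return counts

def compare(ingress: str, egress: str) -> Dict[int, dict]:
    """Per seq: packets counted in, counted out, and how many went missing in between."""
    cin, cout = parse_counts(ingress), parse_counts(egress)
    report = {}
    for seq in sorted(cin):
        rule, n_in = cin[seq]
        n_out = cout.get(seq, (rule, 0))[1]
        report[seq] = {"rule": rule, "in": n_in, "out": n_out, "lost": n_in - n_out}
    return report

def suspects(ingress: str, egress: str) -> List[int]:
    """Seq numbers of specific test-flow entries that lose packets between in and out.
    The catch-all 'permit ip any any' is excluded: its egress count is always lower
    because most of that traffic legitimately exits on other ports or goes to the CPU."""
    return [seq for seq, r in compare(ingress, egress).items()
            if r["lost"] > 0 and not r["rule"].endswith("ip any any")]
```

With the constructed counters, seq 5 (the HTTPS test flow) is fully accounted for on egress while seq 10 (the syslog test flow) shows 790 packets that entered but never left, which is the signal the slide describes. The reason the procedure insists on specific entries for the test traffic is visible in seq 15: a lower egress count on the catch-all proves nothing, so only entries that match a flow you know must exit on the egress port are worth comparing.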

6-12

Summary

• Understand access control lists (ACLs), how to configure them, and how to troubleshoot them
  – MAC ACLs
  – IP ACLs
  – VTY ACLs
  – SNMP ACLs
  – Loopback ACLs