User`s manual

User’s Manual 161
dot1x operation-mode Allows single or multiple hosts on an dot1x port IC
dot1x re-authenticate Forces re-authentication on specific ports PE
dot1x re-authentication Enables re-authentication for all ports GC
dot1x timeout quiet-period Sets the time that a switch port waits after the Max Request Count has
been exceeded before attempting to acquire a new client
GC
dot1x timeout re-
authperiod
Sets the time period after which a connected client must be re-
authenticated
GC
dot1x timeout tx-period Sets the time period during an authentication session that the switch waits
before re-transmitting an EAP packet
GC
show dot1x Shows all dot1x related information PE
15.5 Access Control List Commands
Access Control Lists (ACL) provide packet filtering for IP frames (based on address, protocol, Layer 4
protocol port number or TCP control code) or any frames (based on MAC address or Ethernet type). To filter
packets, first create an access list, add the required rules, specify a mask to modify the precedence in which
the rules are checked, and then bind the list to a specific port.
An ACL is a sequential list of permit or deny conditions that apply to IP addresses, MAC addresses, or other
more specific criteria. This switch tests ingress or egress packets against the conditions in an ACL one by
one. A packet will be accepted as soon as it matches a permit rule, or dropped as soon as it matches a deny
rule. If no rules match for a list of all permit rules, the packet is dropped; and if no rules match for a list of all
deny rules, the packet is accepted.
There are three filtering modes:
Standard IP ACL mode (STD-ACL) filters packets based on the source IP address.
Extended IP ACL mode (EXT-ACL) filters packets based on source or destination IP address, as well as
protocol type and protocol port number. If the TCP protocol is specified, then you can also filter packets
based on the TCP control code.
MAC ACL mode (MAC-ACL) filters packets based on the source or destination MAC address and the
Ethernet frame type (RFC 1060).
The following restrictions apply to ACLs:
This switch supports ACLs for both ingress and egress filtering. You can only bind one IP ACL and one
MAC ACL to any port for ingress filtering, and one IP ACL and one MAC ACL to any port for egress
filtering. In other words, only four ACLs can be bound to an interface – Ingress IP ACL, Egress IP ACL,
Ingress MAC ACL and Egress MAC ACL.
When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules.
Otherwise, the bind operation will fail.
Each ACL can have up to 32 rules.
The maximum number of ACLs is also 32.
The average number of rules bound the ports should not exceed 20.