Reference Guide
Table Of Contents
- About this Guide
- Configuration Fundamentals
- Getting Started
- System Management
- Configure Privilege Levels
- Configure Logging
- Log Messages in the Logging Buffer
- Disable System Logging
- Send System Messages to a Syslog Server
- Change System Logging Settings
- Display the Logging Buffer and the Logging Configuration
- Configure a UNIX Logging Facility Level
- Synchronize Log Messages
- Enable Timestamp on Syslog Messages
- File Transfer Services
- Terminal Lines
- Time out of EXEC Privilege Mode
- Telnet to Another Network Device
- Lock CONFIGURATION mode
- Recovering from a Forgotten Password
- Recovering from a Failed Start
- 802.1ag
- Ethernet CFM
- Maintenance Domains
- Maintenance Points
- Maintenance End Points
- Implementation Information
- Configure CFM
- Enable Ethernet CFM
- Create a Maintenance Domain
- Create a Maintenance Association
- Create Maintenance Points
- Continuity Check Messages
- Loopback Message and Response
- Linktrace Message and Response
- Enable CFM SNMP Traps
- Display Ethernet CFM Statistics
- 802.3ah
- 802.1X
- Protocol Overview
- Configuring 802.1X
- Important Points to Remember
- Enabling 802.1X
- Configuring Request Identity Re-transmissions
- Forcibly Authorize or Unauthorize a Port
- Re-Authenticating a Port
- Configuring Timeouts
- Dynamic VLAN Assignment with Port Authentication
- Guest and Authentication-Fail VLANs
- Multi-Host Authentication
- Multi-Supplicant Authentication
- MAC Authentication Bypass
- Dynamic CoS with 802.1X
- IP Access Control Lists (ACL), Prefix Lists, and Route-maps
- Overview
- IP Access Control Lists (ACLs)
- IP Fragment Handling
- Configure a standard IP ACL
- Configure an extended IP ACL
- Configure Layer 2 and Layer 3 ACLs on an Interface
- Assign an IP ACL to an Interface
- Configure Ingress ACLs
- Configure Egress ACLs
- Configure ACLs to Loopback
- IP Prefix Lists
- ACL Resequencing
- Route Maps
- Important Points to Remember
- Bidirectional Forwarding Detection
- Protocol Overview
- Important Points to Remember
- Configure Bidirectional Forwarding Detection
- Border Gateway Protocol IPv4 (BGPv4)
- Protocol Overview
- BGP Attributes
- Multiprotocol BGP
- Implement BGP with FTOS
- Configuration Information
- BGP Configuration
- Defaults
- Configuration Task List for BGP
- Enable BGP
- Configure AS4 Number Representations
- Configure Peer Groups
- BGP fast fall-over
- Configure passive peering
- Maintain existing AS numbers during an AS migration
- Allow an AS number to appear in its own AS path
- Enable graceful restart
- Filter on an AS-Path attribute
- Redistribute routes
- Configure IP community lists
- Manipulate the COMMUNITY attribute
- Change MED attribute
- Change LOCAL_PREFERENCE attribute
- Change NEXT_HOP attribute
- Change WEIGHT attribute
- Enable multipath
- Filter BGP routes
- Configure BGP route reflectors
- Aggregate routes
- Configure BGP confederations
- Enable route flap dampening
- Change BGP timers
- BGP neighbor soft-reconfiguration
- Route map continue
- MBGP Configuration
- BGP Regular Expression Optimization
- Retain NH in BGP Advertisement
- Debug BGP
- Sample Configurations
- Content Addressable Memory
- Content Addressable Memory
- CAM Profiles
- Microcode
- CAM Profiling for ACLs
- Boot Behavior
- When to Use CAM Profiling
- Important Points to Remember
- Select CAM Profiles
- CAM Allocation
- Test CAM Usage
- View CAM Profiles
- View CAM-ACL settings
- View CAM Usage
- Configuring IPv4Flow Sub-partitions
- Configuring Ingress Layer 2 ACL Sub-partitions
- Return to the Default CAM Configuration
- CAM Optimization
- Applications for CAM Profiling
- Troubleshoot CAM Profiling
- Configuration Replace and Rollback
- Archived Files
- Configuring Configuration Replace and Rollback
- Important Points to Remember
- Enable the Archive Service
- Archive a Configuration File
- Replace the Current Running Configuration
- Roll Back to the Previous Configuration
- Configure an Archive File Maximum
- Configure Auto-archive
- Copy and Delete an Archive File
- View and Edit the Contents of an Archive File
- Dynamic Host Configuration Protocol
- Protocol Overview
- Implementation Information
- Configuration Tasks
- Configure the System to be a DHCP Server
- Configure the System to be a Relay Agent
- Configure Secure DHCP
- Equal Cost Multi-Path
- Force10 Resilient Ring Protocol
- Force10 Service Agent
- Implementation Information
- Configure Force10 Service Agent
- Enable Force10 Service Agent
- Specify an SMTP Server for FTSA
- Providing an Administrator E-mail Address
- FTSA Messaging Service
- FTSA Message Types
- FTSA Policies
- Debug FTSA
- GARP VLAN Registration Protocol
- High Availability
- Internet Group Management Protocol
- IGMP Implementation Information
- IGMP Protocol Overview
- Configuring IGMP
- Viewing IGMP Enabled Interfaces
- Selecting an IGMP Version
- Viewing IGMP Groups
- Adjusting Timers
- Configuring a Static IGMP Group
- Enabling IGMP Immediate-leave
- IGMP Snooping
- Fast Convergence after MSTP Topology Changes
- Designating a Multicast Router Interface
- Interfaces
- Basic Interface Configuration:
- Advanced Interface Configuration:
- Interface Types
- View Basic Interface Information
- Enable a Physical Interface
- Physical Interfaces
- Management Interfaces
- VLAN Interfaces
- Loopback Interfaces
- Null Interfaces
- Port Channel Interfaces
- Port channel definition and standards
- Port channel benefits
- Port channel implementation
- 10/100/1000 Mbps interfaces in port channels
- Configuration task list for port channel interfaces
- Create a port channel
- Add a physical interface to a port channel
- Reassign an interface to a new port channel
- Configure the minimum oper up links in a port channel (LAG)
- Add or remove a port channel from a VLAN
- Assign an IP address to a port channel
- Delete or disable a port channel
- Load balancing through port channels
- E-Series load-balancing
- IPv4, IPv6, and non-IP traffic handling on the E-Series
- C-Series and S-Series load-balancing
- Hash algorithm
- Bulk Configuration
- Interface Range Macros
- Monitor and Maintain Interfaces
- Link Debounce Timer
- Link Dampening
- Ethernet Pause Frames
- Configure MTU Size on an Interface
- Port-pipes
- Auto-Negotiation on Ethernet Interfaces
- View Advanced Interface Information
- IPv4 Addressing
- IP Addresses
- Directed Broadcast
- Resolution of Host Names
- ARP
- ARP Learning via Gratuitous ARP
- ARP Learning via ARP Request
- Configurable ARP Retries
- ICMP
- UDP Helper
- Configuring UDP Helper
- Important Points to Remember about UDP Helper
- Enabling UDP Helper
- Configuring a Broadcast Address
- Configurations Using UDP Helper
- Troubleshooting UDP Helper
- IPv6 Addressing
- Protocol Overview
- Implementing IPv6 with FTOS
- ICMPv6
- Path MTU Discovery
- IPv6 Neighbor Discovery
- QoS for IPv6
- IPv6 Multicast
- SSH over an IPv6 Transport
- Configuration Task List for IPv6
- Change your CAM-Profile on an E-Series system
- Adjust your CAM-Profile on an C-Series or S-Series
- Assign an IPv6 Address to an Interface
- Assign a Static IPv6 Route
- Telnet with IPv6
- SNMP over IPv6
- Show IPv6 Information
- Show an IPv6 Interface
- Show IPv6 Routes
- Show the Running-Configuration for an Interface
- Clear IPv6 Routes
- Intermediate System to Intermediate System
- Link Aggregation Control Protocol
- Layer 2
- Managing the MAC Address Table
- MAC Learning Limit
- mac learning-limit dynamic
- mac learning-limit station-move
- mac learning-limit no-station-move
- mac learning-limit sticky
- Displaying MAC Learning-Limited Interfaces
- Learning Limit Violation Actions
- Station Move Violation Actions
- Recovering from Learning Limit and Station Move Violations
- Per-VLAN MAC Learning Limit
- NIC Teaming
- Microsoft Clustering
- Configuring Redundant Pairs
- Restricting Layer 2 Flooding
- Far-end Failure Detection
- Link Layer Discovery Protocol
- 802.1AB (LLDP) Overview
- Optional TLVs
- TIA-1057 (LLDP-MED) Overview
- Configuring LLDP
- Important Points to Remember
- CONFIGURATION versus INTERFACE Configurations
- Enabling LLDP
- Advertising TLVs
- Viewing the LLDP Configuration
- Viewing Information Advertised by Adjacent LLDP Agents
- Configuring LLDPDU Intervals
- Configuring Transmit and Receive Mode
- Configuring a Time to Live
- Debugging LLDP
- Relevant Management Objects
- Multicast Listener Discovery
- Multicast Source Discovery Protocol
- Protocol Overview
- Implementation Information
- Configuring Multicast Source Discovery Protocol
- Enable MSDP
- Manage the Source-active Cache
- Accept Source-active Messages that fail the RFP Check
- Limit the Source-active Messages from a Peer
- Prevent MSDP from Caching a Local Source
- Prevent MSDP from Caching a Remote Source
- Prevent MSDP from Advertising a Local Source
- Log Changes in Peership States
- Terminate a Peership
- Clear Peer Statistics
- Debug MSDP
- MSDP with Anycast RP
- MSDP Sample Configurations
- Multiple Spanning Tree Protocol
- Protocol Overview
- Configure Multiple Spanning Tree Protocol
- Enable Multiple Spanning Tree Globally
- Add and Remove Interfaces
- Create Multiple Spanning Tree Instances
- Influence MSTP Root Selection
- Interoperate with Non-FTOS Bridges
- Modify Global Parameters
- Modify Interface Parameters
- Configure an EdgePort
- Configure a Root Guard
- Configure a Loop Guard
- Flush MAC Addresses after a Topology Change
- Displaying STP Guard Configuration
- MSTP Sample Configurations
- Debugging and Verifying MSTP Configuration
- Multicast Features
- Object Tracking
- Open Shortest Path First (OSPFv2 and OSPFv3)
- Protocol Overview
- Implementing OSPF with FTOS
- Configuration Requirements
- Configuration Task List for OSPFv2 (OSPF for IPv4)
- Enable OSPFv2
- Enable Multi-Process OSPF
- Assign an OSPFv2 area
- Enable OSPFv2 on interfaces
- Configure stub areas
- Configure OSPF Stub-Router Advertisement
- Enable passive interfaces
- Enable fast-convergence
- Change OSPFv2 parameters on interfaces
- Enable OSPFv2 authentication
- Enable OSPFv2 graceful restart
- Configure virtual links
- Filter routes
- Redistribute routes
- Troubleshooting OSPFv2
- Sample Configurations for OSPFv2
- Configuration Task List for OSPFv3 (OSPF for IPv6)
- Enable IPv6 Unicast Routing
- Assign IPv6 addresses on an interface
- Assign Area ID on interface
- Assign OSPFv3 Process ID and Router ID Globally
- Configure stub areas
- Configure Passive-Interface
- Redistribute routes
- Configure a default route
- Enable OSPFv3 graceful restart
- OSPFv3 Authentication Using IPsec
- Troubleshooting OSPFv3
- PIM Dense-Mode
- PIM Sparse-Mode
- Implementation Information
- Protocol Overview
- Important Points to Remember
- Configure PIM-SM
- Enable PIM-SM
- Configurable S,G Expiry Timers
- Configure a Static Rendezvous Point
- Elect an RP using the BSR Mechanism
- Configure a Designated Router
- Create Multicast Boundaries and Domains
- Set a Threshold for Switching to the SPT
- PIM-SM Graceful Restart
- First Packet Forwarding for Lossless Multicast
- Monitoring PIM
- PIM-SM and IGMP Snooping: Usage Notes
- PIM-SM Snooping
- PIM Source-Specific Mode
- Power over Ethernet
- Policy-based Routing
- Port Monitoring
- Private VLANs
- Per-VLAN Spanning Tree Plus
- Protocol Overview
- Implementation Information
- Configure Per-VLAN Spanning Tree Plus
- Enable PVST+
- Modify Global PVST+ Parameters
- Modify Interface PVST+ Parameters
- Configure an EdgePort
- Configure a Root Guard
- Configure a Loop Guard
- PVST+ in Multi-vendor Networks
- PVST+ Extended System ID
- Displaying STP Guard Configuration
- PVST+ Sample Configurations
- Quality of Service
- Implementation Information
- Port-based QoS Configurations
- Policy-based QoS Configurations
- QoS Rate Adjustment
- Strict-priority Queueing
- Weighted Random Early Detection
- Allocating Bandwidth to Multicast Queues
- Pre-calculating Available QoS CAM Space
- Viewing QoS CAM Entries
- Routing Information Protocol
- Remote Monitoring
- Rapid Spanning Tree Protocol
- Protocol Overview
- Configuring Rapid Spanning Tree
- Important Points to Remember
- Configure Interfaces for Layer 2 Mode
- Enable Rapid Spanning Tree Protocol Globally
- Add and Remove Interfaces
- Modify Global Parameters
- Modify Interface Parameters
- Configure an EdgePort
- Influence RSTP Root Selection
- SNMP Traps for Root Elections and Topology Changes
- Fast Hellos for Link State Detection
- Configure a Root Guard
- Configure a Loop Guard
- Displaying STP Guard Configuration
- Security
- Service Provider Bridging
- VLAN Stacking
- VLAN Stacking Packet Drop Precedence
- Dynamic Mode CoS for VLAN Stacking
- Layer 2 Protocol Tunneling
- Provider Backbone Bridging
- sFlow
- Simple Network Management Protocol
- Protocol Overview
- Implementation Information
- Configure Simple Network Management Protocol
- Important Points to Remember
- Create a Community
- Read Managed Object Values
- Write Managed Object Values
- Configure Contact and Location Information using SNMP
- Subscribe to Managed Object Value Updates using SNMP
- Copy Configuration Files Using SNMP
- Manage VLANs using SNMP
- Enable and Disable a Port using SNMP
- Fetch Dynamic MAC Entries using SNMP
- Deriving Interface Indices
- Monitor Port-channels
- Troubleshooting SNMP Operation
- SONET/SDH
- Stacking S-Series Switches
- Broadcast Storm Control
- Spanning Tree Protocol
- Protocol Overview
- Configuring Spanning Tree
- Related Configuration Tasks
- Important Points to Remember
- Configuring Interfaces for Layer 2 Mode
- Enabling Spanning Tree Protocol Globally
- Adding an Interface to the Spanning Tree Group
- Removing an Interface from the Spanning Tree Group
- Modifying Global Parameters
- Modifying Interface STP Parameters
- Enabling PortFast
- Preventing Network Disruptions with BPDU Guard
- STP Root Selection
- STP Root Guard
- SNMP Traps for Root Elections and Topology Changes
- Configuring Spanning Trees as Hitless
- STP Loop Guard
- Displaying STP Guard Configuration
- System Time and Date
- Uplink Failure Detection (UFD)
- Upgrade Procedures
- VLAN
- Virtual Routing and Forwarding (VRF)
- Virtual Router Redundancy Protocol (VRRP)
- FTOS XML Feature
- C-Series Debugging and Diagnostics
- E-Series TeraScale Debugging and Diagnostics
- S-Series Debugging and Diagnostics
- Standards Compliance

IP Access Control Lists (ACL), Prefix Lists, and Route-maps
www.dell.com | support.dell.com
In the following, TCP packets that are first fragments or non-fragmented from host 10.1.1.1 with TCP destination port equal to 24 are permitted. Additionally, all TCP non-first fragments from host 10.1.1.1 are permitted. All other IP packets that are non-first fragments are denied.

FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any eq 24
FTOS(conf-ext-nacl)#permit tcp host 10.1.1.1 any fragment
FTOS(conf-ext-nacl)#deny ip any any fragment
FTOS(conf-ext-nacl)

To log all the packets denied and to override the implicit deny rule and the implicit permit rule for TCP/UDP fragments, use a configuration similar to the following.

FTOS(conf)#ip access-list extended ABC
FTOS(conf-ext-nacl)#permit tcp any any fragment
FTOS(conf-ext-nacl)#permit udp any any fragment
FTOS(conf-ext-nacl)#deny ip any any log
FTOS(conf-ext-nacl)

Note the following when configuring ACLs with the fragments keyword.

When an ACL filters packets it looks at the Fragment Offset (FO) to determine whether or not it is a fragment.
FO = 0 means it is either the first fragment or the packet is a non-fragment.
FO > 0 means it is dealing with the fragments of the original packet.

Permit ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information matches the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
• If a packet's FO > 0, the packet is permitted.
• If a packet's FO = 0, the next ACL entry is processed.

Deny ACL line with L3 information only, and the fragments keyword is present:
If a packet's L3 information does match the L3 information in the ACL line, the packet's fragment offset (FO) is checked.
• If a packet's FO > 0, the packet is denied.
• If a packet's FO = 0, the next ACL line is processed.

Configure a standard IP ACL

To configure an ACL, use commands in the IP ACCESS LIST mode and the INTERFACE mode. The following list includes the configuration tasks for IP ACLs:
For a complete listing of all commands related to IP ACLs, refer to the FTOS Command Line Interface Reference document.
Refer to Configure an extended IP ACL to set up extended ACLs.
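
The fragments-keyword rules and the first example ACL (ABC) from the IP fragment handling notes above, modelled in Python as an added example; this is not FTOS code or output. The Packet and Rule types, the sample packets, and the choice to compare a port only on packets with FO = 0 are assumptions made for the illustration.

```python
from typing import NamedTuple, Optional

class Packet(NamedTuple):
    proto: str                    # "tcp", "udp", ...
    src: str
    fo: int                       # IP Fragment Offset; 0 = first fragment or unfragmented
    dport: Optional[int] = None   # L4 header is only present when fo == 0

class Rule(NamedTuple):
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: str                      # host address or "any"
    dport: Optional[int] = None   # set for "eq <port>" lines
    fragments: bool = False       # line carries the fragments keyword

# The first ACL from this section (destination is "any" in every line, so it is omitted).
ACL_ABC = [
    Rule("permit", "tcp", "10.1.1.1", dport=24),
    Rule("permit", "tcp", "10.1.1.1", fragments=True),
    Rule("deny", "ip", "any", fragments=True),
]

def evaluate(acl, pkt):
    for rule in acl:
        if rule.proto not in ("ip", pkt.proto) or rule.src not in ("any", pkt.src):
            continue                      # L3 information does not match
        if rule.fragments:
            if pkt.fo > 0:
                return rule.action        # FO > 0: permitted or denied by this line
            continue                      # FO = 0: the next ACL entry is processed
        if rule.dport is None:
            return rule.action            # plain L3 line
        # Assumption: a port can only be compared on packets that carry the L4 header.
        if pkt.fo == 0 and pkt.dport == rule.dport:
            return rule.action
    return "deny"                         # implicit deny at the end of the list

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "first/unfragmented, port 24": Packet("tcp", "10.1.1.1", 0, 24),
    "first/unfragmented, port 80": Packet("tcp", "10.1.1.1", 0, 80),
    "non-first TCP fragment from 10.1.1.1": Packet("tcp", "10.1.1.1", 185),
    "non-first UDP fragment, other host": Packet("udp", "10.2.2.2", 185),
}

def classify_samples():
    return {name: evaluate(ACL_ABC, pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{verdict:6}  {name}")
```

The third sample is permitted by the second ACL line whatever port the original packet was addressed to, because the port travels only in the first fragment; the port restriction in the first line is enforced on FO = 0 packets only.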










