Web Management Guide-R04
Table Of Contents
- How to Use This Guide
- Contents
- Figures
- Tables
- Getting Started
- Web Configuration
- Using the Web Interface
- Basic Management Tasks
- Displaying System Information
- Displaying Hardware/Software Versions
- Configuring Support for Jumbo Frames
- Displaying Bridge Extension Capabilities
- Managing System Files
- Setting the System Clock
- Configuring the Console Port
- Configuring Telnet Settings
- Displaying CPU Utilization
- Configuring CPU Guard
- Displaying Memory Utilization
- Resetting the System
- Interface Configuration
- VLAN Configuration
- Address Table Settings
- Spanning Tree Algorithm
- Congestion Control
- Class of Service
- Layer 2 Queue Settings
- Layer 3/4 Priority Settings
- Setting Priority Processing to IP Precedence/DSCP or CoS
- Mapping Ingress DSCP Values to Internal DSCP Values
- Mapping CoS Priorities to Internal DSCP Values
- Mapping Internal DSCP Values to Egress CoS Values
- Mapping IP Precedence Values to Internal DSCP Values
- Mapping IP Port Priority to Internal DSCP Values
- Quality of Service
- VoIP Traffic Configuration
- Security Measures
- AAA Authentication, Authorization and Accounting
- Configuring User Accounts
- Web Authentication
- Network Access (MAC Address Authentication)
- Configuring HTTPS
- Configuring the Secure Shell
- Access Control Lists
- Filtering IP Addresses for Management Access
- Configuring Port Security
- Configuring 802.1X Port Authentication
- DoS Protection
- DHCPv4 Snooping
- DHCPv6 Snooping
- IPv4 Source Guard
- IPv6 Source Guard
- ARP Inspection
- Application Filter
- Basic Administration Protocols
- Configuring Event Logging
- Link Layer Discovery Protocol
- Simple Network Management Protocol
- Configuring Global Settings for SNMP
- Setting Community Access Strings
- Setting the Local Engine ID
- Specifying a Remote Engine ID
- Setting SNMPv3 Views
- Configuring SNMPv3 Groups
- Configuring Local SNMPv3 Users
- Configuring Remote SNMPv3 Users
- Specifying Trap Managers
- Creating SNMP Notification Logs
- Showing SNMP Statistics
- Remote Monitoring
- Switch Clustering
- Setting a Time Range
- Ethernet Ring Protection Switching
- OAM Configuration
- Connectivity Fault Management
- Configuring Global Settings for CFM
- Configuring Interfaces for CFM
- Configuring CFM Maintenance Domains
- Configuring CFM Maintenance Associations
- Configuring Maintenance End Points
- Configuring Remote Maintenance End Points
- Transmitting Link Trace Messages
- Transmitting Loop Back Messages
- Transmitting Delay-Measure Requests
- Displaying Local MEPs
- Displaying Details for Local MEPs
- Displaying Local MIPs
- Displaying Remote MEPs
- Displaying Details for Remote MEPs
- Displaying the Link Trace Cache
- Displaying Fault Notification Settings
- Displaying Continuity Check Errors
- OAM Configuration
- UDLD Configuration
- LBD Configuration
- Smart Pair Configuration
- Multicast Filtering
- Overview
- Layer 2 IGMP (Snooping and Query for IPv4)
- Configuring IGMP Snooping and Query Parameters
- Specifying Static Interfaces for a Multicast Router
- Assigning Interfaces to Multicast Services
- Setting IGMP Snooping Status per Interface
- Filtering IGMP Query Packets and Multicast Data
- Displaying Multicast Groups Discovered by IGMP Snooping
- Displaying IGMP Snooping Statistics
- Filtering and Throttling IGMP Groups
- MLD Snooping (Snooping and Query for IPv6)
- Multicast VLAN Registration for IPv4
- Multicast VLAN Registration for IPv6
- Basic IP Functions
- IP Configuration
- General IP Routing
- IP Services
- Appendices
- Glossary
Chapter 12
| Security Measures
Access Control Lists
– 335 –
Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4/IPv6 frames (based on
address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames
(based on source or destination address), or any frames (based on MAC address or
Ethernet type). To filter incoming packets, first create an access list, add the
required rules, and then bind the list to a specific port.
Configuring Access Control Lists –
An ACL is a sequential list of permit or deny conditions that apply to IP addresses,
MAC addresses, or other more specific criteria. This switch tests ingress or egress
packets against the conditions in an ACL one by one. A packet will be accepted as
soon as it matches a permit rule, or dropped as soon as it matches a deny rule. If no
rules match, the packet is accepted.
Command Usage
The following restrictions apply to ACLs:
◆ The maximum number of ACLs is 256.
◆ The number of rules that can be configured for each ACL is as follows:
■
MAC ACLs - 256 rules maximum per ACL
■
IPv4 ACLs - 256 rules maximum per ACL
■
IPv6 ACLs - 128 rules maximum per ACL
◆ An ACL can have up to the specified maximum number of rules. However, due
to resource restrictions, the average number of rules bound to the ports should
not exceed 20.
◆ The maximum number of rules that can be bound to the ports is 64 for each of
the following list types: MAC ACLs, IP ACLs (including Standard and Extended
ACLs), IPv6 Standard ACLs, and IPv6 Extended ACLs.
The maximum number of rules (Access Control Entries, or ACEs) stated above is
the worst case scenario. In practice, the switch compresses the ACEs in TCAM (a
hardware table used to store ACEs), but the actual maximum number of ACEs
possible depends on too many factors to be precisely determined. It depends
on the amount of hardware resources reserved at runtime for this purpose.
Auto ACE Compression is a software feature used to compress all the ACEs of an
ACL to utilize hardware resources more efficiency. Without compression, one
ACE would occupy a fixed number of entries in TCAM. So if one ACL includes 25
ACEs, the ACL would need (25 * n) entries in TCAM, where “n” is the fixed
number of TCAM entries needed for one ACE. When compression is employed,
before writing the ACE into TCAM, the software compresses the ACEs to reduce
the number of required TCAM entries. For example, one ACL may include 128
ACEs which classify a continuous IP address range like 192.168.1.0~255. If