Web Management Guide-R03
Table Of Contents
- How to Use This Guide
- Contents
- Figures
- Tables
- Getting Started
- Web Configuration
- Basic Management Tasks
- Displaying System Information
- Displaying Hardware/Software Versions
- Configuring Support for Jumbo Frames
- Displaying Bridge Extension Capabilities
- Managing System Files
- Setting the System Clock
- Configuring the Console Port
- Configuring Telnet Settings
- Displaying CPU Utilization
- Displaying Memory Utilization
- Resetting the System
- Interface Configuration
- VLAN Configuration
- Address Table Settings
- Spanning Tree Algorithm
- Congestion Control
- Class of Service
- Quality of Service
- VoIP Traffic Configuration
- Security Measures
- AAA Authorization and Accounting
- Configuring User Accounts
- Web Authentication
- Network Access (MAC Address Authentication)
- Configuring HTTPS
- Configuring the Secure Shell
- Access Control Lists
- Setting A Time Range
- Showing TCAM Utilization
- Setting the ACL Name and Type
- Configuring a Standard IPv4 ACL
- Configuring an Extended IPv4 ACL
- Configuring a Standard IPv6 ACL
- Configuring an Extended IPv6 ACL
- Configuring a MAC ACL
- Configuring an ARP ACL
- Binding a Port to an Access Control List
- Configuring ACL Mirroring
- Showing ACL Hardware Counters
- ARP Inspection
- Filtering IP Addresses for Management Access
- Configuring Port Security
- Configuring 802.1X Port Authentication
- DoS Protection
- IP Source Guard
- DHCP Snooping
- Basic Administration Protocols
- Configuring Event Logging
- Link Layer Discovery Protocol
- Power over Ethernet
- Simple Network Management Protocol
- Configuring Global Settings for SNMP
- Setting the Local Engine ID
- Specifying a Remote Engine ID
- Setting SNMPv3 Views
- Configuring SNMPv3 Groups
- Setting Community Access Strings
- Configuring Local SNMPv3 Users
- Configuring Remote SNMPv3 Users
- Specifying Trap Managers
- Creating SNMP Notification Logs
- Showing SNMP Statistics
- Remote Monitoring
- Switch Clustering
- IP Configuration
- IP Services
- Multicast Filtering
- Overview
- Layer 2 IGMP (Snooping and Query)
- Configuring IGMP Snooping and Query Parameters
- Specifying Static Interfaces for a Multicast Router
- Assigning Interfaces to Multicast Services
- Setting IGMP Snooping Status per Interface
- Filtering Multicast Data at Interfaces
- Displaying Multicast Groups Discovered by IGMP Snooping
- Displaying IGMP Snooping Statistics
- Filtering and Throttling IGMP Groups
- MLD Snooping (Snooping and Query for IPv6)
- Multicast VLAN Registration
- Basic Management Tasks
- Appendices
- Glossary
- Index
Chapter 12
| Security Measures
Access Control Lists
– 291 –
Auto ACE Compression is a software feature used to compress all the ACEs of an
ACL to utilize hardware resources more efficiency. Without compression, one
ACE would occupy a fixed number of entries in TCAM. So if one ACL includes 25
ACEs, the ACL would need (25 * n) entries in TCAM, where “n” is the fixed
number of TCAM entries needed for one ACE. When compression is employed,
before writing the ACE into TCAM, the software compresses the ACEs to reduce
the number of required TCAM entries. For example, one ACL may include 128
ACEs which classify a continuous IP address range like 192.168.1.0~255. If
compression is disabled, the ACL would occupy (128*n) entries of TCAM, using
up nearly all of the hardware resources. When using compression, the 128 ACEs
are compressed into one ACE classifying the IP address as 192.168.1.0/24,
which requires only “n” entries in TCAM. The above example is an ideal case for
compression. The worst case would be if no any ACE can be compressed, in
which case the used number of TCAM entries would be the same as without
compression. It would also require more time to process the ACEs.
The order in which active ACLs are checked is as follows:
1. User-defined rules in IP and MAC ACLs for ingress or egress ports are checked in
parallel.
2. Rules within an ACL are checked in the configured order, from top to bottom.
3. If the result of checking an IP ACL is to permit a packet, but the result of a MAC
ACL on the same packet is to deny it, the packet will be denied (because the
decision to deny a packet has a higher priority for security reasons). A packet
will also be denied if the IP ACL denies it and the MAC ACL accepts it.
Setting A Time Range Use the Security > ACL (Configure Time Range) page to sets a time range during
which ACL functions are applied.
Command Usage
If both an absolute rule and one or more periodic rules are configured for the same
time range (i.e., named entry), that entry will only take effect if the current time is
within the absolute time range and one of the periodic time ranges.
Parameters
These parameters are displayed:
Add
◆ Time-Range Name – Name of a time range. (Range: 1-16 characters)
Add Rule
◆ Time-Range – Name of a time range.