Mellanox MLNX-OS User Manual for SX1018HP Ethernet Managed Blade Switch
Rev 2.10
Mellanox Technologies
513
Mellanox Technologies Confidential
5.10 Access Control List
An Access Control List (ACL) is a list of permissions attached to an object, used to filter or match the packets that traverse the switch. When a pattern is matched by the hardware lookup engine, a specified action (e.g. permit/deny) is applied. The rule fields represent flow characteristics such as source and destination addresses, protocol and VLAN ID.
ACL support currently allows permit or deny actions, and supports only the ingress direction. The ACL search pattern can be taken from either L2 or L3 fields, e.g. L2/L3 source and destination addresses, protocol, VLAN ID and priority, or TCP port.
5.10.1 Configuring Access Control List
An Access Control List (ACL) is configured by the user and bound to a port; its action is applied once the ACL search engine matches a received packet against the search criteria.
To configure ACL:
Step 1. Log in as admin.
Step 2. Enter config mode. Run:
Step 3. Create a MAC / IPv4 ACL (access-list) entity.
Step 4. Add MAC / IP rules to the appropriate access-list.
Step 5. Bind the created access-list to an interface (slot/port or port-channel).
5.10.2 ACL Actions
An ACL action is a set of actions that can be activated when a packet hits the ACL rule.
To modify the VLAN tag of the egress traffic as part of the ACL “permit” rule:
Step 1. Create an access-list action profile:
a. Create an action access-list profile using the command access-list action <action-profile-name>
b. Add a rule to map a VLAN using the command vlan-map <vlan-id> within the action profile configuration mode
Step 2. Create an access-list and bind the action rule:
a. Create an access-list profile using the command ipv4/mac access-list
b. Add an access list rule using the command deny/permit (action <action profile name>)
switch > enable
switch # configure terminal
switch (config) # mac access-list mac-acl
switch (config mac access-list mac-acl) #
switch (config mac access-list mac-acl) # seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80
switch (config mac access-list mac-acl) # exit
switch (config) #
switch (config) # interface ethernet 1/1
switch (config interface ethernet 1/1) # mac port access-group mac-acl
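As an added example (not code from the Mellanox manual), the following Python models the MAC ACL rule syntax and lookup behaviour described in this section: it parses rule lines in the form shown above, matches constructed frames against the masked source/destination MAC, VLAN, CoS and protocol fields, and applies the first matching rule in seq-number order. The masked-MAC semantics and the treatment of "any" as a wildcard are assumptions drawn from the rule fields; the page does not state what happens when no rule matches, so the lookup returns None in that case.

```python
import re

MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def mac_to_int(mac):
    return int(mac.replace(":", ""), 16)

def _mac_spec(toks, i):
    """Parse 'any' or '<mac> mask <mask>' at toks[i]; return ((value, mask), next_i)."""
    if toks[i] == "any":
        return (0, 0), i + 1          # mask 0: every address matches (assumed wildcard)
    if len(toks) < i + 3 or not MAC_RE.fullmatch(toks[i]) or toks[i + 1] != "mask":
        raise ValueError(f"bad MAC spec: {' '.join(toks[i:i + 3])}")
    return (mac_to_int(toks[i]), mac_to_int(toks[i + 2])), i + 3

def parse_rule(line):
    """Parse one MLNX-OS style MAC rule such as the page's
    'seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80'."""
    toks = line.lower().split()
    if len(toks) < 5 or toks[0] != "seq-number" or toks[2] not in ("permit", "deny"):
        raise ValueError(f"unrecognised rule: {line!r}")
    rule = {"seq": int(toks[1]), "action": toks[2]}
    rule["src"], i = _mac_spec(toks, 3)
    rule["dst"], i = _mac_spec(toks, i)
    while i < len(toks):                 # optional qualifiers, each a key/value pair
        key = toks[i]
        if key not in ("vlan", "cos", "protocol") or i + 1 >= len(toks):
            raise ValueError(f"bad qualifier at {' '.join(toks[i:])!r}")
        rule[key] = int(toks[i + 1])     # compared numerically, as written on the page
        i += 2
    return rule

def matches(rule, frame):
    """Lookup-engine style match: every field the rule specifies must agree."""
    for field in ("src", "dst"):
        value, mask = rule[field]
        if (mac_to_int(frame[field]) & mask) != (value & mask):
            return False
    return all(frame.get(k) == rule[k] for k in ("vlan", "cos", "protocol") if k in rule)

def lookup(rules, frame):
    """First match in seq-number order wins; None when no rule matches
    (the page does not state a default, so the caller decides)."""
    for rule in sorted(rules, key=lambda r: r["seq"]):
        if matches(rule, frame):
            return rule["action"]
    return None

# Constructed ACL: the page's rule, an OUI-wide deny using a partial mask, and a
# single-host permit whose lower seq-number makes it win over the OUI deny.
ACL = [parse_rule(l) for l in (
    "seq-number 10 deny 0a:0a:0a:0a:0a:0a mask ff:ff:ff:ff:ff:ff any vlan 6 cos 2 protocol 80",
    "seq-number 20 deny 00:11:22:00:00:00 mask ff:ff:ff:00:00:00 any",
    "seq-number 15 permit 00:11:22:aa:bb:cc mask ff:ff:ff:ff:ff:ff any",
)]
```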