Users Guide

To permit these packets, you must configure an explicit permit statement for the specific hosts or subnetworks with the
deny rule having a lower priority to drop the rest of the packets. The deny ip any any and deny ipv6 any any
rules are implicit. You do not have to configure them explicitly.
MAC ACLs
MAC ACLs filter traffic on the header of a packet. This traffic filtering is based on:
Source MAC: packet address, MAC address range (address mask in 3x4 dotted hexadecimal notation), and any to denote that the rule matches all source addresses.
Destination MAC: packet address, MAC address range (address mask in 3x4 dotted hexadecimal notation), and any to denote that the rule matches all destination addresses.
Packet protocol: set by its EtherType field contents and assigned protocol number for all protocols.
VLAN ID: set in the packet header.
Class of service: present in the packet header.
IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs,
with a limit of one ACL per packet direction per ACL type.
Control-plane ACLs
OS10 offers control-plane ACLs to selectively restrict packets that are destined to the CPU port, thereby providing increased
security. Control-plane ACLs offer:
An option to protect the CPU from denial of service (DoS) attacks.
Fine-grained control to allow or block traffic going to the CPU.
Control-plane ACLs apply on the front-panel and management ports. Control-plane ACLs are one of the following types:
IP ACL
IPv6 ACL
MAC ACL
NOTE: MAC ACL is applied only on packets that enter through the front-panel ports.
There is no implicit deny rule. If none of the configured conditions match, the default behavior is to permit. If you need to deny
traffic that does not match any of the configured conditions, explicitly configure a deny statement.
The control-plane ACL is mutually exclusive with the VTY ACL (the management ACL). The VTY ACL provides secure access for session
connection protocols, such as SSH or TELNET; control-plane ACLs, however, permit or deny any TCP or UDP traffic, including SSH and
TELNET sessions, from specific hosts and networks, and also filter both IPv4 and IPv6 traffic.
Configure control-plane ACL
To configure control-plane ACLs, use the existing ACL template and create the appropriate rules to permit or deny traffic as
needed, similar to creating an access list for VTY ACLs. However, when you apply this control-plane ACL, you must apply it in
CONTROL-PLANE mode instead of VTY mode. For example:
OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in
where acl_name is the name of the control-plane ACL, a maximum of 140 characters.
NOTE: Apply control-plane ACLs on ingress traffic only.
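The default-permit behavior of control-plane ACLs, contrasted with the implicit deny of interface IP ACLs described earlier, as an added example that is not part of the OS10 guide. It models rule evaluation in sequence order on a constructed rule set (the 10.10.0.0/24 management subnet and the sample source addresses are assumptions) and shows why a control-plane ACL that only permits SSH from the management subnet still lets SSH from any other host reach the CPU until an explicit deny is added.

```python
# Added example (not from the OS10 guide): a minimal evaluator for the two ACL
# semantics the guide describes. Interface IPv4 ACLs end with an implicit
# "deny ip any any"; control-plane ACLs have no implicit deny, so unmatched
# traffic is permitted unless a deny rule is configured explicitly.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    seq: int                 # lower sequence number = higher priority
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp", or "ip" (any protocol)
    src: str                 # CIDR prefix or "any"
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, src_ip: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != "any" and ip_address(src_ip) not in ip_network(self.src):
            return False
        return self.dst_port is None or self.dst_port == dst_port

def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_port: int,
             *, control_plane: bool) -> str:
    """First matching rule in sequence order wins. control_plane=True models the
    default-permit of control-plane ACLs; False models the implicit deny of
    interface IP ACLs."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(proto, src_ip, dst_port):
            return rule.action
    return "permit" if control_plane else "deny"

# Constructed sample: SSH to the CPU intended only from the 10.10.0.0/24 management subnet.
MGMT_SSH_ONLY = [Rule(10, "permit", "tcp", "10.10.0.0/24", 22)]
# Same intent with the explicit, lower-priority deny that the guide says you must add.
MGMT_SSH_ONLY_HARDENED = MGMT_SSH_ONLY + [Rule(20, "deny", "tcp", "any", 22)]

def ssh_to_cpu(rules: List[Rule], src_ip: str) -> str:
    """Decision for an SSH packet destined to the CPU under a control-plane ACL."""
    return evaluate(rules, "tcp", src_ip, 22, control_plane=True)

if __name__ == "__main__":
    for name, rules in (("no explicit deny", MGMT_SSH_ONLY),
                        ("explicit deny", MGMT_SSH_ONLY_HARDENED)):
        print(name, "mgmt:", ssh_to_cpu(rules, "10.10.0.5"),
              "other:", ssh_to_cpu(rules, "203.0.113.9"))
```

Note that the explicit deny only covers what it names: a UDP packet to another port still reaches the CPU under the hardened list, so the deny must be as broad as the intended policy.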
Configuration notes
The control-plane MAC ACL is not supported on the management port on all platforms.
Access Control Lists