API Guide

Destination MAC address of the packet: MAC address range, an address-mask in 3x4 dotted hexadecimal notation, or any to denote that the rule
matches all destination addresses.
Packet protocol: Set by its EtherType field contents and assigned protocol number for all protocols.
VLAN ID: Set in the packet header.
Class of service: Present in the packet header.
IPv4/IPv6 and MAC ACLs apply separately for inbound and outbound packets. You can assign an interface to multiple ACLs,
with a limit of one ACL per packet direction per ACL type.
Control-plane ACLs
OS10 offers control-plane ACLs to selectively restrict packets that are destined to the CPU port, thereby providing increased
security. Control-plane ACLs offer:
An option to protect the CPU from denial of service (DoS) attacks.
Fine-grained control to allow or block traffic going to the CPU.
Control-plane ACLs apply on the front-panel and management ports. Control-plane ACLs are one of the following types:
IP ACL
IPv6 ACL
MAC ACL
NOTE: MAC ACL is applied only on packets that enter through the front-panel ports.
There is no implicit deny rule. If none of the configured conditions match, the default behavior is to permit. If you need to deny
traffic that does not match any of the configured conditions, explicitly configure a deny statement.
The control-plane ACL is mutually exclusive with the VTY ACL (the management ACL). A VTY ACL secures access for session
connection protocols, such as SSH or TELNET; control-plane ACLs, by contrast, permit or deny any TCP or UDP traffic, including SSH and
TELNET sessions, from specific hosts and networks, and filter both IPv4 and IPv6 traffic.
Configure control-plane ACL
To configure control-plane ACLs, use the existing ACL template and create the appropriate rules to permit or deny traffic as
needed, similar to creating an access list for VTY ACLs. However, when you apply this control-plane ACL, you must apply it in
CONTROL-PLANE mode instead of VTY mode. For example:
OS10# configure terminal
OS10(config)# control-plane
OS10(config-control-plane)# ip access-group acl_name in
where acl_name is the name of the control-plane ACL, a maximum of 140 characters.
NOTE: Apply control-plane ACLs on ingress traffic only.
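The following Python model is an added illustration and is not part of the OS10 guide or OS10 CLI syntax. It shows why the absence of an implicit deny matters for a control-plane ACL: rules are evaluated first-match over the IPv4 qualifiers the guide names (SRC_IP, DST_IP, IP_PROTOCOL, L4_DST_PORT), and a packet that matches nothing is permitted. The rule fields, the management prefix 10.0.0.0/24 and the sample packets are constructed for the example; the Rule and Packet classes are hypothetical and do not mirror OS10 configuration commands.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """A constructed IPv4 packet headed for the CPU port, reduced to the
    IPv4 qualifiers the guide lists (DST_IP, SRC_IP, IP_PROTOCOL, L4_DST_PORT)."""
    src_ip: str
    dst_ip: str
    ip_protocol: str                   # "tcp", "udp", "icmp", ...
    l4_dst_port: Optional[int] = None  # None for protocols without L4 ports


@dataclass(frozen=True)
class Rule:
    """One ACL entry in this hypothetical model (not OS10 rule syntax).
    A qualifier left as None means 'any'."""
    action: str                        # "permit" or "deny"
    src_ip: Optional[str] = None       # prefix in CIDR form
    dst_ip: Optional[str] = None
    ip_protocol: Optional[str] = None
    l4_dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_ip is not None and ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(self.src_ip, strict=False):
            return False
        if self.dst_ip is not None and ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(self.dst_ip, strict=False):
            return False
        if self.ip_protocol is not None and self.ip_protocol.lower() != pkt.ip_protocol.lower():
            return False
        if self.l4_dst_port is not None and pkt.l4_dst_port != self.l4_dst_port:
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides. When nothing matches, a control-plane ACL
    permits the packet: there is no implicit deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "permit"


def with_explicit_deny(rules: List[Rule]) -> List[Rule]:
    """Append the catch-all deny that the guide says must be configured explicitly."""
    return list(rules) + [Rule(action="deny")]


# Constructed example ACL: only the management subnet may reach the CPU's SSH service.
MGMT_ONLY_SSH = [
    Rule("permit", src_ip="10.0.0.0/24", ip_protocol="tcp", l4_dst_port=22),
]


def demo() -> dict:
    """Evaluate a trusted and a non-trusted SSH packet with and without the explicit deny."""
    trusted = Packet("10.0.0.5", "192.0.2.1", "tcp", 22)
    rogue = Packet("198.51.100.7", "192.0.2.1", "tcp", 22)
    return {
        "trusted": evaluate(MGMT_ONLY_SSH, trusted),                            # permit
        "rogue_without_deny": evaluate(MGMT_ONLY_SSH, rogue),                   # permit: nothing matched
        "rogue_with_deny": evaluate(with_explicit_deny(MGMT_ONLY_SSH), rogue),  # deny
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "rogue_without_deny" result is the point: a permit-only list that looks restrictive still lets every non-matching packet reach the CPU, so a control-plane ACL intended as an allow-list needs the trailing deny before it is applied with ip access-group in CONTROL-PLANE mode.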
Control-plane ACL qualifiers
This section lists the supported control-plane ACL rule qualifiers.
NOTE: OS10 supports only the qualifiers listed below. Ensure that you use only these qualifiers in ACL rules.
IPv4 qualifiers:
DST_IP: Destination IP address
SRC_IP: Source IP address
IP_TYPE: IP type
IP_PROTOCOL: Protocols such as TCP, UDP, and so on
L4_DST_PORT: Destination port number
IPv6 qualifiers:
DST_IPv6: Destination address
SRC_IPv6: Source address
Access Control Lists