Reference Guide

Access Control Lists
OS10 uses two types of access policies — hardware-based ACLs and software-based route-maps. Use an ACL to filter traffic and drop or
forward matching packets. To redistribute routes that match configured criteria, use a route-map.
ACLs
ACLs are a lter containing criterion to match; for example, examine IP, TCP, or UDP packets, and an action to take such as forwarding or
dropping packets at the NPU. ACLs permit or deny trac based on MAC and/or IP addresses. The number of ACL entries is hardware-
dependent.
ACLs have only two actions — forward or drop. Route-maps not only permit or block redistributed routes but also modify information
associated with the route when it is redistributed into another protocol. When a packet matches a lter, the device drops or forwards the
packet based on the lter’s specied action. If the packet does not match any of the lters in the ACL, the packet drops (implicit deny).
ACL rules do not consume hardware resources until you apply the ACL to an interface.
ACLs process in sequence. If a packet does not match the criterion in the first filter, the second filter applies. If you configured multiple
hardware-based ACLs, filter rules apply to the packet content based on the NPU rule priority.
Route maps
Route-maps provide software-based filtering when a routing protocol redistributes routes from one protocol to another, and they are also
used as decision criteria in route advertisements. A route-map defines which of the routes from the specified routing protocol are
redistributed into the target routing process; see Route-maps.
A route-map sequence can have more than one match criterion; two or more matches within the same route-map sequence use different match
commands. Matching a packet against these criteria is an AND operation. If no match is found in a route-map sequence, the process moves
to the next route-map sequence until a match is found, or until there are no more sequences. When a match is found, the packet is
forwarded and no additional route-map sequences process. If you include a continue clause in the route-map sequence, the next route-map
sequence also processes after a match is found.
IP ACLs
An ACL lters packets based on the:
IP protocol number
Source and destination IP address
Source and destination TCP port number
Source and destination UDP port number
For ACL TCP and UDP filters, you can match on specific TCP or UDP ports. For ACL TCP filters, you can also match on established
TCP sessions.
When creating an ACL, the sequence of the filters is important. You can assign sequence numbers to the filters as you enter them, or OS10
assigns numbers in the order you create the filters. The sequence numbers display in the show running-configuration and
show ip access-lists [in | out] command output.
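As an added illustration (not from the OS10 guide), the following Python model reproduces the evaluation rules described above: filters ordered by sequence number, first match wins, implicit deny when nothing matches, and an established-TCP match. The packet dictionary layout, the sample prefixes and ports, the auto-numbering-by-10 convention, and the modelling of "established" as ACK or RST set are assumptions of this example, not OS10 behaviour documented on this page.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

TCP, UDP = 6, 17  # IP protocol numbers

@dataclass
class AclEntry:
    """One filter of an IP ACL; a field left as None is a wildcard."""
    action: str                   # "permit" or "deny"
    protocol: int | None = None   # IP protocol number
    src: str | None = None        # source prefix, e.g. "10.1.0.0/16" (constructed)
    dst: str | None = None        # destination prefix
    sport: int | None = None      # source TCP/UDP port
    dport: int | None = None      # destination TCP/UDP port
    established: bool = False     # TCP only: match established sessions
    def matches(self, pkt: dict) -> bool:
        return all([
            self.protocol is None or pkt["protocol"] == self.protocol,
            self.src is None or ip_address(pkt["src"]) in ip_network(self.src),
            self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst),
            self.sport is None or pkt.get("sport") == self.sport,
            self.dport is None or pkt.get("dport") == self.dport,
            # Assumption: "established" means ACK or RST is set, so a bare SYN does not match.
            not self.established or (pkt["protocol"] == TCP and bool(pkt.get("flags", set()) & {"ACK", "RST"})),
        ])

@dataclass
class IpAcl:
    """Filters ordered by sequence number: first match wins, no match is an implicit deny."""
    entries: list[tuple[int, AclEntry]] = field(default_factory=list)
    def add(self, entry: AclEntry, seq: int | None = None) -> int:
        # Caller-supplied sequence number, or the next multiple of 10 (constructed convention).
        seq = seq if seq is not None else (self.entries[-1][0] + 10 if self.entries else 10)
        self.entries.append((seq, entry))
        self.entries.sort(key=lambda e: e[0])
        return seq
    def evaluate(self, pkt: dict) -> tuple[str, int | None]:
        for seq, entry in self.entries:
            if entry.matches(pkt):
                return entry.action, seq  # the first matching filter decides
        return "deny", None  # implicit deny: no filter matched

def sample_acl() -> IpAcl:
    """Constructed example: permit DNS out, permit replies to outbound TCP sessions, drop inbound SSH."""
    acl = IpAcl()
    acl.add(AclEntry("permit", UDP, src="10.1.0.0/16", dport=53))
    acl.add(AclEntry("permit", TCP, dst="10.1.0.0/16", established=True))
    acl.add(AclEntry("deny", TCP, dst="10.1.0.0/16", dport=22), seq=5)  # explicit seq sorts it first
    return acl
```

Note that an inbound HTTP SYN to 10.1.0.0/16 matches none of the three filters and is dropped by the implicit deny, while an inbound ACK on any port is accepted by sequence 20; this is why filter order and the trailing implicit deny matter when reading show ip access-lists output.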