
Dell Force10

FTOS Access Control Lists


Module 6

Objectives

Understand access control lists (ACLs), how to configure them, and how to troubleshoot them:
MAC ACLs
IP ACLs
VTY ACLs
SNMP ACLs
Loopback ACLs

6-2

Access Control Lists (ACLs)

FTOS supports two types of access control lists:
Layer 2:
  MAC ACLs
Layer 3:
  IP ACLs
  Specialized Layer 3 ACLs: VTY ACLs, SNMP ACLs, Loopback ACLs

6-3

MAC ACLs
Permit or deny traffic based on MAC address
Standard: based on source MAC address
Extended: based on source MAC address, destination MAC address, and Ethernet frame type
Well-known MAC addresses are always permitted
Implicit permit at the end
The maximum size of the MAC ACL table is limited by the memory size on each system

6-4

MAC ACLs
To configure standard MAC ACLs:
Force10(conf)# mac access-list standard name
Force10(config-std-macl)# seq number {deny | permit} {any | mac-address mask} [log] [count [byte]]
To configure extended MAC ACLs:
Force10(conf)# mac access-list extended name
Force10(config-ext-macl)# seq number {deny | permit} {any | host mac-address | mac-address mac-address-mask} {any | host mac-address | mac-address mac-address-mask} [ethertype operator] [log] [monitor] [count [byte]]
To apply MAC ACLs:
Force10(conf-if)# mac access-group name {in [vlan range] | out}
To show a MAC ACL:
Force10# show mac accounting access-list name
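A worked configuration that exercises the commands above, added here as an example and not taken from the Dell Force10 module. The ACL names, the MAC addresses (from the 00:00:5e:00:53:xx documentation range) and the interface gigabitethernet 0/1 are constructed; the standard-ACL mask is written on the assumption that FTOS MAC masks are inverse masks (a 0 bit must match), and the lines beginning with ! are annotations rather than commands to type.

```text
! Standard MAC ACL: source-only. Bits set to 0 in the mask must match, so the
! second entry matches any source whose first three octets (OUI) are 00:00:5e.
Force10(conf)# mac access-list standard ALLOW-KNOWN-SRC
Force10(config-std-macl)# seq 5 permit 00:00:5e:00:53:01 00:00:00:00:00:00 count
Force10(config-std-macl)# seq 10 permit 00:00:5e:00:00:00 00:00:00:ff:ff:ff count
! MAC ACLs end in an implicit permit, so unknown sources must be denied explicitly.
Force10(config-std-macl)# seq 100 deny any log count
Force10(config-std-macl)# exit

! Extended MAC ACL: block one rogue station from reaching the gateway MAC,
! count everything else. Without seq 10 the remainder would still be permitted
! (implicit permit), but would not be counted.
Force10(conf)# mac access-list extended BLOCK-ROGUE-TO-GW
Force10(config-ext-macl)# seq 5 deny host 00:00:5e:00:53:aa host 00:00:5e:00:53:01 log count
Force10(config-ext-macl)# seq 10 permit any any count
Force10(config-ext-macl)# exit

! Apply inbound on the access port the rogue station is connected to.
Force10(conf)# interface gigabitethernet 0/1
Force10(conf-if-gi-0/1)# mac access-group BLOCK-ROGUE-TO-GW in
Force10(conf-if-gi-0/1)# end

! Verify: the seq 5 counter should increment when the rogue station sends
! frames to the gateway; seq 10 counts all other frames on the port.
Force10# show mac accounting access-list BLOCK-ROGUE-TO-GW
```

The contrast with IP ACLs is the point to remember: a MAC ACL that contains only deny entries still passes all other traffic because of the implicit permit, whereas an IP ACL with only deny entries blocks everything else.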

6-5

IP ACLs
Permit or deny traffic based on IP address
Standard: based on source IP address
Extended: based on source IP address, destination IP address, and IP protocol
Implicit deny at the end
An implicit permit can be configured instead (the implicit-permit option when the ACL is applied)
The number of ACLs is dependent on the system memory size

6-6

To Configure IP ACLs
Standard ACL
Force10(conf)# ip access-list standard name
Force10(config-std-nacl)# seq number {deny | permit} {any | host ip-address | ip-address mask} [log] [count [byte]]
Extended ACL
Force10(conf)# ip access-list extended name
Force10(config-ext-nacl)# seq number {deny | permit} {ip | ip-protocol-number | tcp | udp | etc} {any | host ip-address | ip-address mask} [{eq | gt | etc} port(s)] {any | host ip-address | ip-address mask} [{eq | gt | etc} port(s)] [precedence number] [tos number] [log] [count [byte]]

6-7

IP ACLs
To apply IP ACLs to a physical interface:
Force10(conf-if)# ip access-group name {in | out} [implicit-permit] [vlan {range}]
ACLs can also be applied to a VLAN interface, filtering VLAN traffic on any port in the VLAN:
Force10(conf-if-vl)# ip access-group name {in | out} [implicit-permit]
To show an IP ACL:
Force10# show ip accounting access-list name
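The IP ACL commands above put to use, as an added example that is not part of the Dell Force10 module. The ACL names, the addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), VLAN 10 and interface gigabitethernet 0/1 are constructed, and source/destination masks are written in /prefix form on the assumption that this is the notation FTOS accepts; lines beginning with ! are annotations.

```text
! Standard IP ACL: source-only. IP ACLs end in an implicit deny; the explicit
! seq 100 entry adds logging and a counter for what would be dropped anyway.
Force10(conf)# ip access-list standard MGMT-NETS
Force10(config-std-nacl)# seq 5 permit 192.0.2.0/24 count
Force10(config-std-nacl)# seq 10 permit host 198.51.100.7 count
Force10(config-std-nacl)# seq 100 deny any log count
Force10(config-std-nacl)# exit

! Extended IP ACL protecting one server: HTTPS from the office network, SSH
! from a single admin host, ICMP from anywhere, everything else denied and
! logged. Entries are evaluated in seq order and the first match wins, so the
! most specific permits come first and the catch-all deny last.
Force10(conf)# ip access-list extended SERVER-IN
Force10(config-ext-nacl)# seq 5 permit tcp 192.0.2.0/24 host 203.0.113.10 eq 443 count
Force10(config-ext-nacl)# seq 10 permit tcp host 198.51.100.7 host 203.0.113.10 eq 22 count
Force10(config-ext-nacl)# seq 15 permit icmp any host 203.0.113.10 count
Force10(config-ext-nacl)# seq 100 deny ip any any log count
Force10(config-ext-nacl)# exit

! Apply inbound on the physical port facing the clients ...
Force10(conf)# interface gigabitethernet 0/1
Force10(conf-if-gi-0/1)# ip access-group SERVER-IN in
Force10(conf-if-gi-0/1)# exit

! ... or on the VLAN interface, which filters VLAN 10 traffic on every member port.
Force10(conf)# interface vlan 10
Force10(conf-if-vl-10)# ip access-group SERVER-IN in
Force10(conf-if-vl-10)# end

! Counters per entry: a rising seq 100 counter shows what is being rejected.
Force10# show ip accounting access-list SERVER-IN
```

Leaving seq gaps of 5 (5, 10, 15 ...) is deliberate: a new entry can be slotted between existing ones without renumbering the list.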

6-8

VTY ACLs
This is an IP ACL applied to VTY (Telnet) sessions
A standard IP ACL is used to limit the source IP addresses that can telnet to the switch
With local authentication, the ACL is attached to the user account (username command)
With remote authentication, the ACL is attached directly to the VTY lines
To configure VTY ACLs with local authentication, configure the command:
Force10(conf)# username name password word access-class acl-name
To configure VTY ACLs with remote authentication, configure the line command:
Force10(conf-line-vty)# access-class acl-name

6-9

SNMP & Loopback ACLs

IP ACL applied to the SNMP server:
Limits the source addresses that can access the Force10 through SNMP
To configure SNMP ACLs:
Force10(conf)# snmp-server community word {ro | rw} [acl-name]

IP ACL applied to the Loopback interface:
Only loopback 0 is supported for Loopback ACLs
Filters traffic that is destined for the CPUs
Filters ingress & egress traffic
To configure Loopback ACLs:
Force10(conf-if-lo-0)# ip access-group name in [implicit-permit]
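The three management-plane ACLs from the VTY slide and the SNMP & Loopback slide, configured together as an added example (not from the Dell Force10 module). The ACL names, the 192.0.2.0/24 management network, the VTY line range 0 9, the user name, the community string placeholder and the /prefix mask notation are all constructed or assumed; lines beginning with ! are annotations.

```text
! One standard ACL describing where management sessions may come from.
Force10(conf)# ip access-list standard MGMT-NETS
Force10(config-std-nacl)# seq 5 permit 192.0.2.0/24 count
Force10(config-std-nacl)# seq 100 deny any log count
Force10(config-std-nacl)# exit

! VTY with remote authentication (AAA server): the ACL goes on the lines.
Force10(conf)# line vty 0 9
Force10(config-line-vty)# access-class MGMT-NETS
Force10(config-line-vty)# exit

! VTY with local authentication: the ACL goes on the user account instead.
! CHANGE-ME is a placeholder for the real password.
Force10(conf)# username netops password CHANGE-ME access-class MGMT-NETS

! SNMP: a read-only, non-default community string, reachable only from MGMT-NETS.
Force10(conf)# snmp-server community PLACEHOLDER-COMMUNITY ro MGMT-NETS

! Loopback 0 ACL: this one sees every packet destined for the CPU, including
! routing-protocol traffic, so it needs its own extended list. Reusing MGMT-NETS
! here would drop OSPF (protocol 89) from peers outside the management network.
Force10(conf)# ip access-list extended CPU-PROTECT
Force10(config-ext-nacl)# seq 5 permit 89 198.51.100.0/24 any count
Force10(config-ext-nacl)# seq 10 permit tcp 192.0.2.0/24 any eq 23 count
Force10(config-ext-nacl)# seq 15 permit udp 192.0.2.0/24 any eq 161 count
Force10(config-ext-nacl)# seq 20 permit icmp any any count
Force10(config-ext-nacl)# seq 100 deny ip any any log count
Force10(config-ext-nacl)# exit
Force10(conf)# interface loopback 0
Force10(conf-if-lo-0)# ip access-group CPU-PROTECT in
Force10(conf-if-lo-0)# end

! Watch the seq 100 counter after applying the loopback ACL: it reveals any
! CPU-bound protocol that was forgotten before adjacencies start to fail.
Force10# show ip accounting access-list CPU-PROTECT
```

The VTY and SNMP ACLs and the loopback ACL differ in scope: the first two filter one service each, while the loopback 0 list is evaluated for all CPU-bound traffic, which is why its permit entries must cover every protocol the switch itself terminates.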

6-10

Troubleshooting: Egress ACLs

Use ingress and egress ACLs to verify whether packet drops are occurring inside the Dell Force10 device:
Create a permit ACL with specific entries for the test traffic, each with the count option, and an explicit permit ip any any at the end
Apply the same ACL to the ingress port and the egress port (in and out, respectively)
Use the IP accounting command for the named ACL to confirm whether the traffic is being dropped or not
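The troubleshooting procedure above carried out end to end, as an added example rather than material from the Dell Force10 module. The ACL name, the test hosts 192.0.2.10 and 203.0.113.20, and the interfaces gigabitethernet 0/1 (ingress) and 0/5 (egress) are constructed; the per-interface form of the show command is assumed to exist, and lines beginning with ! are annotations.

```text
! Test ACL: one counting entry per flow under investigation, then an explicit
! permit ip any any with count. The final entry replaces the implicit deny, so
! the ACL only observes traffic and never drops anything on its own.
Force10(conf)# ip access-list extended DROP-TEST
Force10(config-ext-nacl)# seq 5 permit icmp host 192.0.2.10 host 203.0.113.20 count
Force10(config-ext-nacl)# seq 10 permit tcp host 192.0.2.10 host 203.0.113.20 eq 443 count
Force10(config-ext-nacl)# seq 100 permit ip any any count
Force10(config-ext-nacl)# exit

! Same ACL inbound on the port where the traffic enters ...
Force10(conf)# interface gigabitethernet 0/1
Force10(conf-if-gi-0/1)# ip access-group DROP-TEST in
Force10(conf-if-gi-0/1)# exit

! ... and outbound on the port where it should leave.
Force10(conf)# interface gigabitethernet 0/5
Force10(conf-if-gi-0/5)# ip access-group DROP-TEST out
Force10(conf-if-gi-0/5)# end

! Generate the test traffic from 192.0.2.10, then compare the seq 5 and seq 10
! counters on the two interfaces. Ingress incrementing while egress stays at
! zero means the packets are lost inside the switch (forwarding, another ACL,
! or policy); both incrementing means the switch forwarded them and the drop is
! downstream; neither incrementing means the traffic never arrived on 0/1.
Force10# show ip accounting access-list DROP-TEST interface gigabitethernet 0/1
Force10# show ip accounting access-list DROP-TEST interface gigabitethernet 0/5
```

Remove DROP-TEST from both interfaces once the question is answered; counting entries consume ACL table space, and a forgotten test list is one more place a future change can go wrong.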

6-11

Summary

Understand access control lists (ACLs), how to configure them, and how to troubleshoot them:
MAC ACLs
IP ACLs
VTY ACLs
SNMP ACLs
Loopback ACLs

6-12
