Manual de Control Interno de Inventarios de la empresa Constructora Construbolivar de la ciudad de Guayaquil

Table 30 describes the commands used to configure access control lists.

NOTE

On the Summit 200-48 switch, ACL ingress and egress ports must belong to the same port group. Port group 1 consists of ports 1 through 24 and port 49; port group 2 consists of ports 25 through 48 and port 50.

Using Access Control Lists

Table 30: Access Control List Configuration Commands

Command Description

create access-list <name>

access-mask <access-mask name> {dest-mac <dest_mac>}

{source-mac <src_mac>} {vlan <name>}

{ethertype [IP | ARP | <hex_value>]} {tos <ip_precedence>

| code-point <code_point>} {ipprotocol

[tcp|udp|icmp|igmp|<protocol_num>]} {dest-ip <dest_IP>/<mask length>} {dest-L4port <dest_port>}

{source-ip <src_IP>/<mask length>} {source-L4port <src_port> | {icmp-type <icmp_type>} {icmp-code <icmp_code>}} {egressport <port>}

{ports <portlist>}

[permit {qosprofile <qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value>}

| permit-established | deny]

Creates an access list. The list is applied to all ingress packets. Options include:

• <name>—Specifies the access control list name. The access list name can be between 1 and 31 characters.

• access-mask—Specifies the associated access mask. Any field specified in the access mask must have a corresponding value specified in the access list.

• dest-mac—Specifies the destination MAC address.

• source-mac—Specifies the source MAC address.

• vlan—Specifies the VLANid.

• ethertype—Specify IP, ARP, or the hex value to match.

• tos—Specifies the IP precedence value.

• code-point—Specifies the DiffServ code point value.

• ipprotocol—Specify an IP protocol, or the protocol number

• dest-ip—Specifies an IP destination address and subnet mask. A mask length of 32 indicates a host entry.

• dest-L4port—Specify the destination port.

• source-ip—Specifies an IP source address and subnet mask.

• source-L4port—Specify the source port.

• icmp-type—Specify the ICMP type.

• icmp-code—Specify the ICMP code.

• egressport—Specify the egress port

• ports—Specifies the ingress port(s) on which this rule is applied.

• permit—Specifies the packets that match the access list description are permitted to be forward by this switch. An optional QoS profile can be assigned to the access list, so that the switch can prioritize packets accordingly.

• set—Modify the DiffServ code point and/or the 802.1p value for matching packets.

• permit-established—Specifies a uni-directional session establishment is denied.

• deny—Specifies the packets that match the access list description are filtered (dropped)

Access Policies

create access-mask <access-mask name> {dest-mac} {source-mac} {vlan} {ethertype} {tos | code-point} {ipprotocol}

{dest-ip /<mask length>} {dest-L4port} {source-ip /<mask length>}

{source-L4port | {icmp-type} {icmp-code}} {permit-established}

{egressport} {ports}

{precedence <number>}

Creates an access mask. The mask specifies which packet fields to examine. Options include:

• <access-mask name>—Specifies the access mask name. The access mask name can be between 1 and 31 characters.

• dest-mac—Specifies the destination MAC address field.

• source-mac—Specifies the source MAC address field.

• vlan—Specifies the VLANid field.

• ethertype—Specifies the Ethertype field.

• tos—Specifies the IP precedence field.

• code-point—Specifies the DiffServ code point field.

• ipprotocol—Specifies the IP protocol field.

• dest-ip—Specifies the IP destination field and subnet mask. You must supply the subnet mask.

• dest-L4port—Specifies the destination port field.

• source-ip—Specifies the IP source address field and subnet mask. You must supply the subnet mask.

• source-L4port—Specifies the source port field.

• icmp-type—Specify the ICMP type field.

• icmp-code—Specify the ICMP code field.

• permit-established—Specifies the TCP SYN/ACK bit fields.

• egressport—Specify the egress port

• ports—Specifies the ingress port(s) on which this rule is applied.

• precedence—Specifies the access mask precedence number. The range is 1 to 25,600.

Table 30: Access Control List Configuration Commands (continued)

Using Access Control Lists

create rate-limit <rule_name> access-mask <access-mask name> {dest-mac <dest_mac>}

{source-mac <src_mac>} {vlan <name>}

{ethertype [IP | ARP | <hex_value>]} {tos <ip_precedence>

| code-point <code_point>} {ipprotocol

[tcp|udp|icmp|igmp|<protocol_num>]} {dest-ip <dest_IP>/<mask length>} {dest-L4port <dest_port>}

{source-ip <src_IP>/<mask length>} {source-L4port <src_port> | {icmp-type <icmp_type>} {icmp-code <icmp_code>}} {egressport <port>}

{port <port number>}

permit {qosprofile <qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value>} limit <rate_in_Mbps> {exceed-action [drop

| set code-point <code_point>}

Creates a rate limit. The rule is applied to all ingress packets. Options include:

• <rule_name>—Specifies the rate limit name, from 1 to 31 characters.

• access-mask—Specifies the associated access mask. Any field specified in the access mask must have a corresponding value specified in the rate limit.

• dest-mac—Specifies the destination MAC address.

• source-mac—Specifies the source MAC address.

• vlan—Specifies the VLANid.

• ethertype—Specify IP, ARP, or the hex value to match.

• tos—Specifies the IP precedence value.

• code-point—Specifies the DiffServ code point value.

• ipprotocol—Specify an IP protocol, or the protocol number

• dest-ip—Specifies the IP destination address and subnet mask. A mask length of 32 indicates a host entry.

• dest-L4port—Specify the destination port.

• source-ip—Specifies the IP source address and subnet mask.

• source-L4port—Specify the source port.

• icmp-type—Specify the ICMP type.

• icmp-code—Specify the ICMP code.

• egressport—Specify the egress port

• port—Specifies the ingress port to which this rule is applied.

• permit—Specifies the packets that match the access list description are permitted to be forward by this switch. An optional QoS profile can be assigned to the access list, so that the switch can prioritize packets accordingly.

• set—Modify the DiffServ code point or the 802.1p value for matching, forwarded, packets.

• limit—Specifies the rate limit

• <rate_in_Mbps>—The rate limit.

For 100 Mbps ports, specify a value from 1 to 100 Mbps in 1 Mbps increments.

For 1000 Mbps ports, specify a value from 8 to 1000 Mbps in increments of 8 Mbps. Table 30: Access Control List Configuration Commands (continued)

Access Policies