Supermicro L2 User manual

L2 / L3 Switches
Access Control Lists (ACL)
Configuration Guide
Revision 1.0
ACL Configuration Guide
Supermicro L2/L3 Switches Configuration Guide
The information in this USER’S MANUAL has been carefully reviewed and is believed to be accurate. The vendor
assumes no responsibility for any inaccuracies that may be contained in this document, makes no commitment to
update or to keep current the information in this manual, or to notify any person or organization of the updates.
Please Note: For the most up-to-date version of this manual, please see our web site at www.supermicro.com.
Super Micro Computer, Inc. (“Supermicro”) reserves the right to make changes to the product described in this
manual at any time and without notice. This product, including software, if any, and documentation may not, in
whole or in part, be copied, photocopied, reproduced, translated or reduced to any medium or machine without
prior written consent.
IN NO EVENT WILL SUPERMICRO BE LIABLE FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, SPECULATIVE OR
CONSEQUENTIAL DAMAGES ARISING FROM THE USE OR INABILITY TO USE THIS PRODUCT OR DOCUMENTATION,
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN PARTICULAR, SUPERMICRO SHALL NOT HAVE
LIABILITY FOR ANY HARDWARE, SOFTWARE, OR DATA STORED OR USED WITH THE PRODUCT, INCLUDING THE
COSTS OF REPAIRING, REPLACING, INTEGRATING, INSTALLING OR RECOVERING SUCH HARDWARE, SOFTWARE, OR
DATA.
Any disputes arising between manufacturer and customer shall be governed by the laws of Santa Clara County in
the State of California, USA. The State of California, County of Santa Clara shall be the exclusive venue for the
resolution of any such disputes. Super Micro's total liability for all claims will not exceed the price paid for the
hardware product.
FCC Statement: This equipment has been tested and found to comply with the limits for a Class A digital device
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful
interference when the equipment is operated in a commercial environment. This equipment generates, uses, and
can radiate radio frequency energy and, if not installed and used in accordance with the manufacturer’s instruction
manual, may cause harmful interference with radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case you will be required to correct the interference at your
own expense.
California Best Management Practices Regulations for Perchlorate Materials: This Perchlorate warning applies only
to products containing CR (Manganese Dioxide) Lithium coin cells. Perchlorate Material-special handling may
apply. See http://www.dtsc.ca.gov/hazardouswaste/perchlorate/ for further details.
Manual Revision 1.0
Release Date: December 18, 2012
Unless you request and receive written permission from Super Micro Computer, Inc., you may not copy any part of
this document.
Information in this document is subject to change without notice. Other products and companies referred to
herein are trademarks or registered trademarks of their respective companies or mark holders.
Copyright © 2012 by Super Micro Computer, Inc.
All rights reserved.
Printed in the United States of America
Contents
1 ACL Configuration Guide
1.1 What is ACL
1.2 How ACL works in Hardware ASIC
1.3 Types of ACL
1.3.1 MAC Extended ACL
1.3.2 IP Standard ACL
1.3.3 IP Extended ACL
1.4 MAC Extended ACL
1.4.1 Creating MAC Extended ACL
1.4.2 Modifying MAC Extended ACL
1.4.3 Removing MAC Extended ACL
1.4.4 Applying MAC Extended ACL to Interfaces
1.4.5 Displaying MAC Extended ACL
1.4.6 MAC Extended ACL Configuration Example 1
1.5 IP Standard ACL
1.5.1 Creating IP Standard ACL
1.5.2 Modifying IP Standard ACL
1.5.3 Removing IP Standard ACL
1.5.4 Applying IP ACL to Interfaces
1.5.5 Displaying IP Standard ACL
1.5.6 IP Standard ACL Configuration Example 1
1.6 IP Extended ACL
1.6.1 Creating IP Extended ACL for IP Traffic
1.6.2 Creating IP Extended ACL for TCP Traffic
1.6.3 Creating IP Extended ACL for UDP Traffic
1.6.4 Creating IP Extended ACL for ICMP Traffic
1.6.5 Modifying IP Extended ACL
1.6.6 Removing IP Extended ACL
1.6.7 Applying IP Extended ACL to Interfaces
1.6.8 Displaying IP Extended ACL
1.6.9 IP Extended ACL Configuration Example 1
1 ACL Configuration Guide
This document describes the Access Control Lists (ACL) feature supported in Supermicro Layer 2 / Layer
3 switch products.
Access Control List configurations with examples are explained in this document in detail.
This document covers the ACL configurations for the below listed Supermicro switch products.
Top of Rack Switches
• SSE-G24-TG4
• SSE-G48-TG4
• SSE-X24S
• SSE-X3348S
• SSE-X3348T
Blade Switches
• SBM-GEM-X2C
• SBM-GEM-X2C+
• SBM-GEM-X3S+
• SBM-XEM-X10SM
The majority of this document is applicable to all the above listed Supermicro switch products. However,
the contents in any particular subsection might vary across these switch product models. In those
sections, the differences are clearly identified with reference to particular switch product models. If any
particular switch product model is not referenced, the reader can safely assume that the content is
applicable for all the listed Supermicro switch product models.
In this entire document, the common term “switch” refers to any of the above listed
Supermicro switch product models unless another switch product model is named.
ACLs are widely used to provide security and Quality of Service (QoS). This document focuses on ACL
configurations only. To learn how to use ACLs for QoS, refer to the QoS Configuration Guide.
1.1 What is ACL
An ACL is used to filter or redirect any particular traffic flow on the switch.
ACLs can be configured to match packets based on Layer 2 MAC, Layer 3 IP or Layer 4 TCP/UDP
parameters.
Every packet entering the switch is checked against the configured ACLs. If a packet's contents match any of
the configured ACLs, that packet is handled according to the action configured for the matched ACL.
ACL configuration provides the following actions that can be applied to a matched traffic flow.
• Deny: The switch drops all packets matching this ACL
• Redirect: The switch redirects all packets matching this ACL to any configured redirect port
• Permit: The switch permits all packets matching this ACL
1.2 How ACL works in Hardware ASIC
Supermicro switches implement ACL in hardware ASIC (Application Specific Integrated Circuit) to provide
line rate ACL processing for all incoming traffic.
User configured ACL rules are programmed in an ACL table in the ASIC. Layer 2 MAC extended ACL and
Layer 3 IP ACL are implemented in two separate hardware tables, which are TCAM tables in the ASIC.
The ASIC analyzes the first 128 bytes of every received packet and extracts the packet contents for key fields
in the Layer 2, Layer 3 and Layer 4 headers. The ASIC looks up the ACL tables to find a matching ACL rule for
the extracted content of the packet. The ASIC compares the values of the configured fields only and it treats
all other fields as “do not care”. Once a matching ACL is found, the ASIC stops looking in that ACL table.
The ASIC applies the configured action of the matching ACL rule to the matched packet. This could result in it
dropping that packet, redirecting it to any particular port or simply allowing the packet to be forwarded
through the switch.
A lookup on the Layer 2 ACL table and the Layer 3 ACL table happens simultaneously. If any packet matches the
ACL rules of both Layer 2 and Layer 3 ACL tables, the actions configured on both ACL rules will be
applied. In this case, conflicting actions configured on Layer 2 and Layer 3 ACL tables for the same traffic
could lead to unpredictable behavior. Hence it is suggested to avoid such ACL use cases.
1.3 Types of ACLs
Supermicro switches support the following three different types of ACLs.
• MAC Extended ACL
• IP Standard ACL
• IP Extended ACL
1.3.1 MAC Extended ACL
A MAC Extended ACL allows users to control the traffic based on fields in Ethernet MAC and VLAN
headers.
Users can configure the traffic flow based on source MAC address, destination MAC address or Ethernet
type field value. Users can also use VLAN identifiers to configure the traffic flow.
Users can choose to deny, redirect or permit the configured traffic flow using a MAC Extended ACL.
1.3.2 IP Standard ACL
An IP Standard ACL allows users to control the traffic based on the fields in an IP header.
Users can configure the traffic flow based on source IP address and destination IP address.
Users can choose to deny, redirect or permit the configured traffic flow using an IP Standard ACL.
1.3.3 IP Extended ACL
An IP Extended ACL allows users to control the traffic based on fields in an IP header, ICMP header, TCP
header and UDP header.
Users can configure the traffic flow based on source IP address, destination IP address, protocol field in
IP header, TOS field in IP header or by using a DSCP priority in an IP header.
Users can also configure the traffic flow based on ICMP message type, ICMP message code, TCP port
number or UDP port number.
Users can choose to deny, redirect or permit the configured traffic flow using an IP Extended ACL.
1.4 MAC Extended ACL
Supermicro switches support up to 128 MAC Extended ACLs.
Users can define a MAC Extended ACL with a deny, permit or redirect action rule. A MAC Extended ACL
can be defined with only one rule. To implement multiple rule ACLs, configure multiple MAC Extended
ACLs.
There is no implied deny all rule in Supermicro switch ACLs. By default, all packets not
matching a configured ACL rule will be forwarded automatically. For any traffic to be denied,
it has to be configured with an explicit deny rule.
The permit rule is widely used for QoS applications. In some cases permit rules are useful when all traffic
is denied by a rule and a few specific hosts are to be permitted. In this case, permit rules have to be
created before deny rules to make sure switch hardware processes permit rules first.
MAC Extended ACLs allow users to configure the traffic flow with the following fields.
• Source MAC Address
• Destination MAC Address
• Non-IP Protocol
• Ethernet type field in an Ethernet Header
• VLAN Identifier
MAC Extended ACL rules can be created and identified either with an ACL number such as 1, 2, 3 or with
a name string. An ACL identifier number can be any number from 1 to 65535. An ACL identifier name
can be any string not exceeding 32 characters in length.
1.4.1 Creating MAC Extended ACLs
Follow the steps below to create a MAC Extended ACL.

Step 1
Command: configure terminal
Description: Enter the configuration mode

Step 2
Command: mac access-list extended { <access-list-number> | <access-list-name> }
Description: Creates a MAC Extended ACL using the mac access-list extended command.
access-list-number – can be any number from 1 to 65535
access-list-name – any name string up to 32 characters.

Step 3
Command:
deny { any | host <src-mac-address> } { any | host <dest-mac-address> } [ aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-id | <protocol (0-65535)> ] [ encaptype <value (1-65535)> ] [ Vlan <vlan-id (1-4069)> ] [ priority <value (1-255)> ]
or
permit { any | host <src-mac-address> } { any | host <dest-mac-address> } [ aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-id | <protocol (0-65535)> ] [ encaptype <value (1-65535)> ] [ Vlan <vlan-id (1-4069)> ] [ priority <value (1-255)> ]
or
redirect <interface-type> <interface-id> { any | host <src-mac-address> } { any | host <dest-mac-address> } [ aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-id | <protocol (0-65535)> ] [ encaptype <value (1-65535)> ] [ Vlan <vlan-id (1-4069)> ] [ priority <value (1-255)> ]
Description: Configures a deny ACL rule, a permit ACL rule or a redirect ACL rule.
The source and destination MAC addresses are provided with the keyword host. The keyword any is used
to refer to any MAC address. If a source or destination MAC address is configured as any, the switch will not
check that source or destination MAC address to match the packets for this ACL.
Users can configure any of the following non-IP protocols to match for this rule.
aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console | mop-dump | msdos | mumps | netbios | vines-echo | vines-ip | xns-id
Alternatively, users can configure the protocol number to be matched for this ACL rule.
This Non-IP protocol or protocol type is an optional parameter. If not provided, the switch will not check
the Non-IP protocol field while matching packets for this ACL.
The encaptype keyword can be used to configure the Ethernet header Encap Type field to be matched to
apply this ACL rule. This encaptype is an optional parameter. If not provided, the switch will not check
this field while matching packets for this ACL.
If this ACL rule is to be applied only to a particular VLAN, the user can configure the VLAN number using
the Vlan keyword. This Vlan is an optional parameter. If not provided, the switch will not check the VLAN
while matching packets for this ACL.
The priority keyword lets the user assign a priority for this ACL rule. This priority is an optional
parameter. It can be any value from 1 to 255. The default value is 1.
A redirect ACL rule needs additional <interface-type> <interface-id> parameters to define the port to
which the packets matching this ACL rule need to be redirected.

Step 4
Command: show access-lists
Description: Displays the configured ACL rules

Step 5
Command: write startup-config
Description: Optional step – Saves this ACL configuration to be part of startup configuration.

Every ACL is applied to all ports by default. Any ACL that needs to be applied only to
particular ports needs to be configured as described in section Applying MAC Extended ACL
to Interfaces.
The below examples show various ways of creating a MAC Extended ACL.
Create a deny MAC Extended ACL with ACL number 100 to deny all traffic from MAC 00:25:90:01:02:03
SMIS# configure terminal
SMIS(config)# mac access-list extended 100
SMIS(config-ext-macl)# deny host 00:25:90:01:02:03 any
Create a permit MAC Extended ACL with ACL name acl_cw3 to permit all traffic from MAC
00:25:30:01:02:03
SMIS# configure terminal
SMIS(config)# mac access-list extended acl_cw3
SMIS(config-ext-macl)# permit host 00:25:30:01:02:03 any
Create a redirect MAC Extended ACL to redirect all packets from MAC 00:25:90:01:02:03 going to MAC
00:25:90:01:02:04 to interface gi 0/10.
SMIS# configure terminal
SMIS(config)# mac access-list extended 1
SMIS(config-ext-macl)# redirect gi 0/10 host 00:25:90:01:02:03 host 00:25:90:01:02:04
1.4.2 Modifying MAC Extended ACLs
To modify a configured MAC Extended ACL, follow the same steps used to create a MAC Extended ACL.
When users modify an ACL with a deny, permit or redirect rule, the previously configured rule and its
parameters for that ACL will be completely overwritten with the newly provided rules and parameters.
The below example shows a MAC Extended ACL rule 50 that is created and later modified with different
parameters.
SMIS# configure terminal
SMIS(config)# mac access-list extended 50
SMIS(config-ext-macl)# deny host 00:25:90:01:02:03 any
SMIS(config-ext-macl)# end
# Modify this ACL’s rule 50 to deny traffic destined to a particular host MAC instead of any
SMIS# configure terminal
SMIS(config)# mac access-list extended 50
SMIS(config-ext-macl)# deny host 00:25:90:01:02:03 host 00:25:90:01:02:04
1.4.3 Removing MAC Extended ACLs
Follow the steps below to remove MAC Extended ACLs.

Step 1
Command: configure terminal
Description: Enters the configuration mode

Step 2
Command: no mac access-list extended { <access-list-number> | <access-list-name> }
Description: Deletes a MAC Extended ACL using the no mac access-list extended command.
access-list-number – the ACL number that needs to be deleted
access-list-name – the name of the ACL that needs to be deleted

Step 3
Command: show access-lists
Description: Displays the configured ACL rules to make sure the deleted ACL is removed properly

Step 4
Command: write startup-config
Description: Optional step – Saves this ACL configuration to be part of startup configuration.

The example below shows how to remove a MAC Extended ACL.
SMIS# configure terminal
SMIS(config)# no mac access-list extended 50
1.4.4 Applying MAC Extended ACLs to Interfaces
MAC Extended ACLs are applied to all physical interfaces by default. If users prefer to apply any MAC
Extended ACL only to certain ports, the steps below need to be followed.
Adding MAC Extended ACL to port

Step 1
Command: configure terminal
Description: Enters the configuration mode

Step 2
Command: interface <interface-type> <interface-id>
or
interface range <interface-type> <interface-id> ….
Description: The port or port lists on which this MAC Extended ACL needs to be applied.

Step 3
Command: mac access-group { <short (1-65535)> | <string(32)> } in
Description: Adds the MAC Extended ACL to this port.
access-list-number – the ACL number that needs to be added
access-list-name – the name of the ACL that needs to be added

Step 4
Command: show access-lists
Description: Displays the configured ACL rules to make sure this port is added to the required ACL.

Step 5
Command: write startup-config
Description: Optional step – Saves this ACL configuration to be part of startup configuration.

The example below shows applying a MAC Extended ACL rule 100 to ports gi 0/1 and gi 0/10.
SMIS# configure terminal
SMIS(config)# int gi 0/1
SMIS(config-if)# mac access-group 100 in
SMIS(config-if)# exit
SMIS(config)# int gi 0/10
SMIS(config-if)# mac access-group 100 in
Removing MAC Extended ACL from port

Step 1
Command: configure terminal
Description: Enters the configuration mode

Step 2
Command: interface <interface-type> <interface-id>
or
interface range <interface-type> <interface-id> ….
Description: The port or port lists from which this MAC Extended ACL needs to be removed.

Step 3
Command: no mac access-group { <short (1-65535)> | <string(32)> } in
Description: Removes the MAC Extended ACL from this port.
access-list-number – the ACL number that needs to be removed from this interface.
access-list-name – the name of the ACL which needs to be removed from this interface.

Step 4
Command: show access-lists
Description: Displays the configured ACL rules to make sure this port is removed from required ACL.

Step 5
Command: write startup-config
Description: Optional step – Saves this ACL configuration to be part of startup configuration.

1. When a MAC Extended ACL is removed from all the ports it was applied to, that ACL
will become a switch-wide ACL (applied to all physical ports).
2. MAC Extended ACLs can be added only to physical ports like gi, ex or qx ports. They
cannot be added to Layer 3 vlan interfaces or port channel interfaces.
3. A MAC Extended ACL can be applied to many ports by following the above steps. In
the same way, many MAC Extended ACLs can be applied to a single port.
The example below shows the commands for removing a MAC Extended ACL from a port.
SMIS# configure terminal
SMIS(config)# int gi 0/1
SMIS(config-if)# no mac access-group 100 in
1.4.5 Displaying MAC Extended ACLs

Step 1
Command: show access-lists
or
show access-lists mac { <access-list-number (1-32768)> | <access-list-name> }
Description: Enters the configuration mode
access-list-number – the ACL number that needs to be displayed
access-list-name – the name of the ACL which needs to be displayed

The show command displays the following information for every MAC Extended ACL:
Filter Priority: ACL’s configured or default priority
Protocol Type: Configured non-IP protocol. If not configured, it shall be displayed as zero.
EncapType: Configured Encaptype. If not configured, it shall be displayed as zero.
Vlan Id: Configured VLAN identifier.
Destination MAC Address: Configured destination host MAC address. Displays 00:00:00:00:00:00 for any destination MAC address
Source MAC Address: Configured source host MAC address. Displays 00:00:00:00:00:00 for any source MAC address
In Port List: The list of ports this ACL is applied to. If it is applied to all ports, this will be NIL.
Filter Action: Configured ACL action rule – deny, permit or redirect
Status: Current status of the ACL. The status should normally be active. In case of configuration errors, the ACL status may be inactive.
The below example displays a MAC Extended ACL
SMIS# show access-lists mac 100
Extended MAC Access List 100
-----------------------------
Filter Priority : 1
Protocol Type : 0
EncapType : 0
Vlan Id :
Destination MAC Address : 00:25:90:01:02:03
Source MAC Address : 00:00:00:00:00:00
In Port List : Gi0/2
Filter Action : Deny
Status : Active
1.4.6 MAC Extended ACL Configuration Example 1
This example describes the commands required to implement the following ACL requirements on the
network setup shown in Figure ACL-1.
ACL 1 – Deny all traffic going from Server A to the gateway.
ACL 2 – Redirect all vlan 20 traffic coming from the gateway to server B.
Figure ACL-1: MAC Extended ACL Example 1
[Figure labels: Local Network; Server A 00:25:90:01:01:0a; Server B 00:25:90:01:01:0b; Gateway 00:25:90:01:01:0c; Switch ports Gi 0/1, Gi 0/5, Gi 0/10]
ACL 1 Configuration
SMIS# configure terminal
SMIS(config)# mac access-list extended 1
SMIS(config-ext-macl)# deny host 00:25:90:01:01:0a host 00:25:90:01:01:0c
ACL 2 Configuration
SMIS# configure terminal
SMIS(config)# mac access-list extended 2
SMIS(config-ext-macl)# redirect gi 0/5 host 00:25:90:01:01:0c any vlan 20
1.5 IP Standard ACLs
Supermicro switches support 128 IP ACLs, which includes both IP Standard and IP Extended ACLs.
Users can define IP Standard ACLs with deny, permit or redirect action rules. An IP Standard ACL can be
defined with only one rule. To implement multiple rule ACLs, configure multiple IP Standard ACLs.
There is no implied deny all rule in Supermicro switch ACLs. By default, all packets not
matching a configured ACL rule will be forwarded automatically. For any traffic to be denied,
it has to be configured with an explicit deny rule.
The permit rule is widely used for QoS applications. In some cases permit rules are useful when all traffic
is denied by a rule and a few specific hosts are to be permitted. In this case, permit rules have to be
created before deny rules to make sure switch hardware processes permit rules first.
IP Standard ACLs allow users to configure the traffic flow with the following fields.
• Source IP Address
• Destination IP Address
IP Standard ACL rules can be created and identified either with an ACL number such as 1, 2 or 3 or
with a name string. An ACL identifier number can be any number from 1 to 32768. An ACL identifier
name can be any string not exceeding 32 characters in length.
IP Standard ACLs and IP Extended ACLs share the same ACL numbers and names. Hence ACL
numbers and names across all IP Standard and IP Extended ACLs have to be unique. In other
words, the same ACL number or name cannot be used for both IP Standard ACLs and IP
Extended ACLs.
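The lookup behaviour described in sections 1.2, 1.4 and 1.5 (separate Layer 2 and Layer 3 tables, first match per table, no implied deny, permit created before deny) is modelled below in Python. This is an added example, not part of the original guide or Supermicro software. It assumes ACLs are consulted in creation order and ignores the priority keyword; the class names, function names and sample addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # CLI keyword "any": the ASIC treats the field as "do not care"


@dataclass
class MacAcl:
    """One-rule MAC Extended ACL (hypothetical model class)."""
    ident: str
    action: str                 # "deny", "permit" or "redirect"
    src: Optional[str] = ANY
    dst: Optional[str] = ANY
    vlan: Optional[int] = ANY

    def matches(self, pkt: dict) -> bool:
        # Only configured fields are compared; ANY always matches.
        return (self.src in (ANY, pkt["src_mac"])
                and self.dst in (ANY, pkt["dst_mac"])
                and self.vlan in (ANY, pkt["vlan"]))


@dataclass
class IpAcl:
    """One-rule IP Standard ACL (hypothetical model class)."""
    ident: str
    action: str
    src: str = "0.0.0.0/0"      # address/mask; /0 models "any"
    dst: str = "0.0.0.0/0"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src_ip"]) in ip_network(self.src)
                and ip_address(pkt["dst_ip"]) in ip_network(self.dst))


def first_match(table, pkt):
    """Walk one table in creation order (assumption) and stop at the first hit."""
    for acl in table:
        if acl.matches(pkt):
            return acl
    return None


def classify(mac_table, ip_table, pkt):
    """Return (verdict, [ids of matching ACLs]) for one packet.

    Both tables are consulted for every packet. A packet that matches
    nothing is forwarded, because there is no implied deny-all rule.
    """
    hits = [h for h in (first_match(mac_table, pkt),
                        first_match(ip_table, pkt)) if h]
    actions = {h.action for h in hits}
    if not hits:
        verdict = "forward"
    elif len(actions) > 1:
        verdict = "conflict"    # the guide calls this case unpredictable
    else:
        verdict = actions.pop()
    return verdict, [h.ident for h in hits]


# Constructed sample traffic; the addresses are illustrative only.
ADMIN = {"src_mac": "00:25:90:aa:00:01", "dst_mac": "00:25:90:aa:00:ff",
         "vlan": 10, "src_ip": "172.10.10.10", "dst_ip": "172.10.10.1"}
OTHER = dict(ADMIN, src_mac="00:25:90:aa:00:02", src_ip="172.10.10.20")

PERMIT_ADMIN = MacAcl("10", "permit", src=ADMIN["src_mac"])
DENY_ALL = MacAcl("20", "deny")          # models "deny any any"
PERMIT_NET = IpAcl("30", "permit", src="172.10.0.0/255.255.0.0")


def demo():
    """Run the cases the guide warns about and return their verdicts."""
    return {
        "no_acls": classify([], [], OTHER)[0],
        "permit_first_admin": classify([PERMIT_ADMIN, DENY_ALL], [], ADMIN)[0],
        "permit_first_other": classify([PERMIT_ADMIN, DENY_ALL], [], OTHER)[0],
        "deny_first_admin": classify([DENY_ALL, PERMIT_ADMIN], [], ADMIN)[0],
        "l2_l3_clash": classify([DENY_ALL], [PERMIT_NET], ADMIN),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20} {result}")
```

The deny_first_admin case shows why the guide requires the permit rule to be created first, and l2_l3_clash shows the Layer 2 / Layer 3 combination the guide advises against.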
1.5.1 Creating IP Standard ACLs
Follow the steps below to create an IP Standard ACL.

Step 1
Command: configure terminal
Description: Enters the configuration mode

Step 2
Command: ip access-list standard { <access-list-number(1-32768)> | <access-list-name> }
Description: Creates an IP Standard ACL using the ip access-list standard command.
access-list-number – can be any number from 1 to 32768
access-list-name – can be any name string up to 32 characters.

Step 3
Command:
deny { any | host <ucast_addr> | <ucast_addr> <ip_mask> } [ { any | host <ip_addr> | <ip_addr> <ip_mask> } ]
or
permit { any | host <src-ip-address> | <src-ip-address> <mask> } [ { any | host <dest-ip-address> | <dest-ip-address> <mask> } ]
or
redirect <interface-type> <interface-id> { any | host <src-ip-address> | <src-ip-address> <mask> } [ { any | host <dest-ip-address> | <dest-ip-address> <mask> } ]
Description: Configures a deny ACL rule or permit ACL rule or redirect ACL rule.
The source and destination IP addresses are provided with the keyword host.
The keyword any is used to refer to any IP addresses.
To configure a network IP, address and mask could be provided.
A redirect ACL rule needs additional <interface-type> <interface-id> parameters to define the port to
which the packets matching this ACL rule need to be redirected.

Step 4
Command: show access-lists
Description: Displays the configured ACL rule

Step 5
Command: write startup-config
Description: Optional step – Saves this ACL configuration to be part of startup configuration.

Every ACL is applied to all ports by default. If any ACL needs to be applied only to particular
ports, it needs to be configured as described in section Applying IP ACL to Interfaces.
The examples below show different ways to create IP Standard ACLs.
Create a deny IP Standard ACL with ACL number 100 to deny all traffic from IP 172.10.10.10 to IP
172.10.10.1
SMIS# configure terminal
SMIS(config)# ip access-list standard 100
SMIS(config-std-nacl)# deny host 172.10.10.10 host 172.10.10.1
Create a permit IP Standard ACL with ACL name acl_cw3 to permit all traffic from IP 172.10.10.1
SMIS# configure terminal
SMIS(config)# ip access-list standard acl_cw3
SMIS(config-std-nacl)# permit host 172.10.10.1 any
Create a redirect IP Standard ACL to redirect all packets from subnet 172.20.20.X going to IP
172.20.0.1 to interface gi 0/10.
SMIS# configure terminal
SMIS(config)# ip access-list standard 1
SMIS(config-std-nacl)# redirect gi 0/10 172.20.20.0 255.255.255.0 host 172.20.0.1
1.5.2 Modifying IP Standard ACLs
To modify a configured IP Standard ACL, follow the same steps used to create an IP Standard ACL. When
users modify an ACL with a deny, permit or redirect rule, the previously configured rule and its
parameters for that ACL will be completely overwritten with the newly provided rules and parameters.
The example below shows an IP Standard ACL rule 50 being created and then modified with different
parameters.
SMIS# configure terminal
SMIS(config)# ip access-list standard 50
SMIS(config-std-nacl)# deny 172.10.0.0 255.255.0.0 any
# Modify this ACL rule 50 to deny traffic destined to a particular host IP instead of to any.
SMIS# configure terminal
SMIS(config)# ip access-list standard 50
SMIS(config-std-nacl)# deny 172.10.0.0 255.255.0.0 host 172.50.0.1
1.5.3 Removing IP Standard ACLs
Follow the below steps to remove MAC Extended ACLs.

Step 1
Command: configure terminal
Description: Enters the configuration mode

Step 2
Command: no ip access-list standard { <access-list-number(1-32768)> | <access-list-name> }
Description: Deletes an IP Standard ACL using the no ip access-list standard command.
access-list-number – the ACL number that needs to be deleted
access-list-name – the name of the ACL that needs to be deleted

Step 3
Command: show access-lists
Description: Displays the configured ACL rules to make sure the deleted ACL is removed properly

Step 4
Command: write startup-config
Description: Optional step – Saves this ACL configuration to be part of startup configuration.

The example below shows how to remove an IP Standard ACL.
SMIS# configure terminal
SMIS(config)# no ip access-list standard 50
1.5.4 Applying IP ACLs to Interfaces
IP Standard and Extended CLs are applied to all physical interfaces by default. If users prefer to apply
any IP Standard or Extended CL only to certain ports, the steps below need to be followed.
Adding an IP Standard / Extended ACL to a port
Step 1
  Command: configure terminal
  Description: Enters the configuration mode.
Step 2
  Command: interface <interface-type> <interface-id>
    or
    interface range <interface-type> <interface-id> ….
  Description: Defines the port or port lists on which this IP Standard / Extended ACL needs to be applied.
Step 3
  Command: ip access-group { <access-list-number (1-65535)> | <access-list-name> }
  Description: Adds the IP Standard / Extended ACL to this port.
    access-list-number – the ACL number that needs to be added
    access-list-name – the name of the ACL which needs to be added
Step 4
  Command: show access-lists
  Description: Displays the configured ACL rules to make sure this port has added the required ACL.
Step 5
  Command: write startup-config
  Description: Optional step – Saves this ACL configuration to be part of startup configuration.
The example below shows applying an IP Standard ACL rule 100 to ports gi 0/1 and gi 0/10.
SMIS# configure terminal
SMIS(config)# interface gi 0/1
SMIS(config-if)# ip access-group 100
SMIS(config-if)# exit
SMIS(config)# int gi 0/10
SMIS(config-if)# ip access-group 100
Removing an IP Standard / Extended ACL from a port
Step 1
  Command: configure terminal
  Description: Enters the configuration mode.
Step 2
  Command: interface <interface-type> <interface-id>
    or
    interface range <interface-type> <interface-id> ….
  Description: The port or port lists from which this MAC Extended ACL needs to be removed.
Step 3
  Command: no ip access-group [ { <access-list-number (1-65535)> | <access-list-name> } ]
  Description: Removes the IP Standard / Extended ACL from this port.
    access-list-number – the ACL number that needs to be removed from this interface
    access-list-name – the name of the ACL that needs to be removed from this interface
Step 4
  Command: show access-lists
  Description: Displays the configured ACL rules to make sure this port has been removed from the required ACL.
Step 5
  Command: write startup-config
  Description: Optional step – Saves this ACL configuration to be part of startup configuration.
1. When an IP Standard / Extended ACL is removed from all the ports it was applied to,
that ACL will become a switch-wide ACL (applied to all physical ports).
2. IP Standard and Extended ACLs can be added only to physical ports like gi, ex or qx
ports. ACLs cannot be added to Layer 3 vlan interfaces or port channel interfaces.
3. An IP Standard / Extended ACL can be applied to many ports by following the above
steps. In the same way, many IP Standard / Extended ACLs can be applied on a single port.
The example below shows the commands for removing an IP Extended ACL from a port.
SMIS# configure terminal
SMIS(config)# int gi 0/1
SMIS(config-if)# no ip access-group 100
1.5.5 Displaying IP Standard ACLs
Step 1
  Command: show access-lists
    or
    show access-lists ip { <access-list-number (1-32768)> | <access-list-name> ]
  Description: Enters the configuration mode.
    access-list-number – the ACL number that needs to be displayed
    access-list-name – the name of the ACL that needs to be displayed
The show command displays the following information for every IP Standard ACL.
Source IP Address: Configured source host or subnet IP address. Displays 0.0.0.0 for any source IP.
Source IP Address Mask: Configured source subnet IP mask. For host IP address, the mask will be displayed as 255.255.255.255.
Destination IP Address: Configured destination host or subnet IP address. Displays 0.0.0.0 for any destination IP.
Destination IP Address Mask: Configured destination subnet IP mask. For host IP address, the mask will be displayed as 255.255.255.255.
In Port List: The list of ports this ACL is applied to. If it is applied to all ports, this will be NIL.
Filter Action: Configured ACL action rule – deny, permit or redirect.
Status: Current status of the ACL. The status should normally be active. In case of configuration errors, the ACL status may be inactive.
The example below displays an IP Standard ACL.
SMIS# show access-lists ip 1
Standard IP Access List 1
----------------------------
Source IP address : 172.20.20.0
Source IP address mask : 255.255.255.0
Destination IP address : 172.20.0.1
Destination IP address mask : 255.255.255.255
In Port List : NIL
Filter Action : Redirect to Gi0/10
Status : Active
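An ACL whose In Port List is NIL filters every physical port, which is also what an ACL becomes once it is removed from its last port, and an ACL whose Status is not active may not be filtering at all. The following audit script is an added example, not part of the Supermicro manual; it parses saved show access-lists output in the layout shown above and flags both conditions. The sample text, the port-list notation and the "InActive" spelling are constructed for illustration.

```python
import re
# Constructed sample; ACL 50's port list and status spelling are assumptions.
SAMPLE = """\
Standard IP Access List 1
----------------------------
Source IP address : 172.20.20.0
Source IP address mask : 255.255.255.0
Destination IP address : 172.20.0.1
Destination IP address mask : 255.255.255.255
In Port List : NIL
Filter Action : Redirect to Gi0/10
Status : Active

Standard IP Access List 50
----------------------------
Source IP address : 172.10.0.0
Source IP address mask : 255.255.0.0
Destination IP address : 172.50.0.1
Destination IP address mask : 255.255.255.255
In Port List : Gi0/1, Gi0/10
Filter Action : Deny
Status : InActive
"""
HEADER = re.compile(r"^Standard IP Access List (\S+)$")

def parse_acls(text):
    """Split the output into one dict per ACL, keyed by lower-cased field name."""
    acls, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            cur = {"id": m.group(1)}
            acls.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            cur[key.strip().lower()] = value.strip()
    return acls

def audit(acls):
    """Flag ACLs that are not active, and non-permit ACLs bound to all ports (NIL)."""
    findings = []
    for acl in acls:
        action = acl.get("filter action", "")
        if acl.get("status", "").lower() != "active":
            findings.append((acl["id"], "status is not active"))
        if acl.get("in port list", "").upper() == "NIL" and not action.lower().startswith("permit"):
            findings.append((acl["id"], "switch-wide: " + action))
    return findings

if __name__ == "__main__":
    print(audit(parse_acls(SAMPLE)))
```

Running the audit before and after a "no ip access-group" change shows whether an ACL silently moved from a port list to NIL.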
1.5.6 IP Standard ACL Configuration Example 1
This example describes the commands required to implement the following ACL requirements on the
network setup shown in Figure ACL-2.
ACL 1 – Deny all traffic going from 172.20.0.0 network to 172.100.0.0 network, but allow only server
172.20.20.1 to access the 172.100.0.1 gateway.
ACL 2 – Redirect all traffic destined to IP 172.10.0.0 network to server 172.10.10.10.
Figure ACL-2: IP Standard ACL Example 1
ACL 1 Configuration
This ACL has two rules; one to allow traffic from 172.20.20.1 and the other to deny all traffic from the
172.20.0.0 network.
A permit rule needs to be created first.
SMIS# configure terminal
SMIS(config)# ip access-list standard acl_1a
SMIS(config-std-nacl)# permit host 172.20.20.1 host 172.100.0.1
[Figure ACL-2 diagram labels: 172.100.0.0 network, gateway 172.100.0.1, server 172.10.10.10, switch ports Gi 0/1 and Gi 0/10, 172.20.0.0 network]
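Why the permit rule for ACL 1 has to come first can be checked with a small model. This is an added example, not part of the Supermicro manual: it assumes rules are checked in creation order with the first match deciding, that the deny rule uses 255.255.0.0 masks for both networks (the manual's deny command is not shown here), and that unmatched traffic is permitted.

```python
import ipaddress

HOST = "255.255.255.255"  # mask displayed for a host entry

def ip(text):
    return int(ipaddress.IPv4Address(text))

def field(addr, mask):
    """Return (network, mask) as integers; 'any' would be 0.0.0.0 / 0.0.0.0."""
    return ip(addr) & ip(mask), ip(mask)

def matches(rule, src, dst):
    (s_net, s_mask), (d_net, d_mask) = rule["src"], rule["dst"]
    return (ip(src) & s_mask) == s_net and (ip(dst) & d_mask) == d_net

def decide(rules, src, dst, default="permit"):
    """First matching rule wins (assumed ordering); default is also an assumption."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule["action"]
    return default

# permit host 172.20.20.1 host 172.100.0.1 (from the manual's example)
PERMIT_SERVER = {"action": "permit",
                 "src": field("172.20.20.1", HOST),
                 "dst": field("172.100.0.1", HOST)}
# Assumed deny rule for "172.20.0.0 network to 172.100.0.0 network"
DENY_NET = {"action": "deny",
            "src": field("172.20.0.0", "255.255.0.0"),
            "dst": field("172.100.0.0", "255.255.0.0")}

if __name__ == "__main__":
    flow = ("172.20.20.1", "172.100.0.1")
    print("permit first:", decide([PERMIT_SERVER, DENY_NET], *flow))
    print("deny first:  ", decide([DENY_NET, PERMIT_SERVER], *flow))
```

With the deny rule first, the broader match shadows the server exception and the server loses access to the gateway.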
