Home » Netgear Manuals » Hubs & Switches » Netgear MS510TXPP » Manual Viewer

Netgear MS510TXPP User Manual - Page 336

Access Control Lists (ACLs), Sample MAC ACL Configuration

Add to My Manuals
Save this manual to your list of manuals

Page 336 highlights

Smart Managed Pro Switches MS510TX and MS510TXPP • If an untagged packet enters port 4, the switch tags it with VLAN ID 20. The packet can access port 5 and port 6. The outgoing packet is stripped of its tag to become an untagged packet as it leaves port 6. For port 5, the outgoing packet leaves as a tagged packet with VLAN ID 20. Access Control Lists (ACLs) ACLs ensure that only authorized users can access specific resources while blocking off any unwarranted attempts to reach network resources. ACLs are used to provide traffic flow control, restrict contents of routing updates, decide which types of traffic are forwarded or blocked, and provide security for the network. ACLs are normally used in firewall routers that are positioned between the internal network and an external network, such as the Internet. They can also be used on a router positioned between two parts of the network to control the traffic entering or exiting a specific part of the internal network. The added packet processing required by the ACL feature does not affect switch performance. That is, ACL processing occurs at wire speed. Access lists are sequential collections of permit and deny conditions. This collection of conditions, known as the filtering criteria, is applied to each packet that is processed by the switch or the router. The forwarding or dropping of a packet is based on whether or not the packet matches the specified criteria. Traffic filtering requires the following two basic steps: 1. Create an access list definition. The access list definition includes rules that specify whether traffic matching the criteria is forwarded normally or discarded. Additionally, you can assign traffic that matches the criteria to a particular queue or redirect the traffic to a particular port. A default deny all rule is the last rule of every list. 2. Apply the access list to an interface in the inbound direction. The switch allow ACLs to be bound to physical ports and LAGs. The switch supports MAC ACLs, IPv4 ACLS, and IPv6 ACLs. Sample MAC ACL Configuration The following example shows how to create a MAC-based ACL that permits Ethernet traffic from the Sales department on specified ports and denies all other traffic on those ports. 1. On the MAC ACL page, create an ACL with the name Sales_ACL for the Sales department of your network (see Configure a Basic MAC ACL on page 265). By default, this ACL is bound on the inbound direction, which means that the switch examines traffic as it enters the port. 2. On the MAC Rules page, create a rule for the Sales_ACL with the following settings: Configuration Examples 336 User Manual

Section	Page
8-Port Multi-Gigabit Smart Managed Pro Switch with Two 10G Ports	1
Contents	4
1 Get Started	10
Switch Descriptions	11
Available Publications	11
Switch Management Methods	11
Web Browser Requirements and Supported Browsers	12
User-Defined Fields	13
Interface Naming Conventions	13
Access the Switch	14
Access the Switch On-Network With a DHCP Server	14
Access the Switch On-Network Without a DHCP Server	16
Access the Switch Off-Network	18
Register the Switch	19
How to Configure Interface Settings	19
Local Browser Interface Device View	21
2 Configure System Information	25
View and Configure the Switch Management Settings	26
View or Define System Information and View Software Versions	26
View the System CPU Status	28
View USB Device Information	29
Configure the IPv4 Address for the Network Interface and Management VLAN	30
Configure the IPv6 Address for the Network Interface	32
View the IPv6 Network Neighbor	33
Configure the Time Settings	34
Configure DNS Settings	44
Configure Green Ethernet Settings	47
Use the Device View	52
Configure Power over Ethernet	53
PoE Overview	53
Device Class Power Requirements	54
Power Allocation and Power Budget	54
Configure the Global PoE Settings	56
Manage and View the PoE Port Configuration	57
Configure SNMP	59
Configure the SNMPv1/v2 Community	60
Configure SNMPv1/v2 Trap Settings	62
Configure SNMPv1/v2 Trap Flags	64
View the Supported MIBs	65
Configure SNMPv3 Users	65
Configure LLDP	66
Configure LLDP Global Settings	67
Configure LLDP Port Settings	68
LLDP-MED Network Policy	70
LLDP-MED Port Settings	71
Local Information	72
Neighbors Information	74
Configure DHCP Snooping	77
Configure the Global DHCP Snooping Settings	78
Enable DHCP for All Interfaces in a VLAN	79
Configure DHCP Snooping Interface Settings	79
Configure Static DHCP Bindings	80
Configure the DHCP Snooping Persistent Settings	82
Set Up PoE Timer Schedules	82
Create a PoE Timer Schedule	83
Specify the Settings for a PoE Timer Schedule	84
Add a Periodic Schedule for a PoE Timer Schedule	85
Delete a Periodic Schedule for a PoE Timer Schedule	86
Delete a PoE Timer Schedule	87
3 Configure Switching	88
Configure Port Settings and Flow Control	89
Configure IEEE 802.3x Global Flow Control	89
Configure the Port Settings	90
Configure Link Aggregation Groups	91
Configure LAG Settings	92
Configure LAG Membership	94
Set the LACP System Priority	95
Set the LACP Port Priority Settings	95
Configure VLANs	96
Configure VLAN Settings	97
Configure VLAN Membership	99
View VLAN Status	101
Configure Port PVID Settings	102
Configure MAC-Based VLAN Groups	104
Manually Add Members to or Remove Them From a MAC-Based VLAN Group	106
Configure Protocol-Based VLAN Groups	106
Manually Add Members to or Remove Them From a Protocol-Based VLAN Group	108
Configure GARP Switch Settings	109
Configure GARP Ports	110
Configure a Voice VLAN	112
Configure the Global Voice VLAN Settings	112
Configure Membership for the Voice VLAN	113
Manage the OUI Table	114
Configure Auto-VoIP	116
Configure Spanning Tree Protocol	117
Configure STP Settings	118
Configure CST Settings	120
Configure CST Port Settings	122
View the CST Port Status	123
View Rapid STP Information	124
Manage MST Settings	125
Configure MST Port Settings	128
View STP Statistics	130
Configure Multicast	131
View the MFDB Table	132
View the MFDB Statistics	133
Configure Auto-Video	134
IGMP Snooping Overview	135
Configure the Global IGMP Snooping Settings	135
View the IGMP Snooping Table	137
Configure IGMP Snooping for VLANs	138
Modify IGMP Snooping Settings for a VLAN	139
Disable IGMP Snooping on a VLAN and Remove It From the Table	139
IGMP Snooping Querier Overview	140
Configure IGMP Snooping Querier	140
Configure IGMP Snooping Querier for VLANs	141
Display the IGMP Snooping Querier for VLAN Status	142
MLD Snooping Overview	143
Configure the Global MLD Snooping Settings	144
Configure MLD Snooping for a VLAN	144
Configure a Multicast Router Interface on a VLAN	146
Configure MLD Snooping Querier	147
Configure MLD Snooping Querier VLAN Settings	148
Configure a Multicast Group	149
Remove a Multicast Group	150
Configure Multicast Group Membership	151
Configure the Multicast Forward All Option	152
View, Search, and Manage the MAC Address Table	153
View and Search the MAC Address Table	154
Change the Aging-Out Period of Dynamic MAC Addresses	155
Add a Static MAC Address	156
Remove a Static MAC Address	156
4 Configure Routing	158
IP Routing Overview	159
Configure IP Settings	159
Configure the Routing Settings	159
View the IP Statistics	160
Configure VLAN Routing	163
Use the VLAN Static Routing Wizard	164
VLAN Routing Configuration	165
Manage IPv4 Routes	166
Configure Address Resolution Protocol	168
Display the ARP Cache	168
Add an Entry to the ARP Table	169
Configure the Global Aging-Out Time for ARP	170
Remove an ARP Entry From the ARP Cache	171
Configure IPv6	173
Configure IPv6 Global Settings	173
Add a Static IPv6 Route	174
Change the Preference for a Static IPv6 Route	175
Remove a Static IPv6 Route	176
View the IPv6 Route Table	177
Configure IPv6 VLAN Interface Settings	178
Add an IPv6 Global Address to an IPv6 VLAN	180
Change the Settings for an IPv6 Global Address on an IPv6 VLAN	182
Remove an IPv6 Global Address From an IPv6 VLAN	183
Add an IPv6 Prefix for Advertisement on an IPv6 VLAN	183
Change the Settings for an IPv6 Prefix for Advertisement on an IPv6 VLAN	185
Remove an IPv6 Prefix From an IPv6 VLAN	185
View IPv6 Statistics for an Interface	186
View or Clear the IPv6 Neighbor Table	188
5 Configure Quality of Service	190
Manage Class of Service	191
CoS Configuration	191
Configure Global CoS Settings	192
Configure CoS Interface Settings for an Interface	192
Configure the Global CoS Queue Settings	194
Configure the Global 802.1p to Queue Mapping	195
DSCP to Queue Mapping	196
Manage Differentiated Services	197
DiffServ Overview	198
View the Global DiffServ Resources	199
Specify DSCP Remark Values for Violate Action IP Packets	199
Configure IPv4 DiffServ Classes	201
Configure an IPv6 DiffServ IPv6 Classes	205
Configure a DiffServ Policy	209
Configure DiffServ Service Interfaces	214
View DiffServ Service Statistics	215
6 Manage Device Security	217
Management Security Settings	218
Change the Password	218
Reset the Password to the Factory Default Value	219
Configure RADIUS Servers	220
Configure TACACS+ Servers	226
Configure Authentication Lists	229
Configure Management Access	232
Configure HTTP Settings	232
Configure HTTPS Settings	233
Manage the Certificate	234
Configure Access Control	237
Configure Port Authentication	243
Configure Global 802.1X Settings	243
Manage Port Authentication	245
View the Port Summary	247
View the Client Summary	249
Set Up Traffic Control	250
Configure Storm Control	250
Configure Port Security	251
Configure Protected Ports	254
Configure Private VLANs	254
Configure Access Control Lists	259
Use the ACL Wizard to Create a Simple ACL	260
Configure a Basic MAC ACL	265
Configure MAC ACL Rules	267
Configure MAC Bindings	271
View or Delete MAC ACL Bindings in the MAC Binding Table	273
Configure an IP ACL	274
Configure Rules for a Basic IP ACL	275
Configure Rules for an Extended IP ACL	278
Configure an IPv6 ACL	283
Configure IPv6 Rules	284
Configure IP ACL Interface Bindings	288
View or Delete IP ACL Bindings in the IP ACL Binding Table	290
7 Monitor the System	292
Monitor the Switch and the Ports	293
Switch Statistics	293
View Port Statistics	294
View Detailed Port Statistics	297
View EAP Statistics	300
Perform a Cable Test	302
Configure and View Logs	303
Manage the Buffered Logs	304
Manage the Flash Log	305
Manage the Server Log	307
View the Trap Logs	309
Configure Port Mirroring	310
View the System Resource Utilization	311
8 Maintain the Switch and Perform Troubleshooting	313
Reboot the Switch	314
Reset the Switch to Its Factory Default Settings	314
Export a File From the Switch	315
Export a File to the TFTP Server	315
HTTP File Export	317
Export a File From the Switch to a USB Device	318
Download a File to the Switch	319
Download a File to the Switch Using TFTP	319
Download a File to the Switch Using HTTP	321
Download a File From a USB Device	322
Manage Files	323
Change the Image That Loads During the Boot Process	323
View the Dual Image Status	324
Troubleshooting	325
Ping an IPv4 Address	325
Ping an IPv6 Address	328
Send an IPv4 Traceroute	329
Send an IPv6 Traceroute	330
Generate Technical Support Information	331
Enable Remote Diagnostics	332
A Configuration Examples	333
Virtual Local Area Networks (VLANs)	334
VLAN Configuration Examples	335
Access Control Lists (ACLs)	336
Sample MAC ACL Configuration	336
Sample Standard IP ACL Configuration	337
Differentiated Services (DiffServ)	338
Class	339
DiffServ Traffic Classes	339
Creating Policies	340
DiffServ Example Configuration	341
802.1X	342
802.1X Example Configuration	344
MSTP	345
MSTP Example Configuration	347
VLAN Routing Interface Configuration Example	349
B Hardware Specifications and Default Settings	351
Hardware Specifications	352

Match case Limit results 1 per page

Smart Managed Pro Switches MS510TX and MS510TXPP

Configuration Examples

User Manual

336

•

If an untagged packet enters port 4, the switch tags it with VLAN ID 20. The packet

can access port 5 and port 6. The outgoing packet is stripped of its tag to become an

untagged packet as it leaves port 6. For port 5, the outgoing packet leaves as a

tagged packet with VLAN ID 20.

Access Control Lists (ACLs)

ACLs ensure that only authorized users can access specific resources while blocking off any

unwarranted attempts to reach network resources.

ACLs are used to provide traffic flow control, restrict contents of routing updates, decide

which types of traffic are forwarded or blocked, and provide security for the network. ACLs

are normally used in firewall routers that are positioned between the internal network and an

external network, such as the Internet. They can also be used on a router positioned between

two parts of the network to control the traffic entering or exiting a specific part of the internal

network. The added packet processing required by the ACL feature does not affect switch

performance. That is, ACL processing occurs at wire speed.

Access lists are sequential collections of permit and deny conditions. This collection of

conditions, known as the filtering criteria, is applied to each packet that is processed by the

switch or the router. The forwarding or dropping of a packet is based on whether or not the

packet matches the specified criteria.

Traffic filtering requires the following two basic steps:

Create an access list definition.

The access list definition includes rules that specify whether traffic matching the criteria is

forwarded normally or discarded. Additionally, you can assign traffic that matches the

criteria to a particular queue or redirect the traffic to a particular port. A default

deny all

rule is the last rule of every list.

Apply the access list to an interface in the inbound direction.

The switch allow ACLs to be bound to physical ports and LAGs. The switch supports MAC

ACLs, IPv4 ACLS, and IPv6 ACLs.

Sample MAC ACL Configuration

The following example shows how to create a MAC-based ACL that permits Ethernet traffic

from the Sales department on specified ports and denies all other traffic on those ports.

On the MAC ACL page, create an ACL with the name Sales_ACL for the Sales

department of your network (see

onfigur

Basic

page

265

By default, this ACL is bound on the inbound direction, which means that the switch

examines traffic as it enters the port.

On the MAC Rules page, create a rule for the Sales_ACL with the following settings: