Table of Contents
Advertisement
Management ACL Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-
ON/N3000/N3100-ON/N4000 Series Switches
In order to ensure the security of the switch management features, the
administrator may elect to configure a management access control list. The
Management Access Control and Administration List (ACAL) component is
used to ensure that only known and trusted devices are allowed to remotely
manage the switch via TCP/IP. Management ACLs are only configurable on
IP (in-band) interfaces, not on the out-of-band interface or the serial port,
and only filter packets sent to the switch CPU. Packets that are forwarded by
the switch are not filtered by Management ACLs. Management ACLs filter
packets in firmware after all hardware based ACLs (ip access-list and ipv6
access-list) have been applied. This allows the administrator to configure
hardware based filtering criteria for in-band management access and then
further refine that criteria with firmware based filtering supplied by the
management ACL capability.
When a Management ACAL is enabled, incoming TCP packets initiating a
connection (TCP SYN) and UDP packets will be filtered based on their
source IP address and destination port. Additionally, other attributes such as
incoming port (or port-channel) and VLAN ID can be used to determine if
the traffic should be allowed access to the management interface. When the
Management Access Control component is disabled, incoming TCP/UDP
packets are not filtered in firmware and are processed normally. TCP SYN
packets or UDP packets addressed to the following destination port numbers
are not processed by the management ACL list: DNS(53), DHCP Server(67),
DHCP Client (68), TFTP(69), telnet(23), HTTP(80), HTTPS(443),
SNMP(161), SSH(22), and JAVA(4242).
There is also an option to restrict all the above packets from the network
interface. This is done by specifying "console only" in the MACAL
component. If this option is enabled, the system management interface is
only accessible via the serial port. All TCP SYN packets and UDP packets are
dropped except UDP packets sent to the ports listed above.
Commands in this Section
This section explains the following commands:
1036
Security Commands
Advertisement
Table of Contents
