MAC-Based VLANs; IP Access Lists (ACLs); Access Masks; Access Lists - Extreme Networks ExtremeWare 7.2e Installation and User Manual

Software version 7.2e

Security

MAC-Based VLANs

MAC-Based VLANs allow physical ports to be mapped to a VLAN based on the source MAC address
learned in the FDB. This feature allows you to designate a set of ports that have their VLAN
membership dynamically determined by the MAC address of the end station that plugs into the
physical port. You can configure the source MAC address-to-VLAN mapping either offline or
dynamically on the switch. For example, you could use this application for a roaming user who wants
to connect to a network from a conference room. In each room, the user plugs into one of the designated
ports on the switch and is mapped to the appropriate VLAN. Connectivity is maintained to the network
with all of the benefits of the configured VLAN in terms of QoS, routing, and protocol support.
Detailed information about configuring and using MAC-based VLANs can be found in Chapter 5.

IP Access Lists (ACLs)

Each access control list (ACL) consists of an access mask that selects which fields of each incoming
packet to examine, and a list of values to compare with the values found in the packet. Access masks
can be shared by multiple access control lists, using different lists of values to examine packets. The
following sections describe how to use access control lists.

Access Masks

There are sixteen access masks available in the Summit 400-48t, depending on which features are
enabled on the switch. Each access mask is created with a unique name and defines a list of fields that
will be examined by any access control list that uses that mask (and by any rate limit that uses the
mask).
To create an access mask, use the following command:
create access-mask <access-mask name> {dest-mac} {source-mac} {vlan} {tos | code-point}
{ethertype} {ipprotocol} {dest-ip/<mask length>} {source-L4port | {icmp-type} {icmp-code}}
{permit-established} {egressport} {ports} {precedence <number>}
You can also display or delete an access mask. To display information about an access mask, use the
following command:
show access-mask {<name>}
To delete an access mask, use the following command:
delete access-mask <name>

Access Lists

Access control lists are used to perform packet filtering and forwarding decisions on incoming traffic.
Each packet arriving on an ingress port is compared to the access list in sequential order and is either
forwarded to a specified QoS profile or dropped. These forwarded packets can also be modified by
changing the 802.1p value and/or the DiffServ code point. Using access lists has no impact on switch
performance.
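The mask/value split and the in-order comparison described above, modelled in Python as an added example (this is not ExtremeWare code and not part of the manual). The class names, the sample mask and list names, the QoS profile name qp3 and the "no-match" result are assumptions; the text here does not state what happens to a packet that matches no entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AccessMask:
    name: str
    fields: tuple            # keywords from create access-mask, e.g. ("dest-ip", "ipprotocol")
    dest_ip_len: int = 32    # the <mask length> given with dest-ip

    def key(self, packet: dict) -> tuple:
        """Extract only the fields this mask examines, masking dest-ip."""
        out = []
        for f in self.fields:
            v = packet[f]
            if f == "dest-ip":
                v = str(ipaddress.ip_network(f"{v}/{self.dest_ip_len}", strict=False))
            out.append(v)
        return tuple(out)

@dataclass(frozen=True)
class AccessList:
    name: str
    mask: AccessMask
    values: dict             # one value per field named in the mask
    action: str              # "permit" or "deny"
    qosprofile: Optional[str] = None

    def matches(self, packet: dict) -> bool:
        if set(self.values) != set(self.mask.fields):
            raise ValueError(f"{self.name}: values must cover the mask's fields")
        return self.mask.key(packet) == self.mask.key(self.values)

def evaluate(packet: dict, access_lists: list) -> tuple:
    """Compare the packet to each entry in order; the first match decides."""
    for acl in access_lists:
        if acl.matches(packet):
            return (acl.action, acl.qosprofile, acl.name)
    return ("no-match", None, None)  # assumption: default action is not given on this page

# Constructed sample: one mask shared by two lists that carry different values.
MASK = AccessMask("dst_net_proto", ("dest-ip", "ipprotocol"), dest_ip_len=24)
ACLS = [
    AccessList("deny_udp_lab", MASK, {"dest-ip": "10.1.2.0", "ipprotocol": "udp"}, "deny"),
    AccessList("tcp_lab_qp3", MASK, {"dest-ip": "10.1.2.0", "ipprotocol": "tcp"}, "permit", "qp3"),
]
```

Fields that the mask does not name (a source MAC, for instance) never influence the result, which is why the choice of mask fields determines what an access list can and cannot distinguish.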
The Summit 400-48t supports up to 16 access lists. Each entry that makes up an access list contains a
unique name and specifies a previously created access mask. The access list also includes a list of values