Enterasys C3 Configuration Guide 35-1
35 Configuring Service Access Control Lists
This chapter describes how to configure and apply Service Access Control Lists (ACLs). For
information about router mode ACLs, refer to Chapter 34, Configuring Access Control Lists.
About Service Access Control Lists
A Service Access Control List (SACL) provides security for switch management features by
ensuring that only known and trusted devices are allowed to remotely manage the switch via
TCP/IP.
A Service ACL can be applied to a specific host service, or to all supported host services. The
following host services are currently supported:
• HTTP
• HTTPS
• SNMP
• SSH
• Telnet
• TFTP
Service ACLs are applied to inbound traffic only. When a Service ACL is enabled, incoming TCP
packets initiating a connection (TCP SYN) and all UDP packets will be filtered based on their
source IP address and destination port. Additionally, other attributes such as incoming port and
VLAN ID can be used to determine if the traffic should be allowed to the management interface.
When the component is disabled, incoming TCP/UDP packets are not filtered and are processed
normally.
Only one Service ACL can be configured on the switch, with a maximum of 64 rules. The Service
ACL will not be actively used on the switch until it is activated with the set system service-class
command. Both IPv4 and IPv6 address rules are supported.
A trap is sent if a packet is dropped due to a service ACL rule hit. A trap will not be generated if
traffic is dropped due to the "console-only" option (see Restricting Management Access to the
Console Port below). The Enterasys Threat Notification MIB is used for trap generation.
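The filtering behavior described above (only TCP SYNs and UDP inspected, match on source address and destination port with optional ingress port and VLAN, the 64-rule limit, no filtering until activated, a trap on a deny-rule hit but none for a console-only drop) modeled as a small evaluator. This is an added example, not code from the guide or from the switch firmware; the service-to-port mapping, the first-match order and the implicit deny at the end of the list are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumption: host services listen on their standard well-known ports.
SERVICE_PORTS = {"http": 80, "https": 443, "snmp": 161, "ssh": 22, "telnet": 23, "tftp": 69}
MAX_RULES = 64  # the guide's stated limit for the single Service ACL

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    source: str                   # IPv4 or IPv6 prefix, e.g. "10.1.0.0/16"
    service: str = "any"          # one host service name or "any"
    port: Optional[str] = None    # optional ingress port, e.g. "ge.1.1"
    vlan: Optional[int] = None    # optional ingress VLAN ID

@dataclass
class ServiceAcl:
    rules: list = field(default_factory=list)
    active: bool = False          # set system service-class activates it
    console_only: bool = False    # drops all remote management, no trap
    traps: list = field(default_factory=list)  # Threat Notification MIB traps

    def add_rule(self, rule: Rule) -> None:
        if len(self.rules) >= MAX_RULES:
            raise ValueError("Service ACL holds at most 64 rules")
        self.rules.append(rule)

    def evaluate(self, src, dport, proto, syn=False, port=None, vlan=None) -> bool:
        """Return True if the packet may reach the management interface."""
        # Only TCP SYNs and UDP are inspected; other TCP segments pass untouched.
        if proto == "tcp" and not syn:
            return True
        if self.console_only:
            return False                  # dropped silently, no trap
        if not self.active:
            return True                   # component disabled: no filtering
        for r in self.rules:              # assumption: first matching rule wins
            if ipaddress.ip_address(src) not in ipaddress.ip_network(r.source):
                continue                  # address-family mismatch also fails here
            if r.service != "any" and SERVICE_PORTS[r.service] != dport:
                continue
            if r.port is not None and r.port != port:
                continue
            if r.vlan is not None and r.vlan != vlan:
                continue
            if r.action == "permit":
                return True
            self.traps.append((src, dport))  # drop due to rule hit: trap sent
            return False
        return False                      # assumption: implicit deny, no trap
```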
Note: These commands can be executed in switch mode.
For information about...              Refer to page...
About Service Access Control Lists    35-1
Commands                              35-2