Configuring Service Access Control Lists Commands
35-2
Restricting Management Access to the Console Port
You can restrict access to system management to the switch’s serial port only. This is done using
the set system service-class console-only command. When console-only access is configured, all
TCP SYN packets and UDP packets are dropped, with the exception of UDP packets sent to the
DHCP Server or DHCP Client ports. Attempting to map a router ACL to a host service will fail.
Commands
set system service-acl
Use this command to create and add rules to a service access control list. Only a single list is
allowed in the system with a maximum of 64 rules.
Syntax
set system service-acl name {permit | deny} [ip-source ip-address [wildcard
wildcard-bits] | ipv6-source ipv6-address [wildcard /prefix-length]] [port port-
string | vlan vlan-id] [service service] [priority priority-value]
Parameters
For information about... Refer to page...
set system service-acl 35-2
show system service-acl 35-4
clear system service-acl 35-4
set system service-class 35-5
show system service-class 35-5
clear system service-class 35-6
name Specifies the name of the service ACL. If the ACL does not exist, it will
be created. The name can be up to 32 characters in length.
permit | deny Specifies the rule action.
ip-source ip-address (Optional) Specifies the IPv4 source address for the rule.
wildcard wildcard-bits (Optional) Specifies the bits to ignore in the IPv4 source address, in
dotted octet notation. A 0 indicates the address bits that should be
ignored, while a number indicates the bits that must be matched.
ipv6-source
ipv6-address
(Optional) Specifies the IPv6 source address for the rule.
wildcard /prefix-length (Optional) Specifies the number of bits (0-128) that comprise the source
IPv6 address prefix. The prefix length must be preceded by a forward
slash (/). If no prefix length value is specified, a prefix length of 128 bits
is assumed.
port port-string (Optional) Specifies a port for the rule.
vlan vlan-id (Optional) Specifies a VLAN for the rule.
To Next Page
Loading...
Need help?
General