Enterasys C5G124-24 User Manual

Enterasys C5G124-24
452 pages
26-16 Configuring Security Features
Refer to your platform’s CLI Reference for more information about each command.
Service ACLs
A Service Access Control List (SACL) can provide security for switch management features by
ensuring that only known and trusted devices are allowed to remotely manage the switch via
TCP/IP.
A Service ACL can be applied to a specific host service, or to all supported host services. The
following host services are currently supported:
• HTTP
• HTTPS
• SNMP
• SSH
• Telnet
• TFTP
Service ACLs are applied to inbound traffic only. When a Service ACL is enabled, incoming TCP
packets initiating a connection (TCP SYN) and all UDP packets will be filtered based on their
source IP address and destination port. Additionally, other attributes such as incoming port and
VLAN ID can be used to determine if the traffic should be allowed to the management interface.
When the component is disabled, incoming TCP/UDP packets are not filtered and are processed
normally.
Only one Service ACL can be configured on the switch, with a maximum of 64 rules. The Service
ACL will not be actively used on the switch until it is activated with the set system service-class
command. Both IPv4 and IPv6 address rules are supported.
A trap is sent if a packet is dropped due to a service ACL rule hit. A trap will not be generated if
traffic is dropped due to the “console-only” option (see Restricting Management Access to the
Console Port below). The Enterasys Threat Notification MIB is used for trap generation.
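The filtering behavior described above can be modeled offline to check a planned rule set before it is activated. The following is an added example, not code or syntax from the manual: the Rule and Packet shapes, the sample policy, first-match rule ordering, the implicit deny when no rule matches, and the default well-known service ports are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ASSUMPTION: the six supported host services listen on their well-known ports.
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "snmp": ("udp", 161),
            "ssh": ("tcp", 22), "telnet": ("tcp", 23), "tftp": ("udp", 69)}
MAX_RULES = 64  # limit stated in the manual

@dataclass
class Rule:                          # hypothetical shape, not the switch's CLI syntax
    action: str                      # "permit" or "deny"
    source: str                      # IPv4 or IPv6 prefix
    service: Optional[str] = None    # None = all supported host services
    port: Optional[str] = None       # incoming switch port, None = any
    vlan: Optional[int] = None       # VLAN ID, None = any

@dataclass
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    dport: int
    syn: bool = False                # True for a connection-initiating TCP SYN
    port: Optional[str] = None
    vlan: Optional[int] = None

def matches(rule, pkt):
    net, src = ipaddress.ip_network(rule.source), ipaddress.ip_address(pkt.src)
    if net.version != src.version or src not in net:
        return False
    if rule.service is not None and SERVICES[rule.service] != (pkt.proto, pkt.dport):
        return False
    return rule.port in (None, pkt.port) and rule.vlan in (None, pkt.vlan)

def evaluate(rules, pkt, enabled=True):
    """Return 'permit', 'deny' (a trap would be sent) or 'unfiltered'."""
    if len(rules) > MAX_RULES:
        raise ValueError("a Service ACL holds at most 64 rules")
    # Only TCP SYNs and UDP packets aimed at a host service are filtered.
    in_scope = (pkt.proto, pkt.dport) in SERVICES.values() and (pkt.proto == "udp" or pkt.syn)
    if not enabled or not in_scope:
        return "unfiltered"
    for rule in rules:               # ASSUMPTION: first matching rule wins
        if matches(rule, pkt):
            return rule.action
    return "deny"                    # ASSUMPTION: implicit deny when nothing matches

SAMPLE_RULES = [                     # constructed policy for illustration
    Rule("permit", "10.20.0.0/24", service="ssh", vlan=100),
    Rule("permit", "2001:db8:10::/64", service="https"),
    Rule("deny", "0.0.0.0/0", service="telnet"),
]
```

Running the intended management station's address, VLAN and service through evaluate before activating the ACL confirms that the rule set does not lock out remote management.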
Table 26-8 TACACS+ Show Commands (continued)

Task: Displays only the current TACACS+ session settings. The [state] option is valid only for S-Series and Matrix N-Series devices.
Command: show tacacs session {authorization | accounting} [state]

Task: Displays only the current status for TACACS+ per-command authorization and accounting. The [state] option is valid only for S-Series and Matrix N-Series devices.
Command: show tacacs command {accounting | authorization} [state]

Task: Displays only the current singleconnect status. The [state] option is valid only for S-Series and Matrix N-Series devices.
Command: show tacacs singleconnect [state]

Task: Displays the currently configured interface to use as the source interface for TACACS+ packets, if one is configured.
Command: show tacacs interface
