Extreme SLX-OS Security Configuration Guide, 20.6.1
Published August 29, 2024
Preface
Text Conventions
Documentation and Training
Help and Support
Send Feedback
About this document
What's New in this Document
Supported Hardware
Securing GRUB
Securing GRUB
Enabling Password Protection for GRUB
User Accounts and Passwords
User account overview
Default accounts and roles
Account guidelines and limitations
Basic account management
Creating an admin-role account
Creating a user-role account
Modifying an account
Disabling an account
Unlocking an account
Deleting an account
Setting Password Expiry Alert
User-defined roles
User-defined-role overview
Role and rule limits
Creating or modifying a role
Deleting a role
Command-access rules
Rules for configuration commands
Rules for operational commands
Rules for interface commands
Configuring a placeholder rule
Rule-processing order
Adding a rule
Changing a rule
Deleting a rule
Advanced account management
Creating a non-default account
Creating an account with clock-restricted access
Configure an account to disable automatically
Configure an account with inactivity warning
Password policies
Password policies overview
Password strength policy
Password encryption policy
Account lockout policy
Denial of service implications
Configuring password policies
Configuring the account lockout threshold
Creating a password policy
Restoring the default password policy
Displaying password attributes
Password interaction with remote AAA servers
Security-event logs
User Accounts and Passwords Commands
ACLs
ACL overview
ACL application-targets
Interface ACLs and rACLs
ACLs applied to interfaces
ACL and rule limits
TCAM optimization
TCAM profiles
Specifying a TCAM profile
TCAM sharing
Enabling TCAM sharing
Layer 2 (MAC) ACLs
MAC ACL configuration guidelines
Basic Layer 2 ACLs and rules
Creating a standard MAC ACL
Creating an extended MAC ACL
Applying Layer 2 ACLs to interfaces
Applying a MAC ACL to a physical interface
Applying a MAC ACL to a LAG interface
Applying a MAC ACL to a VLAN interface
Removing a MAC ACL
Layer 2 ACL modification
Modifying MAC ACL rules
Reordering the sequence numbers in a MAC ACL
Advanced Layer 2 ACL rules and features
Creating MAC ACL rules enabled for counter statistics
Filtering by VLAN tag type (L2 ACLs)
Filter and Force PCP Values
Filtering by known-unicast-only and unknown-unicast-only
ACL logs
Enabling and configuring the ACL log buffer
Creating a MAC ACL rule enabled for logging
Enabling and configuring ACL Raslogs
Layer 2 ACL-based mirroring
Enabling L2 ACL rules for mirroring
Defining an ACL mirror port
Enabling L2 ACL rules for sFlow monitoring
ACL show and clear commands
Layer 3 (IPv4 and IPv6) ACLs
Implementation flows for rACLs and interface ACLs
Layer 3 ACL configuration guidelines
Basic Layer 3 ACLs and rules
Creating a standard IPv4 ACL
Creating a standard IPv6 ACL
Creating an extended IPv4 ACL
Creating an extended IPv6 ACL
Applying Layer 3 ACLs to interfaces or globally
Applying a Layer 3 ACL to a physical interface
Applying a Layer 3 ACL to a LAG interface
Applying a Layer 3 ACL to a VE interface
Applying a Layer 3 ACL to a VE interface (bridge-domain)
Applying a Layer 3 ACL to a VE interface for filtering ingress routed IPv4 traffic
Applying a Layer 3 ACL to the management interface
Removing a Layer 3 ACL from an interface
Applying rACLs to devices
Removing an rACL from a device
Layer 3 ACL modification
Modifying Layer 3 ACL rules
Reordering the sequence numbers in a Layer 3 ACL
Advanced Layer 3 ACL rules and features
Filter and Force DSCP Values (IPv4 ACLs)
Filtering and forcing DSCP values (IPv6 ACLs)
ACL logs
Enabling and configuring the ACL log buffer
Enabling IPv4 ACL rules for logging
Enabling IPv6 ACL rules for logging
Enabling and configuring ACL Raslogs
Layer 3 ACL-based mirroring
Enabling IPv4 ACL rules for mirroring
Enabling IPv6 ACL rules for mirroring
Defining an ACL mirror port
ACL counter statistics (Layer 3)
Creating an IPv4 ACL rule enabled for counter statistics
Creating an IPv6 ACL rule enabled for counter statistics
Enabling IPv4 ACL rules for sFlow monitoring
Enabling IPv6 ACL rules for sFlow monitoring
Disabling conflicting-rule check
Disabling duplicate-rule check
ACL show and clear commands
IP broadcast ACLs (bACLs)
Configuration guidelines for bACLs
Creating a standard bACL
Creating an extended bACL
Applying a bACL to a device
Applying a bACL to a physical interface
Applying a bACL to a VE interface
bACL configuration example
bACL show and clear commands
Connection Limiting on Management Interface
Policy-Based Routing
Policy-Based Routing Overview
Route maps
Configuring a PBR policy
Policy-based routing (IPv4)
Configuration considerations and guidelines for PBR
Configuring an IPv4 PBR with IPv4 address as the next hop
Configuring an IPv4 PBR with NULL0 interface as the next hop
Configuration examples for IPv6 policy based routing
Policy-Based Routing with differing next hops
Policy-Based Routing and NULL0 with match statements
Policy-Based Routing and NULL0 as route map default action
Policy-based routing (IPv6)
Configuring an IPv6 PBR with IPv6 address as the next hop
Configuring an IPv6 PBR with NULL0 interface as the next hop
Configuration examples for IPv6 policy based routing
Recursive Next Hop Resolution
Enabling Recursive Next Hop Resolution
Port MAC Security
Port MAC security overview
Port MAC security violation
Auto recovery for port MAC security violation
Port MAC security configuration guidelines and considerations
Configuring port MAC security
Displaying port MAC security information
802.1x authentication
802.1X authentication overview
Device roles in an 802.1X configuration
Communication between the devices
Controlled and uncontrolled ports
Message exchange during authentication
Authentication of multiple clients connected to the same port
How 802.1x multiple client authentication works
RADIUS attributes for authentication
Support for the RADIUS user-name attribute in Access-Accept messages
Dynamic VLAN assignment for 802.1X ports
Considerations for dynamic VLAN assignment in an 802.1X multiple client configuration
Dynamic ACLs and MAC address filters in authentication
Dynamically applying existing ACLs or MAC ACL
Strict security mode for dynamic filter assignment
802.1x readiness check
802.1X authentication enablement
Port control for authentication
802.1x client reauthentication options
Retransmission information for EAP-Request/Identity frames
Configuring 802.1x authentication
Displaying 802.1x information
Configuring Remote Server Authentication
Remote server authentication overview
Login authentication mode
Conditions for conformance
Configuring remote server authentication
Setting and verifying the login authentication mode
Resetting the login authentication mode
Changing the login authentication mode
Mutual Authentication Overview
RADIUS Server Authentication
RADIUS security
RADIUS Authentication
RADIUS Authorization
RADIUS Accounting
Account password changes
RADIUS authentication through management interfaces
Configuration of an interface as the source of RADIUS packets
Configuring server-side RADIUS support
Configuring a RADIUS server with Linux
Configuring a Windows IAS-based RADIUS server
Configuring RADIUS Server on a device
Adding a RADIUS server
Importing a RADIUS CA certificate
Modifying the RADIUS server configuration
Configuring the client to use RADIUS for login authentication
Enabling and disabling login accounting (RADIUS)
Enabling and disabling command accounting (RADIUS)
RADIUS two factor authentication support
RADIUS over TLS
Configuring Mutual Authentication for RADIUS
TACACS+ Server Authentication
Understanding and configuring TACACS+
TACACS+ authentication, authorization, and accounting
Supported TACACS+ packages and protocols
TACACS+ configuration components
Client configuration for TACACS+ support
Adding a TACACS+ server to the client server list
Modifying the client-side TACACS+ server configuration
Removing the client-side TACACS+ server configuration
Configuring the client to use TACACS+ for login authentication
Client configuration for TACACS+ authorization
Enabling command authorization
Client configuration for TACACS+ accounting
Client-side TACACS+ accounting overview
Conditions for conformance
Configuring TACACS+ accounting on the client
Enabling login accounting
Enabling command accounting
Disabling accounting
Viewing the TACACS+ accounting logs
Configuring TACACS+ on the server side
Server-side user account administration overview
Establishing a server-side user account
Changing a server-side TACACS+ account password
Defining a server-side TACACS+ group
Setting a server-side account expiration date
Configuring a TACACS+ server key
Configuring TACACS+ for the AAA user role
Configuring server-side rules for TACACS+ command authorization
Configuring TACACS+ for a mixed-vendor environment
Commands not supported for TACACS+ accounting
Key Chain Authentication
Key Chain Authentication Overview
Configure a Key Chain
Configure a Key Accept Tolerance
Configure a Key ID
Configure a Key Lifetime
Configure a Key Algorithm
Display Key Chain Configuration Details
Lightweight Directory Access Protocol
Understanding and configuring LDAP
User authentication
Server authentication
Server authorization
FIPS compliance
Configuring LDAP
Importing an LDAP CA certificate
Viewing the LDAP CA certificate
Configuring an Active Directory server on the client side
Adding an LDAP server to the client server list
Changing LDAP server parameters
Removing an LDAP server
Configuring Active Directory groups on the client side
Mapping an Active Directory group to a device role
Removing the mapping of an Active Directory to a device role
Configuring the client to use LDAP/AD for login authentication
Configuring an Active Directory server on the server side
Creating a user account on an LDAP/AD server
Verifying the user account on a device
Configuring LDAP users on a Windows AD server
LDAP over TLS
Configuring Mutual Authentication for LDAP
OAuth2 Authentication
OAuth2 Authentication
SLX Host PKI Certificate Expiry Alerts
HTTPS Certificates
HTTPS certificate overview
Configuring HTTPS certificates
Disabling HTTPS certificates
Enabling HTTPS service
Disabling HTTPS service
Configuring Mutual Authentication for HTTPS
Secure Shell
Secure Shell Overview
Configure SSH MAC
Removing an SSH MAC
Configure SSH Ciphers
Remove an SSH Cipher
Configure SSH Key-exchange
Remove an SSH key-exchange Algorithm
Configure SSH Host Key
Setting Supported TLS Version
Managing SSH Client Public Keys
Inline SSH Public Key Configuration
SSH Authentication with x.509 v3 Certificates
Two Factor SSH Authentication using CAC/PIV Card
TLS Server Certificate and Private Key with no Trust Point
TLS Server Certificate and Private Key with No Trust Point
VXLAN Visibility
VXLAN visibility overview
Overlay access list
Type of overlay access lists
Limitations and restrictions
Creating an overlay access list
Binding overlay access list
Displaying overlay access list information
Clearing overlay access list statistics
Mutual Authentication
Mutual Authentication Overview
Configuring Mutual Authentication for RADIUS
Configuring Mutual Authentication for LDAP
Configuring Mutual Authentication for SYSLOG
Configuring Mutual Authentication for HTTPS
Configuring Mutual Authentication for gNMI
BMC Configuration
Increase BMC Security
Change BMC User Password
Configure BMC LAN Interface
Reset BMC Configuration to Factory Defaults
Certificate Expiry Alert
Certificate Expiry Alert
Configure Certificate Expiry Alert
Disable processing of packets using IP Options
Disable processing of packets with IP options
Configure disable processing of IP packets for IPv4
Configure disable processing of IP packets for IPv6
Configure disable processing of IP packets with destination as CPU
Layer 3 (IPv4 and IPv6) ACLs
Layer 3 access control lists (ACLs) filter traffic based on IPv4 or IPv6 header fields.
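The following is an added worked example, not configuration or code from the SLX-OS guide. It models the generic evaluation semantics that Layer 3 ACLs on SLX-OS and most other platforms share: rules are processed in ascending sequence-number order, the first rule whose header fields match decides the action, and a packet that matches no rule hits the implicit deny at the end of the list. The Rule and Packet structures, the ACL names, the addresses and the evaluate() function are this example's own constructions and do not reproduce SLX-OS CLI syntax; the match fields (protocol, source and destination prefix, destination port) are the IPv4/IPv6 header fields the section refers to.

```python
"""Model of Layer 3 ACL evaluation: ordered rules, first match wins,
implicit deny at the end. Added example; representation is our own,
not the SLX-OS CLI."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    seq: int                          # sequence number; lower evaluates first
    action: str                       # "permit" or "deny"
    proto: str                        # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                          # CIDR prefix or "any"
    dst: str                          # CIDR prefix or "any"
    dst_port: Optional[int] = None    # only checked when the rule sets it


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


def _prefix_match(prefix: str, addr: str) -> bool:
    """'any' matches every address; otherwise a longest-prefix containment test."""
    if prefix == "any":
        return True
    return ip_address(addr) in ip_network(prefix, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every header field the rule constrains is matched by the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_prefix_match(rule.src, pkt.src) and _prefix_match(rule.dst, pkt.dst)):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


class L3Acl:
    """An IPv4 (version=4) or IPv6 (version=6) ACL holding sequence-ordered rules."""

    def __init__(self, name: str, version: int) -> None:
        if version not in (4, 6):
            raise ValueError("version must be 4 or 6")
        self.name = name
        self.version = version
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        # Reject duplicate sequence numbers and prefixes of the wrong address family.
        if any(r.seq == rule.seq for r in self.rules):
            raise ValueError(f"sequence {rule.seq} already used in {self.name}")
        for prefix in (rule.src, rule.dst):
            if prefix != "any" and ip_network(prefix, strict=False).version != self.version:
                raise ValueError(f"{prefix} is not an IPv{self.version} prefix")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the first matching rule, or ('deny', None)
        for the implicit deny that ends every ACL."""
        if ip_address(pkt.src).version != self.version:
            raise ValueError("packet address family does not match the ACL")
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action, rule.seq
        return "deny", None


def build_example_acls() -> Tuple[L3Acl, L3Acl]:
    """Constructed sample ACLs (hypothetical names and addresses)."""
    v4 = L3Acl("MGMT-IN", 4)
    v4.add_rule(Rule(10, "permit", "tcp", "10.0.0.0/24", "any", 22))   # SSH from the admin subnet
    v4.add_rule(Rule(20, "permit", "icmp", "any", "any"))              # allow ping everywhere
    v4.add_rule(Rule(30, "deny", "tcp", "any", "any", 22))             # explicit deny for other SSH
    v6 = L3Acl("V6-IN", 6)
    v6.add_rule(Rule(10, "permit", "tcp", "2001:db8::/32", "any", 443))
    return v4, v6


if __name__ == "__main__":
    v4, v6 = build_example_acls()
    for pkt in (Packet("10.0.0.5", "10.1.1.1", "tcp", 22),
                Packet("192.0.2.7", "10.1.1.1", "tcp", 22),
                Packet("192.0.2.7", "10.1.1.1", "udp", 53)):
        print(pkt, "->", v4.evaluate(pkt))
    print(v6.evaluate(Packet("2001:db8:1::5", "2001:db8:2::1", "tcp", 443)))
```

Two points the model makes visible that a single rule listing does not: the UDP/53 packet is dropped by the implicit deny even though no rule mentions it, so a "permit what you need" ACL needs no trailing deny rule for correctness (an explicit one is still useful for counters and logging), and the explicit deny at sequence 30 only takes effect for packets that fell through sequence 10, so rule order, not the order in which you typed the rules, determines the result.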