Chapter 2. IBM System Networking Switch 10Gb Ethernet switch features 97
Figure 2-21 shows a typical message exchange initiated by the client.
Figure 2-21 Authenticating a port by using EAPoL
2.8.6 Access control lists
Access control lists (ACLs) are filters that permit or deny traffic for security purposes. They can also be used with QoS to classify and segment traffic so that different traffic types receive different levels of service. Each ACL defines the conditions a packet must match to be included in the filter, and the actions that are performed when a match is made.
IBM System Networking switches running IBM Networking OS V6.8 support the following ACLs:
• Regular ACLs: Up to 256 ACLs are supported for networks that use IPv4 addressing.
• IPv6 ACLs: Up to 128 ACLs are supported for networks that use IPv6 addressing.
• VLAN Maps (VMaps): Up to 128 VLAN Maps are supported for attaching filters to VLANs rather than ports.
98 Implementing IBM System Networking 10Gb Ethernet Switches
Summary of packet classifiers
You can use ACLs to classify packets according to various fields in the packet header (such as the source address, destination address, source port number, destination port number, and others). Once classified, packet flows can be identified for further processing.
You can use regular ACLs, IPv6 ACLs, and VMaps to classify packets based on the following packet attributes:
• Ethernet header options (for regular ACLs and VMaps only)
  Source MAC address
  Destination MAC address
  VLAN number and mask
  Ethernet type (ARP, IP, IPv6, MPLS, RARP, and so on)
  Ethernet priority (the IEEE 802.1p priority)
• IPv4 header options (for regular ACLs and VMaps only)
  Source IPv4 address and subnet mask
  Destination IPv4 address and subnet mask
  Type of Service value
  IP protocol number or name, as shown in Table 2-4
Table 2-4 Well-known protocol types
Number   Protocol name
1        ICMP
2        IGMP
6        TCP
17       UDP
89       OSPF
112      VRRP
• IPv6 header options (for IPv6 ACLs only)
  Source IPv6 address and prefix length
  Destination IPv6 address and prefix length
  Next Header value
  Flow Label value
  Traffic Class value
• TCP/UDP header options (for all ACLs)
  TCP/UDP application source port and mask, as shown in Table 2-5
  TCP/UDP application destination port, as shown in Table 2-5
Table 2-5 Well-known application ports
Port      Application   Port   Application   Port        Application
20/udp    ftp-data      79     finger        179         bgp
21        FTP           80     HTTP          194         irc
22        SSH           109    POP2          220         imap3
23        Telnet        110    POP3          389         ldap
25        SMTP          111    sunrpc        443         https
37        time          119    NNTP          520         rip
42        name          123    NTP           554         rtsp
43        whois         143    IMAP          1645/1812   RADIUS
53        domain        144    news          1813        RADIUS accounting
69        TFTP          161    SNMP          1985        hsrp
70        gopher        162    snmptrap
• TCP flag value, as shown in Table 2-6
Table 2-6 TCP flag values
Flag   Value
URG    0x0020
ACK    0x0010
PSH    0x0008
RST    0x0004
SYN    0x0002
FIN    0x0001
• Packet format (for regular ACLs and VMaps only)
  Ethernet format (eth2, SNAP, LLC)
  Ethernet tagging format
  IP format (IPv4, IPv6)
• Egress port packets (for all ACLs)
Summary of ACL actions
After packet flows are classified by using ACLs, they can be processed differently. Each ACL is assigned one action, which determines how the switch treats packets that match the classifiers assigned to that ACL. The available actions are:
• Pass or Drop the packet
• Remark the packet with a new DiffServ Code Point (DSCP)
• Remark the 802.1p field
• Set the COS queue
ACL order of precedence
When multiple ACLs are assigned to a port, they are evaluated in numeric sequence, based on the ACL number. Lower-numbered ACLs take precedence over higher-numbered ACLs. For example, ACL 1 (if assigned to the port) is evaluated first and has top priority.
If multiple ACLs match the port traffic, only the action of the one with the lowest ACL number is applied. The others are ignored.
If no assigned ACL matches the port traffic, no ACL action is applied.
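The precedence rule described above (ACLs on a port are checked in numeric order, only the lowest-numbered match acts, and no match means no action) modelled in Python, using the protocol numbers of Table 2-4 and the TCP flag bits of Table 2-6 as classifiers. This is an added example, not code or CLI syntax from IBM Networking OS; the ACL numbers, the management subnet and the packets are constructed to show why numbering a broad drop below a narrow permit silently shadows the permit.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import Optional
# Protocol numbers (Table 2-4) and TCP flag bits (Table 2-6) used as classifiers.
PROTO = {"ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "OSPF": 89, "VRRP": 112}
TCP_FLAG = {"URG": 0x0020, "ACK": 0x0010, "PSH": 0x0008,
            "RST": 0x0004, "SYN": 0x0002, "FIN": 0x0001}

@dataclass
class Acl:
    """One ACL: classifiers (None = wildcard) plus one action; lower number wins."""
    number: int
    action: str                          # "pass" or "drop"
    src: Optional[IPv4Network] = None    # source address and subnet mask
    proto: Optional[int] = None          # IP protocol number
    dport: Optional[int] = None          # TCP/UDP destination port
    flags: Optional[int] = None          # TCP flag bits that must all be set

    def matches(self, pkt: dict) -> bool:
        if self.src is not None and ip_address(pkt["src"]) not in self.src:
            return False
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.flags is not None and (pkt.get("flags", 0) & self.flags) != self.flags:
            return False
        return True

def evaluate(acls: list, pkt: dict):
    """Precedence rule: check the port's ACLs in numeric order and act on the
    first match only; with no match the switch applies no ACL action (None)."""
    for acl in sorted(acls, key=lambda a: a.number):
        if acl.matches(pkt):
            return acl.number, acl.action
    return None

# Constructed port policy: allow SSH session set-up (TCP SYN to port 22) from the
# management subnet only, drop SSH from everywhere else, leave other traffic alone.
MGMT = IPv4Network("10.1.0.0/16")
PERMIT_MGMT_SSH = dict(src=MGMT, proto=PROTO["TCP"], dport=22, flags=TCP_FLAG["SYN"])
DROP_ALL_SSH = dict(proto=PROTO["TCP"], dport=22)
POLICY = [Acl(10, "pass", **PERMIT_MGMT_SSH), Acl(20, "drop", **DROP_ALL_SSH)]
# Same ACLs with the numbers swapped: the drop is evaluated first, so the permit
# can never take effect (it is shadowed by the lower-numbered ACL).
SHADOWED = [Acl(10, "drop", **DROP_ALL_SSH), Acl(20, "pass", **PERMIT_MGMT_SSH)]
# Constructed packets, described by the header fields the classifiers inspect.
SSH_SYN_FROM_MGMT = {"src": "10.1.5.9", "proto": 6, "dport": 22, "flags": 0x0002}
SSH_SYN_FROM_OTHER = {"src": "192.0.2.7", "proto": 6, "dport": 22, "flags": 0x0002}
DNS_QUERY = {"src": "192.0.2.7", "proto": 17, "dport": 53}
```

Calling evaluate(POLICY, pkt) returns (10, "pass") for management SSH, (20, "drop") for SSH from elsewhere and None for the DNS query; with SHADOWED the management SSH packet is dropped by ACL 10 before ACL 20 is ever consulted.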