Security Commands 1036
Management ACL Commands
Dell EMC Networking N1100-ON/N1500/N2000/N2100-ON/N3000/N3100-ON/N4000 Series Switches

In order to ensure the security of the switch management features, the administrator may elect to configure a management access control list. The Management Access Control and Administration List (ACAL) component is used to ensure that only known and trusted devices are allowed to remotely manage the switch via TCP/IP. Management ACLs are only configurable on IP (in-band) interfaces, not on the out-of-band interface or the serial port, and they only filter packets sent to the switch CPU. Packets that are forwarded by the switch are not filtered by Management ACLs. Management ACLs filter packets in firmware after all hardware-based ACLs (ip access-list and ipv6 access-list) have been applied. This allows the administrator to configure hardware-based filtering criteria for in-band management access and then further refine those criteria with the firmware-based filtering supplied by the management ACL capability.

When a Management ACAL is enabled, incoming TCP packets initiating a connection (TCP SYN) and UDP packets are filtered based on their source IP address and destination port. Additionally, other attributes such as the incoming port (or port-channel) and VLAN ID can be used to determine whether the traffic should be allowed access to the management interface. When the Management Access Control component is disabled, incoming TCP/UDP packets are not filtered in firmware and are processed normally. TCP SYN packets or UDP packets addressed to the following destination port numbers are not processed by the management ACL list: DNS (53), DHCP Server (67), DHCP Client (68), TFTP (69), telnet (23), HTTP (80), HTTPS (443), SNMP (161), SSH (22), and JAVA (4242).

There is also an option to restrict all of the above packets from the network interface. This is done by specifying "console only" in the MACAL component. If this option is enabled, the system management interface is only accessible via the serial port. All TCP SYN packets and UDP packets are dropped except UDP packets sent to the ports listed above.

Commands in this Section

This section explains the following commands:
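To make the filtering order described above concrete, the following Python model walks a packet through the management ACL decision exactly in the sequence the text gives: disabled component passes everything, only TCP SYN and UDP are examined, "console only" drops all of them except UDP to the listed ports, the listed destination ports bypass ACL processing, and finally the configured entries are matched on source prefix, destination port, ingress port and VLAN. This is an added illustration written for this page, not Dell firmware or Dell CLI syntax; the rule fields, first-match semantics, the implicit deny when no entry matches, and the sample addresses and port names are assumptions made for the example.

```python
"""Model of the management ACL decision procedure described on the page.

Constructed example: the Rule/Packet structures, first-match evaluation and
implicit deny are assumptions, not the switch's actual implementation.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Destination ports the page lists as not processed by the management ACL.
EXEMPT_PORTS = frozenset({53, 67, 68, 69, 23, 80, 443, 161, 22, 4242})


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp" or "udp"
    src_ip: str                # source IPv4 address
    dst_port: int              # destination port
    tcp_syn: bool = False      # True for a TCP SYN (new connection attempt)
    in_port: str = "Gi1/0/1"   # ingress port or port-channel (constructed name)
    vlan: int = 1              # ingress VLAN ID


@dataclass(frozen=True)
class Rule:
    """One management ACL entry (assumed field set)."""
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"            # source prefix; 0.0.0.0/0 = any
    dst_port: Optional[int] = None    # None = any destination port
    in_port: Optional[str] = None     # None = any ingress port/port-channel
    vlan: Optional[int] = None        # None = any VLAN

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src_ip) not in ip_network(self.src, strict=False):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.in_port is not None and self.in_port != pkt.in_port:
            return False
        if self.vlan is not None and self.vlan != pkt.vlan:
            return False
        return True


@dataclass
class ManagementAcl:
    enabled: bool = False
    console_only: bool = False      # assumed to be a mode of an enabled ACL
    rules: List[Rule] = field(default_factory=list)

    def decide(self, pkt: Packet) -> str:
        """Return "accept" if the packet reaches the CPU, "drop" otherwise.

        The model covers in-band (IP) interfaces only, since the page says
        management ACLs never apply to the out-of-band or serial interface,
        and it is applied after any hardware ACL has already passed the packet.
        """
        if not self.enabled:
            return "accept"                      # disabled: processed normally
        examined = pkt.proto == "udp" or (pkt.proto == "tcp" and pkt.tcp_syn)
        if not examined:
            return "accept"                      # e.g. mid-stream TCP segments
        if self.console_only:
            # Console only: drop all TCP SYN and UDP, except UDP to listed ports.
            if pkt.proto == "udp" and pkt.dst_port in EXEMPT_PORTS:
                return "accept"
            return "drop"
        if pkt.dst_port in EXEMPT_PORTS:
            return "accept"                      # listed ports bypass the ACL
        for rule in self.rules:                  # ASSUMPTION: first match wins
            if rule.matches(pkt):
                return "accept" if rule.action == "permit" else "drop"
        return "drop"                            # ASSUMPTION: implicit deny


def sample_acl() -> ManagementAcl:
    """Trust only 10.0.0.0/24 arriving on VLAN 10 (constructed policy)."""
    return ManagementAcl(enabled=True,
                         rules=[Rule("permit", "10.0.0.0/24", vlan=10)])


if __name__ == "__main__":
    acl = sample_acl()
    for pkt in (Packet("tcp", "10.0.0.5", 8080, tcp_syn=True, vlan=10),
                Packet("tcp", "192.0.2.9", 8080, tcp_syn=True, vlan=10),
                Packet("udp", "192.0.2.9", 53)):
        print(pkt, "->", acl.decide(pkt))
```

Running the model against a few constructed packets shows why the hardware ACL still matters: a non-SYN TCP segment, or UDP to one of the listed ports, is never examined by the management ACL at all, so any filtering wanted for that traffic has to be done with ip access-list / ipv6 access-list in hardware.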