Filtering on ip precedence and tos values, Applying an ipv4 acl to a subset of – Brocade TurboIron 24X Series Configuration Guide User Manual


922

Brocade TurboIron 24X Series Configuration Guide

53-1003053-01

The <ACL ID> parameter is the access list name or number.

Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)

You can apply an IPv4 ACL to a virtual routing interface. The virtual interface is used for routing
between VLANs and contains all the ports within the VLAN. The IPv4 ACL applies to all the ports on
the virtual routing interface. You also can specify a subset of ports within the VLAN containing a
specified virtual interface when assigning an ACL to that virtual interface.

Use this feature when you do not want the IPv4 ACLs to apply to all the ports in the virtual interface
VLAN or when you want to streamline IPv4 ACL performance for the VLAN.

NOTE
Before you can bind an IPv4 ACL to specific ports on a virtual interface, you must first enable support
for this feature. If this feature is not already enabled on your device, enable it as instructed in the
section “Enabling ACL filtering based on VLAN membership or VE port membership” on page 920.

To apply an ACL to a subset of ports within a virtual interface, enter commands such as the
following.

TurboIron(config)#vlan 10 name IP-subnet-vlan
TurboIron(config-vlan-10)#untag ethernet 1 to 12
TurboIron(config-vlan-10)#router-interface ve 1
TurboIron(config-vlan-10)#exit
TurboIron(config)#access-list 1 deny host 10.157.22.26 log
TurboIron(config)#access-list 1 deny 10.157.29.12 log
TurboIron(config)#access-list 1 deny host IPHost1 log
TurboIron(config)#access-list 1 permit any
TurboIron(config)#interface ve 1
TurboIron(config-vif-1)#ip access-group 1 in ethernet 1 ethernet 3 ethernet 4 to 5

The commands in this example configure port-based VLAN 10, add ports 1 – 12 to the VLAN, and
add virtual routing interface 1 to the VLAN. The commands following the VLAN configuration
commands configure ACL 1. Finally, the last two commands apply ACL 1 to a subset of the ports
associated with virtual interface 1.

Syntax: [no] ip access-group <ACL ID> in ethernet <portnum> [to <portnum> ]

The <ACL ID> parameter is the access list name or number.

Filtering on IP precedence and ToS values

To configure an extended IP ACL that matches based on IP precedence, enter commands such as
the following.

The first entry in this ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x
network, if the traffic has the IP precedence option “internet” (equivalent to “6”).

TurboIron(config)#access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 precedence internet
TurboIron(config)#access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 precedence 6
TurboIron(config)#access-list 103 permit ip any any
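As an added illustration (not code from the Brocade guide), the following Python models how the entries in ACL 1 and ACL 103 above are evaluated: the first matching entry decides, a packet that matches no entry falls to the implicit deny at the end of the ACL, and the precedence keyword names are the RFC 791 IP precedence values, of which the guide confirms that internet equals 6. The port-name table and the packet dictionary shape are assumptions, and the IPHost1 entry is left out because hostname resolution is not modelled.

```python
import ipaddress

# Standard IP precedence names (RFC 791); the guide notes "internet" is equivalent to 6.
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
PORTS = {"ftp": 21, "telnet": 23, "http": 80}   # assumed names accepted after the eq keyword

def _net(tok):
    """'any', or A.B.C.D[/len]; a bare address (or one after 'host') is a /32."""
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok if "/" in tok else tok + "/32")

def parse_acl(lines):
    """Parse 'access-list N permit|deny ...' lines (the forms used on this page) into rules."""
    rules = []
    for line in lines:
        t = [x for x in line.split()[1:] if x != "host"]   # 'host A.B.C.D' is A.B.C.D/32
        rule = {"action": t[1], "proto": "ip", "dst": None, "sport": None,
                "prec": None, "log": "log" in t}
        t = t[2:]
        extended = t[0] in ("ip", "tcp", "udp")            # extended ACLs name a protocol first
        if extended:
            rule["proto"] = t.pop(0)
        rule["src"] = _net(t.pop(0))
        if t and t[0] == "eq":                             # source-port qualifier
            rule["sport"] = PORTS[t[1]] if t[1] in PORTS else int(t[1]); t = t[2:]
        if extended:
            rule["dst"] = _net(t.pop(0))
        if t and t[0] == "precedence":
            rule["prec"] = PRECEDENCE[t[1]] if t[1] in PRECEDENCE else int(t[1])
        rules.append(rule)
    return rules

def evaluate(rules, pkt):
    """First match wins: (entry index, action, log); (-1, 'deny', False) is the implicit deny."""
    for i, r in enumerate(rules):
        if (r["proto"] in ("ip", pkt.get("proto"))
                and ipaddress.ip_address(pkt["src"]) in r["src"]
                and (r["dst"] is None or ipaddress.ip_address(pkt["dst"]) in r["dst"])
                and r["sport"] in (None, pkt.get("sport"))
                and r["prec"] in (None, pkt.get("prec", 0))):
            return i, r["action"], r["log"]
    return -1, "deny", False

# Constructed input: the page's ACL 1 (hostname entry omitted) and ACL 103.
ACL_1 = parse_acl(["access-list 1 deny host 10.157.22.26 log",
                   "access-list 1 deny 10.157.29.12 log", "access-list 1 permit any"])
ACL_103 = parse_acl(["access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 precedence internet",
                     "access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 precedence 6",
                     "access-list 103 permit ip any any"])
```

Running the FTP case through ACL 103 shows that its second entry never matches: the first entry already covers all TCP traffic between the two networks at precedence 6, so only the first entry's log setting ever takes effect.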
