beautypg.com

Applying egress acls to control (cpu) traffic, Preserving user input for acl tcp/udp port numbers – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 122

background image

NOTE
The dscp-cos-mapping option is supported on FSX devices only.

The dscp-marking option enables you to configure an ACL that marks matching packets with a
specified DSCP value. Enter a value from 0 - 63. Refer to

Using an IP ACL to mark DSCP values

(DSCP marking)

on page 137.

The dscp-matching option matches on the packet’s DSCP value. Enter a value from 0 - 63. This
option does not change the packet’s forwarding priority through the device or mark the packet. Refer
to

DSCP matching

on page 140.

The log parameter enables SNMP traps and Syslog messages for inbound packets denied by the
ACL:

• You can enable logging on inbound ACLs and filters that support logging even when the ACLs and

filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter
to the end of the ACL or filter. The software replaces the ACL or filter command with the new one.
The new ACL or filter, with logging enabled, takes effect immediately.

The traffic-policy option enables the device to rate limit inbound traffic and to count the packets and
bytes per packet to which ACL permit or deny clauses are applied. For configuration procedures and
examples, refer to the chapter "Traffic Policies" in the FastIron Ethernet Switch Traffic Management
Guide .

Configuration example for extended named ACLs

To configure an extended named ACL, enter the ip access-list extended ACL_name command.

device(config)#ip access-list extended "block Telnet"

device(config-ext-nACL)#deny tcp host 10.157.22.26 any eq telnet log

device(config-ext-nACL)#permit ip any any

device(config-ext-nACL)#exit

device(config)#int eth 1/1

device(config-if-1/1)#ip access-group "block Telnet" in

The options at the ACL configuration level and the syntax for the ip access-group command are the
same for numbered and named ACLs and are described in

Extended numbered ACL configuration

on

page 112 and

Extended numbered ACL configuration

on page 112.

Applying egress ACLs to Control (CPU) traffic

By default, outbound ACLs are not applied to traffic generated by the CPU. This must be enabled
using the enable egress-acl-on-control-traffic command.

Syntax: enable egress-acl-on-control-traffic

Preserving user input for ACL TCP/UDP port numbers

ACL implementations automatically display the TCP/UDP port name instead of the port number,
regardless of user preference, unless the device is configured to preserve user input. When the option
to preserve user input is enabled, the system will display either the port name or the number.

Applying egress ACLs to Control (CPU) traffic

122

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

See also other documents in the category Brocade Computer Accessories: