
202, 203, and 204, but not 300, 401, 600, and 900. See the release notes for a list of supported
modules.

• Brocade devices do not support a globally-configured PBR policy together with per-port-per-VLAN ACLs.

• IPv4 ACLs that filter based on VLAN membership or VE port membership (ACL-per-port-per-VLAN) are supported together with IPv6 ACLs on the same device, as long as they are not bound to the same port or virtual interface.

Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)

NOTE
This section applies to IPv4 ACLs only. IPv6 ACLs do not support ACL filtering based on VLAN
membership.

When you bind an IPv4 ACL to a port, the port filters all inbound traffic on the port. However, on a
tagged port, there may be a need to treat packets for one VLAN differently from packets for another
VLAN. In this case, you can configure a tagged port on a Layer 2 device to filter packets based on the
packets’ VLAN membership.

To apply an IPv4 ACL to a specific VLAN on a port, enter commands such as the following.

device(config)#enable ACL-per-port-per-vlan
...
device(config)#vlan 12 name vlan12
device(config-vlan-12)#untag ethernet 5 to 8
device(config-vlan-12)#tag ethernet 23 to 24
device(config-vlan-12)#exit
device(config)#access-list 10 deny host 10.157.22.26 log
device(config)#access-list 10 deny 10.157.29.12 log
device(config)#access-list 10 deny host IPHost1 log
device(config)#access-list 10 permit
device(config)#int e 1/23
device(config-if-e1000-1/23)#per-vlan 12
device(config-if-e1000-1/23-vlan-12)#ip access-group 10 in

NOTE
The enable ACL-per-port-per-vlan command must be followed by the write-memory and reload
commands to place the change into effect.

The commands in this example configure port-based VLAN 12, adding ports e 5 - 8 as untagged members
and ports e 23 - 24 as tagged members of the VLAN. The commands following the VLAN configuration
commands configure ACL 10. Finally, the last three commands apply ACL 10 to VLAN 12 traffic on port
e 23, which is a tagged member of that VLAN.
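The binding rules above (feature enabled, ACL defined, port actually a member of the VLAN it is bound under) are easy to get wrong in a long configuration. The following added audit script is not part of this guide or of Brocade's software; it parses a constructed FastIron-style excerpt modelled on the example above (with ports written in slot/port form throughout) and reports any binding that violates those rules.

```python
import re
# Constructed FastIron-style excerpt modelled on the page's example, using slot/port names throughout.
CONFIG = """\
enable ACL-per-port-per-vlan
vlan 12 name vlan12
 tag ethernet 1/23 to 1/24
access-list 10 deny host 10.157.22.26 log
access-list 10 permit any
interface ethernet 1/23
 per-vlan 12
  ip access-group 10 in
"""

def expand_ports(spec):
    # 'ethernet 1/23 to 1/24' -> ['1/23', '1/24']; a range is assumed to stay within one slot
    m = re.fullmatch(r"ethernet (?:(\d+)/)?(\d+)(?: to (?:\d+/)?(\d+))?", spec.strip())
    slot = f"{m.group(1)}/" if m.group(1) else ""
    return [f"{slot}{p}" for p in range(int(m.group(2)), int(m.group(3) or m.group(2)) + 1)]

def parse(config):
    # Collect the feature flag, VLAN port membership, defined ACL numbers and per-VLAN bindings
    st = {"feature": False, "vlans": {}, "acls": set(), "bindings": []}
    vlan = iface = pv = None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        w = line.split()
        if line.lower() == "enable acl-per-port-per-vlan":
            st["feature"] = True
        elif w[0] == "vlan":
            vlan, iface = int(w[1]), None
        elif w[0] in ("tag", "untag") and vlan is not None:
            st["vlans"].setdefault(vlan, set()).update(expand_ports(line.split(None, 1)[1]))
        elif w[0] == "access-list":
            st["acls"].add(int(w[1]))
        elif w[0] == "interface":
            iface, vlan, pv = w[2], None, None
        elif w[0] == "per-vlan" and iface:
            pv = int(w[1])
        elif line.startswith("ip access-group") and iface:
            st["bindings"].append((iface, pv, int(w[2]), w[3]))
    return st

def audit(st):
    """Findings against the page's rules; an empty list means the bindings are consistent."""
    out = []
    if st["bindings"] and not st["feature"]:
        out.append("enable ACL-per-port-per-vlan missing (needs write memory and reload to apply)")
    for port, vlan, acl, _ in st["bindings"]:
        if vlan is None or port not in st["vlans"].get(vlan, ()):
            out.append(f"{port}: bound under per-vlan {vlan} but not a member of that VLAN")
        if acl not in st["acls"]:
            out.append(f"{port}: ACL {acl} is never defined")
    return out
```

Running `audit(parse(CONFIG))` on the excerpt returns no findings; removing the enable line or binding the ACL on a port outside VLAN 12 produces one finding each.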

Syntax: [no] enable ACL-per-port-per-vlan VLAN-ID

Syntax: [no] ip access-group ACL-ID

The VLAN ID parameter specifies the VLAN name or number to which you will bind the ACL.

The ACL ID parameter is the access list name or number.

FastIron Ethernet Switch Security Configuration Guide

131

53-1003088-03