TCP flags - edge port security, QoS options for IP ACLs, Option set for the icmp-type parameter - Brocade FastIron Ethernet Switch Security Configuration Guide User Manual, page 135

precedence 6

device(config)#access-list 103 permit ip any any

The first entry in this ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x network, if
the traffic has the IP precedence option "internet" (equivalent to "6").

The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network, if the
traffic has the IP precedence value "6" (equivalent to "internet").

The third entry permits all packets that are not explicitly denied by the other entries. Without this entry,
the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.

To configure an IP ACL that matches based on ToS, enter commands such as the following.

device(config)#access-list 104 deny tcp 10.157.21.0/24 10.157.22.0/24 tos normal
device(config)#access-list 104 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 tos 13
device(config)#access-list 104 permit ip any any

The first entry in this IP ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x
network, if the traffic has the IP ToS option "normal" (equivalent to "0").

The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network, if the
traffic has the IP ToS value "13" (equivalent to "max-throughput", "min-delay", and "min-monetary-cost").

The third entry permits all packets that are not explicitly denied by the other entries. Without this entry,
the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
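The precedence and ToS matching described above, as an added Python model that is not Brocade's code: it splits the IPv4 ToS byte into the precedence and 4-bit ToS fields, expands the value 13 into its keywords, and walks the three entries of ACL 104 in order so that the role of the final permit ip any any (and the implicit deny without it) is visible. The Packet and Entry types are constructed for the example; the max-reliability bit follows RFC 1349 rather than this page.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional
# IPv4 ToS byte (RFC 791/RFC 1349): precedence in the top 3 bits ("internet" = 6 on the page),
# the 4-bit ToS field below it, then one unused bit. 13 = min-delay (8) + max-throughput (4)
# + min-monetary-cost (1), as the page states; max-reliability (2) is the remaining RFC 1349 bit.
TOS_BITS = {"min-monetary-cost": 1, "max-reliability": 2, "max-throughput": 4, "min-delay": 8}

def split_tos_byte(tos_byte: int) -> tuple:
    """Return (precedence, tos) from the 8-bit ToS field of an IPv4 header."""
    return tos_byte >> 5, (tos_byte >> 1) & 0xF

def tos_names(tos: int) -> list:
    """Expand a 4-bit ToS value into the keywords an ACL 'tos' clause accepts ("normal" is 0)."""
    return ["normal"] if tos == 0 else [n for n, b in TOS_BITS.items() if tos & b]

@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int] = None  # "eq ftp" placed after the source address is a source port (21)
    tos: Optional[int] = None
    precedence: Optional[int] = None

# Constructed packet model: just the header fields the ACL clauses look at.
Packet = namedtuple("Packet", "proto src dst src_port tos_byte")
NET = ipaddress.ip_network
ANY = NET("0.0.0.0/0")

# ACL 104 as configured on the page; entries are evaluated in order and the first match wins.
ACL_104 = [
    Entry("deny", "tcp", NET("10.157.21.0/24"), NET("10.157.22.0/24"), tos=0),
    Entry("deny", "tcp", NET("10.157.21.0/24"), NET("10.157.22.0/24"), src_port=21, tos=13),
    Entry("permit", "ip", ANY, ANY),
]

def matches(e: Entry, p: Packet) -> bool:
    prec, tos = split_tos_byte(p.tos_byte)
    return ((e.proto == "ip" or e.proto == p.proto)
            and ipaddress.ip_address(p.src) in e.src and ipaddress.ip_address(p.dst) in e.dst
            and (e.src_port is None or e.src_port == p.src_port)
            and (e.tos is None or e.tos == tos) and (e.precedence is None or e.precedence == prec))

def evaluate(acl: list, p: Packet) -> str:
    """First matching entry decides; with no match at all the ACL denies (the implicit deny)."""
    return next((e.action for e in acl if matches(e, p)), "deny")
```

Passing ACL_104[:2] (the ACL without its final permit) to evaluate shows every non-matching packet being denied, which is the behaviour the text warns about.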

TCP flags - edge port security

The edge port security feature works in combination with IP ACL rules and can be combined with other
ACL functions (such as dscp-marking and traffic policies), giving you greater flexibility when designing
ACLs.

For details about the edge port security feature, refer to the Using TCP Flags in combination with other ACL features section.

QoS options for IP ACLs

Quality of Service (QoS) options enable you to perform QoS for packets that match the ACLs. Using an
ACL to perform QoS is an alternative to directly setting the internal forwarding priority based on
incoming port, VLAN membership, and so on. (That method is described in the "QoS priorities-to-traffic
assignment" section of the FastIron Ethernet Switch Traffic Management Guide.)

The following QoS ACL options are supported:

dscp-cos-mapping - This option is similar to the dscp-matching command (described below). This
option maps the DSCP value in incoming packets to a hardware table that provides mapping of each
of the 0 - 63 DSCP values, and distributes them among eight traffic classes (internal priorities) and
eight 802.1p priorities.

By default, the Brocade device performs 802.1p-to-CoS mapping. If you want to use DSCP-to-CoS
mapping instead, you must enter the following ACL statement.

permit ip any any dscp-cos-mapping

FastIron Ethernet Switch Security Configuration Guide, page 135, 53-1003088-03