
Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide, page 921, 53-1003053-01

Enabling ACL filtering based on VLAN membership or VE port membership

By default, this feature support is disabled. To enable it, enter the following commands at the
Global CONFIG level of the CLI.

TurboIron(config)#enable ACL-per-port-per-vlan
TurboIron(config)#write memory
TurboIron(config)#exit
TurboIron#reload

After entering the above commands, you can do the following:

• Apply an IPv4 ACL to specific VLAN members on a port – refer to “Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)” on page 921
• Apply an IPv4 ACL to a subset of ports on a VE – refer to “Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)” on page 922

Syntax: [no] enable ACL-per-port-per-vlan

Enter the no form of the command to disable this feature.

Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)

When you bind an IPv4 ACL to a port, the port filters all inbound traffic on the port. However, on a
tagged port, there may be a need to treat packets for one VLAN differently from packets for another
VLAN. You can configure a tagged port on a Layer 2 device to filter packets based on the packets’
VLAN membership.

NOTE

Before you can bind an ACL to specific VLAN members on a port, you must first enable support for this feature. If this feature is not already enabled on your device, enable it as instructed in the section “Enabling ACL filtering based on VLAN membership or VE port membership” on page 920.

To apply an IPv4 ACL to a specific VLAN on a port, enter commands such as the following on a
tagged port.

TurboIron(config)#vlan 12 name vlan12
TurboIron(config-vlan-12)#untag ethernet 5 to 8
TurboIron(config-vlan-12)#tag ethernet 23 to 24
TurboIron(config-vlan-12)#exit
TurboIron(config)#access-list 10 deny host 10.157.22.26 log
TurboIron(config)#access-list 10 deny 10.157.29.12 log
TurboIron(config)#access-list 10 deny host IPHost1 log
TurboIron(config)#access-list 10 permit
TurboIron(config)#int e 23
TurboIron(config-if-e10000-23)#per-vlan 12
TurboIron(config-if-e10000-23-vlan-12)#ip access-group 10 in

The commands in this example configure port-based VLAN 12, and add ports e 5 – 8 as untagged
ports and ports e 23 – 24 as tagged ports to the VLAN. The commands following the VLAN
configuration commands configure ACL 10. Finally, the last three commands apply ACL 10 on
VLAN 12 for which port e 23 is a member.

Syntax: per-vlan <VLAN ID>

Syntax: [no] ip access-group

The <VLAN ID> parameter specifies the VLAN name or number to which you will bind the ACL.
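The two procedures above (enabling ACL-per-port-per-vlan, then binding ACL 10 to VLAN 12 on tagged port e 23) are easy to get subtly wrong: the per-vlan binding is only meaningful once the feature is enabled, only on a port that is a tagged member of that VLAN, and only for that VLAN's traffic, while other VLANs on the same tagged port pass unfiltered. The following Python model is an added example, not Brocade code, that parses a constructed running-config excerpt modelled on the page's CLI sequence, reports the precondition failures a config reviewer would flag, and evaluates which ACL (if any) applies to an inbound packet given its ingress port, VLAN and source address. Assumptions: the hostname IPHost1 (the page's own placeholder) is resolved through a constructed table, VLAN 13 is added to show an unfiltered VLAN on the same tagged port, the page's last ACL line is spelled "permit any", and the evaluation applies the implicit deny at the end of a standard ACL, which this page does not spell out.

```python
import re

# Constructed hostname table standing in for the switch's host-name lookup (assumption).
HOST_TABLE = {"IPHost1": "10.157.30.5"}

# Constructed running-config excerpt modelled on the page's CLI sequence (assumptions:
# VLAN 13 is added, and the final ACL entry is spelled "permit any").
SAMPLE_CONFIG = """\
enable ACL-per-port-per-vlan
vlan 12 name vlan12
 untag ethernet 5 to 8
 tag ethernet 23 to 24
vlan 13 name vlan13
 tag ethernet 23 to 24
access-list 10 deny host 10.157.22.26 log
access-list 10 deny 10.157.29.12 log
access-list 10 deny host IPHost1 log
access-list 10 permit any
interface ethernet 23
 per-vlan 12
  ip access-group 10 in
"""

def _ports(spec):
    """Expand 'ethernet 5 to 8' or 'ethernet 23' into a set of port numbers."""
    m = re.match(r"ethernet (\d+)(?: to (\d+))?$", spec.strip())
    if not m:
        raise ValueError(f"unsupported port spec: {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return set(range(lo, hi + 1))

def parse_config(text):
    """Build {'enabled', 'vlans', 'acls', 'bindings'} from config text."""
    cfg = {"enabled": False, "vlans": {}, "acls": {}, "bindings": []}
    vlan = port = pv = None                 # current CLI context
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "enable acl-per-port-per-vlan":
            cfg["enabled"] = True
        elif line.startswith("vlan "):
            vlan, port, pv = int(line.split()[1]), None, None
            cfg["vlans"].setdefault(vlan, {"tagged": set(), "untagged": set()})
        elif line.startswith(("tag ", "untag ")) and vlan is not None:
            kind, _, spec = line.partition(" ")
            cfg["vlans"][vlan][kind + "ged"].update(_ports(spec))   # tag -> tagged
        elif line.startswith("access-list "):
            p = line.split()
            src = p[4] if p[3] == "host" else p[3]        # 'host X', bare X, or any
            cfg["acls"].setdefault(int(p[1]), []).append((p[2], src))
        elif line.startswith("interface ethernet "):
            port, vlan, pv = int(line.split()[2]), None, None
        elif line.startswith("per-vlan ") and port is not None:
            pv = int(line.split()[1])
        elif line.startswith("ip access-group ") and port is not None:
            cfg["bindings"].append((port, pv, int(line.split()[2])))
    return cfg

def _tagged(cfg, vlan):
    return cfg["vlans"].get(vlan, {}).get("tagged", set())

def check_config(cfg):
    """Warnings a reviewer would raise before trusting a per-VLAN binding."""
    out = []
    for port, vlan, acl_id in cfg["bindings"]:
        where = f"port {port}" + (f" vlan {vlan}" if vlan is not None else "")
        if acl_id not in cfg["acls"]:
            out.append(f"{where}: ACL {acl_id} is not defined")
        if vlan is not None and not cfg["enabled"]:
            out.append(f"{where}: per-vlan binding without 'enable ACL-per-port-per-vlan'")
        if vlan is not None and port not in _tagged(cfg, vlan):
            out.append(f"{where}: port is not a tagged member of VLAN {vlan}")
    return out

def acl_for_ingress(cfg, port, vlan):
    """ACL id filtering inbound traffic for this port/VLAN pair, or None."""
    for bport, bvlan, acl_id in cfg["bindings"]:
        if bport != port:
            continue
        if bvlan is None:
            return acl_id                       # port-wide binding covers every VLAN
        if cfg["enabled"] and bvlan == vlan and port in _tagged(cfg, vlan):
            return acl_id
    return None

def evaluate_acl(cfg, acl_id, src_ip):
    """First-match evaluation with the implicit deny at the end of every ACL."""
    for action, src_spec in cfg["acls"].get(acl_id, []):
        target = HOST_TABLE.get(src_spec, src_spec)   # hostname -> address, else literal
        if src_spec == "any" or target == src_ip:
            return action
    return "deny"

def filter_packet(cfg, port, vlan, src_ip):
    """Verdict for an inbound packet; a port with no applicable ACL forwards everything."""
    acl_id = acl_for_ingress(cfg, port, vlan)
    return "permit" if acl_id is None else evaluate_acl(cfg, acl_id, src_ip)
```

Running `check_config(parse_config(SAMPLE_CONFIG))` returns no warnings; removing the `enable ACL-per-port-per-vlan` line produces a warning and, in this model, leaves VLAN 12 traffic on port 23 unfiltered, which is the failure the NOTE above is guarding against. The model also shows that VLAN 13 frames arriving on the same tagged port 23 and VLAN 12 frames on port 24 never hit ACL 10.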