Filtering on IP precedence and ToS values, Applying an IPv4 ACL to a subset of – Brocade TurboIron 24X Series Configuration Guide User Manual
Brocade TurboIron 24X Series Configuration Guide
53-1003053-01
Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)
You can apply an IPv4 ACL to a virtual routing interface. The virtual interface is used for routing
between VLANs and contains all the ports within the VLAN. The IPv4 ACL applies to all the ports on
the virtual routing interface. You also can specify a subset of ports within the VLAN containing a
specified virtual interface when assigning an ACL to that virtual interface.
Use this feature when you do not want the IPv4 ACLs to apply to all the ports in the virtual interface
VLAN or when you want to streamline IPv4 ACL performance for the VLAN.
NOTE
Before you can bind an IPv4 ACL to specific ports on a virtual interface, you must first enable support
for this feature. If this feature is not already enabled on your device, enable it as instructed in the
section “Enabling ACL filtering based on VLAN membership or VE port membership”.
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the
following.
TurboIron(config)#vlan 10 name IP-subnet-vlan
TurboIron(config-vlan-10)#untag ethernet 1 to 12
TurboIron(config-vlan-10)#router-interface ve 1
TurboIron(config-vlan-10)#exit
TurboIron(config)#access-list 1 deny host 10.157.22.26 log
TurboIron(config)#access-list 1 deny 10.157.29.12 log
TurboIron(config)#access-list 1 deny host IPHost1 log
TurboIron(config)#access-list 1 permit any
TurboIron(config)#interface ve 1
TurboIron(config-vif-1)#ip access-group 1 in ethernet 1 ethernet 3 ethernet 4 to 5
The commands in this example configure port-based VLAN 10, add ports 1 – 12 to the VLAN, and
add virtual routing interface 1 to the VLAN. The commands following the VLAN configuration
commands configure ACL 1. Finally, the last two commands apply ACL 1 to a subset of the ports
associated with virtual interface 1.
Syntax: [no] ip access-group
The
Filtering on IP precedence and ToS values
To configure an extended IP ACL that matches based on IP precedence, enter commands such as
the following.
The first entry in this ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x
network, if the traffic has the IP precedence option “internet” (equivalent to “6”).
TurboIron(config)#access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 precedence internet
TurboIron(config)#access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 precedence 6
TurboIron(config)#access-list 103 permit ip any any
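As an added example (not part of the Brocade guide), the following Python evaluator parses the three entries of ACL 103 above and applies first-match semantics with the precedence keyword-to-value mapping; it shows that the second entry is shadowed by the first, because "internet" is 6 and the first entry does not restrict ports. It assumes the usual implicit deny when no entry matches, and treats a packet field the caller omits as 0.

```python
from ipaddress import ip_address, ip_network
# IP precedence keywords with their RFC 791 values; the page notes "internet" equals 6.
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
PORT_NAMES = {"ftp": 21}  # the only port keyword the page's ACL uses

def _addr(tokens):
    # Consume one address spec (any | host A | A/len) and an optional "eq <port>".
    tok = tokens.pop(0)
    if tok == "any":
        net = ip_network("0.0.0.0/0")
    else:
        net = ip_network(tokens.pop(0) + "/32" if tok == "host" else tok, strict=False)
    port = None
    if tokens[:1] == ["eq"]:
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        del tokens[:2]
    return net, port

def parse_entry(line):
    # Parse "access-list <id> <permit|deny> <proto> <src> <dst> [precedence <name|n>]".
    t = line.split()
    assert t[0] == "access-list", line
    e = {"action": t[2], "proto": t[3], "prec": None}
    rest = t[4:]
    e["src"], e["sport"] = _addr(rest)
    e["dst"], e["dport"] = _addr(rest)
    if rest[:1] == ["precedence"]:
        e["prec"] = PRECEDENCE[rest[1]] if rest[1] in PRECEDENCE else int(rest[1])
    return e

def _matches(e, pkt):
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in e["src"] or ip_address(pkt["dst"]) not in e["dst"]:
        return False
    # A port or precedence the entry leaves unspecified matches anything (assumed: missing packet field = 0).
    return all(e[k] is None or pkt.get(k, 0) == e[k] for k in ("sport", "dport", "prec"))

def evaluate(entries, pkt):
    # First matching entry wins; with no match the usual implicit deny applies (assumed here).
    for i, e in enumerate(entries):
        if _matches(e, pkt):
            return e["action"], i
    return "deny", None

ACL_103 = [parse_entry(l) for l in (  # the page's ACL 103, each entry on one line
    "access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 precedence internet",
    "access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 precedence 6",
    "access-list 103 permit ip any any")]
```

Running `evaluate(ACL_103, pkt)` on a TCP packet from 10.157.21.x to 10.157.22.x with precedence 6 and source port 21 returns the first entry, never the second, which is how a shadowed entry is spotted before deployment.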