Quick Reference Guide

386 PowerConnect B-Series TI24X Configuration Guide
53-1002269-02
NOTE: Before you can bind an IPv4 ACL to specific ports on a virtual interface, you must first enable support for this feature. If this feature is not already enabled on your device, enable it as instructed in the section “Enabling ACL filtering based on VLAN membership or VE port membership” on page 384.
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following.
PowerConnect(config)# vlan 10 name IP-subnet-vlan
PowerConnect(config-vlan-10)# untag ethernet 1 to 12
PowerConnect(config-vlan-10)# router-interface ve 1
PowerConnect(config-vlan-10)# exit
PowerConnect(config)# access-list 1 deny host 209.157.22.26 log
PowerConnect(config)# access-list 1 deny 209.157.29.12 log
PowerConnect(config)# access-list 1 deny host IPHost1 log
PowerConnect(config)# access-list 1 permit any
PowerConnect(config)# interface ve 1
PowerConnect(config-vif-1)# ip access-group 1 in ethernet 1 ethernet 3 ethernet 4 to 5
The commands in this example configure port-based VLAN 10, add ports 1 – 12 to the VLAN, and
add virtual routing interface 1 to the VLAN. The commands following the VLAN configuration
commands configure ACL 1. Finally, the last two commands apply ACL 1 to a subset of the ports
associated with virtual interface 1.
Syntax: [no] ip access-group <ACL ID> in ethernet <portnum> [to <portnum>]
The <ACL ID> parameter is the access list name or number.
Filtering on IP precedence and ToS values
To configure an extended IP ACL that matches based on IP precedence, enter commands such as the following.
PowerConnect(config)#access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24 precedence internet
PowerConnect(config)#access-list 103 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 precedence 6
PowerConnect(config)#access-list 103 permit ip any any
The first entry in this ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP precedence option “internet” (equivalent to “6”).
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP precedence value “6” (equivalent to “internet”).
The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
To configure an IP ACL that matches based on ToS, enter commands such as the following.
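As an added example that is not part of the guide, the following Python model parses ACL 103 as written above and evaluates sample packets against it the way the switch does: first match wins, IP precedence is the top three bits of the ToS byte, and a list without the final permit entry denies everything. The precedence names other than “internet” are the standard RFC 791 names, not taken from this page, and the sample packet is constructed.

```python
import ipaddress

# Standard IP precedence names (RFC 791); the guide itself only uses "internet" (6).
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
PORT_NAMES = {"ftp": 21}  # the one port keyword used on the page

def _addr(tok):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D/len'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(tok[0], strict=False), tok[1:]

def parse_entry(line):
    """Parse 'access-list <id> <action> <proto> <src> [eq <port>] <dst> [precedence <val>]'."""
    tok = line.replace("PowerConnect(config)#", "").split()
    entry = {"id": tok[1], "action": tok[2], "proto": tok[3], "sport": None, "precedence": None}
    entry["src"], rest = _addr(tok[4:])
    if rest and rest[0] == "eq":  # source-port qualifier follows the source address
        entry["sport"] = int(PORT_NAMES.get(rest[1], rest[1]))
        rest = rest[2:]
    entry["dst"], rest = _addr(rest)
    if rest and rest[0] == "precedence":  # accepts a name ("internet") or a number ("6")
        entry["precedence"] = PRECEDENCE[rest[1]] if rest[1] in PRECEDENCE else int(rest[1])
    return entry

def evaluate(acl, pkt):
    """Return (action, index of the matching entry). First match wins; an ACL
    with no matching entry denies the packet (implicit deny, index None)."""
    for i, e in enumerate(acl):
        if (e["proto"] in ("ip", pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in e["src"]
                and ipaddress.ip_address(pkt["dst"]) in e["dst"]
                and e["sport"] in (None, pkt.get("sport"))
                and e["precedence"] in (None, pkt["tos"] >> 5)):  # precedence = top 3 ToS bits
            return e["action"], i
    return "deny", None

# ACL 103 exactly as the guide configures it.
ACL_103 = [parse_entry(l) for l in """
access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24 precedence internet
access-list 103 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 precedence 6
access-list 103 permit ip any any
""".split("\n") if l.strip()]

# Constructed sample packet: FTP control traffic with ToS 0xC0 (precedence 6).
SAMPLE = {"proto": "tcp", "src": "209.157.21.7", "dst": "209.157.22.3", "sport": 21, "tos": 0xC0}
```

Tracing which entry matched shows that the second entry never fires on its own, because the first entry already covers all TCP at precedence 6 from that source network; dropping the final permit makes every non-matching packet hit the implicit deny.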