FastIron Configuration Guide 1739
53-1002494-02
Filtering on IP precedence and ToS values
To configure an extended IP ACL that matches based on IP precedence, enter commands such as
the following.

Brocade(config)#access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24 precedence internet
Brocade(config)#access-list 103 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 precedence 6
Brocade(config)#access-list 103 permit ip any any

The first entry in this ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x
network if the traffic has the IP precedence option "internet" (equivalent to "6").
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x
network if the traffic has the IP precedence value "6" (equivalent to "internet").
The third entry permits all packets that are not explicitly denied by the other entries. Without this
entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the
ACL, because an ACL ends with an implicit deny.

To configure an IP ACL that matches based on ToS, enter commands such as the following.

Brocade(config)#access-list 104 deny tcp 209.157.21.0/24 209.157.22.0/24 tos normal
Brocade(config)#access-list 104 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 tos 13
Brocade(config)#access-list 104 permit ip any any

The first entry in this IP ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x
network if the traffic has the IP ToS option "normal" (equivalent to "0").
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x
network if the traffic has the IP ToS value "13" (equivalent to "max-throughput", "min-delay", and
"min-monetary-cost" set together).
The third entry permits all packets that are not explicitly denied by the other entries. Without this
entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the
ACL, because an ACL ends with an implicit deny.

TCP flags - edge port security
The edge port security feature works in combination with IP ACL rules and can be combined with
other ACL functions (such as dscp-marking and traffic policies), giving you greater flexibility when
designing ACLs.
For details about the edge port security feature, refer to "Using TCP Flags in combination with other
ACL features" on page 178.
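The following Python script is an added example, not part of the FastIron guide or Brocade's own tooling. It models the first-match, implicit-deny evaluation that the text describes for access lists 103 and 104, and encodes the keyword-to-value mappings the text relies on (precedence "internet" = 6, tos 13 = min-delay + max-throughput + min-monetary-cost). The entry(), matches(), acl_action() and pkt() helpers and the sample packets are constructed for illustration; the only page values used are the two ACLs themselves. It goes slightly beyond the page by evaluating any combination of the same match fields, and by showing what happens when the final "permit ip any any" entry is omitted.

```python
import ipaddress

# Keyword tables behind the FastIron "precedence" and "tos" ACL options
# (3-bit IP precedence field, 4 ToS flag bits; "normal" means no bits set).
PRECEDENCE = {
    "routine": 0, "priority": 1, "immediate": 2, "flash": 3,
    "flash-override": 4, "critical": 5, "internet": 6, "network": 7,
}
TOS_BITS = {
    "min-delay": 8, "max-throughput": 4, "max-reliability": 2,
    "min-monetary-cost": 1,
}
PORT_NAMES = {"ftp": 21}  # well-known name used by "eq ftp"


def tos_value(*names):
    """Numeric ToS for a set of keywords; 'normal' contributes no bits (0)."""
    return sum(TOS_BITS[n] for n in names if n != "normal")


def tos_names(value):
    """Keyword list for a numeric ToS value, e.g. 13 -> the three bits set."""
    names = [n for n, bit in TOS_BITS.items() if value & bit]
    return names or ["normal"]


def entry(action, proto, src, dst, src_port=None, precedence=None, tos=None):
    """One ACL line with keyword arguments normalised to integers (hypothetical helper)."""
    if isinstance(precedence, str):
        precedence = PRECEDENCE[precedence]
    if isinstance(tos, str):
        tos = tos_value(tos)
    if isinstance(src_port, str):
        src_port = PORT_NAMES[src_port]
    return {
        "action": action, "proto": proto,
        "src": None if src == "any" else ipaddress.ip_network(src),
        "dst": None if dst == "any" else ipaddress.ip_network(dst),
        "src_port": src_port, "precedence": precedence, "tos": tos,
    }


def matches(e, pkt):
    """True when every field the entry specifies matches the packet."""
    if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
        return False
    if e["src"] is not None and ipaddress.ip_address(pkt["src"]) not in e["src"]:
        return False
    if e["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in e["dst"]:
        return False
    if e["src_port"] is not None and pkt.get("sport") != e["src_port"]:
        return False
    if e["precedence"] is not None and pkt["precedence"] != e["precedence"]:
        return False
    if e["tos"] is not None and pkt["tos"] != e["tos"]:
        return False
    return True


def acl_action(entries, pkt):
    """First matching entry wins; no match at all means the implicit deny applies."""
    for e in entries:
        if matches(e, pkt):
            return e["action"]
    return "deny"


# The page's access lists 103 and 104, transcribed as structured entries.
ACL_103 = [
    entry("deny", "tcp", "209.157.21.0/24", "209.157.22.0/24", precedence="internet"),
    entry("deny", "tcp", "209.157.21.0/24", "209.157.22.0/24", src_port="ftp", precedence=6),
    entry("permit", "ip", "any", "any"),
]
ACL_104 = [
    entry("deny", "tcp", "209.157.21.0/24", "209.157.22.0/24", tos="normal"),
    entry("deny", "tcp", "209.157.21.0/24", "209.157.22.0/24", src_port="ftp", tos=13),
    entry("permit", "ip", "any", "any"),
]


def pkt(proto, src, dst, sport=None, precedence=0, tos=0):
    """Constructed sample packet; addresses and fields are illustrative only."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "precedence": precedence, "tos": tos}


if __name__ == "__main__":
    print("tos 13 =", tos_names(13))
    print(acl_action(ACL_103, pkt("tcp", "209.157.21.5", "209.157.22.9", precedence=6)))
    print(acl_action(ACL_103, pkt("tcp", "209.157.21.5", "209.157.22.9")))
    # Dropping the final permit shows the implicit deny hitting unrelated traffic.
    print(acl_action(ACL_103[:2], pkt("udp", "10.0.0.1", "10.0.0.2")))
```

The third-from-last print evaluates the ACL with its "permit ip any any" entry removed: a UDP packet between unrelated hosts is denied purely by the implicit deny, which is the behaviour the text warns about.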