Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S6000 ON

281

282

283

284

285

286

287

288

289

290

traversing through the ingress and egress interfaces are examined and, appropriate ACLs can be applied in both

the ingress and egress direction. Flow-based monitoring conserves bandwidth by monitoring only specified traffic

instead all traffic on the interface. This feature is particularly useful when looking for malicious traffic. It is available

for Layer 2 and Layer 3 ingress and egress traffic. You may specify traffic using standard or extended access-lists.

This mechanism copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port.

The source port is the monitored port (MD) and the destination port is the monitoring port (MG).

permit tcp (for IPv6 ACLs)

Configure a filter to pass TCP packets that match the filter criteria.

Syntax

permit tcp {source address mask | any | host ipv6-address} [operator port

[port]] {destination address | any | host ipv6-address} [bit] [operator port

[port]] [ttl operator] [count [byte]] [log [interval minutes] [threshold-in-

msgs [count]] [monitor]

To remove this filter, you have two choices:

• Use the no seq sequence-number command if you know the filter’s sequence number.

• Use the no permit tcp {source address mask | any | host ipv6-address}

{destination address | any | host ipv6-address} command.

Parameters

source address

mask

Enter a network mask in /prefix format (/x).

any Enter the keyword any to specify that all routes are subject to the filter.

host

ipv6-address

Enter the keyword host then the IP address to specify a host IP address.

destination

address

Enter the IPv6 address of the network or host to which the packets are sent.

bit

Enter a flag or combination of bits:

• ack: acknowledgement field

• fin: finish (no more data from the user)

• psh: push function

• rst: reset the connection

• syn: synchronize sequence numbers

• urg: urgent field

• established: datagram of established TCP session

Use the established flag to match only ACK and RST flags of established TCP

session.

You cannot use established along with the other control flags

While using the established flag in an ACL rule, all the other TCP control flags are

masked, to avoid redundant TCP control flags configuration in a single rule. When you use

any TCP control flag in an ACL rule,

established is masked and other control flags are

available.

operator

(OPTIONAL) Enter one of the following logical operand:

• eq = equal to

• neq = not equal to

• gt = greater than

• lt = less than

• range = inclusive range of ports (you must specify two ports for the port parameter)

port port

Enter the application layer port number. Enter two port numbers if you are using the

range logical operand. The range is from 0 to 65535.

The following list includes some common TCP port numbers:

286 Access Control Lists (ACL)