Specifications
Command Line Interface
Masks for Access Control Lists
You can specify optional masks that control the order in which ACL rules are
checked. The switch includes two system default masks that pass/filter packets
matching the permit/deny rules specified in an ingress ACL. You can also
configure up to seven user-defined masks for an ACL. A mask must be bound
exclusively to one of the basic ACL types (i.e., Ingress IP ACL, Egress IP ACL,
Ingress MAC ACL or Egress MAC ACL), but a mask can be bound to up to four
ACLs of the same type.
IP ACLs
Table 3-36 Access Control List Commands

| Command Groups | Function | Page |
|---|---|---|
| IP ACLs | Configures ACLs based on IP addresses, TCP/UDP port number, protocol type, and TCP control code | 3-68 |
| MAC ACLs | Configures ACLs based on hardware addresses, packet format, and Ethernet type | 3-82 |
| ACL Information | Displays ACLs and associated rules; shows ACLs assigned to each port | 3-91 |
Table 3-37 IP ACL Commands

| Command | Function | Mode | Page |
|---|---|---|---|
| access-list ip | Creates an IP ACL and enters configuration mode | GC | 3-69 |
| permit, deny | Filters packets matching a specified source IP address | STD-ACL | 3-70 |
| permit, deny | Filters packets meeting the specified criteria, including source and destination IP address, TCP/UDP port number, protocol type, and TCP control code | EXT-ACL | 3-71 |
| show ip access-list | Displays the rules for configured IP ACLs | PE | 3-73 |
| access-list ip mask-precedence | Changes to the mode for configuring access control masks | GC | 3-73 |
| mask | Sets a precedence mask for the ACL rules | IP-Mask | 3-74 |
| show access-list ip mask-precedence | Shows the ingress or egress rule masks for IP ACLs | PE | 3-77 |
| ip access-group | Adds a port to an IP ACL | IC | 3-78 |
| show ip access-group | Shows port assignments for IP ACLs | PE | 3-78 |
| map access-list ip | Sets the CoS value and corresponding output queue for packets matching an ACL rule | IC | 3-79 |
| show map access-list ip | Shows CoS value mapped to an access list for an interface | PE | 3-80 |
| match access-list ip | Changes the 802.1p priority, IP Precedence, or DSCP Priority of a frame matching the defined rule (i.e., also called packet marking) | IC | 3-80 |
| show marking | Displays the current configuration for packet marking | PE | 3-81 |










