Foundry NetIron M2404C and M2404F Metro Access Switches
Configuring ACLs (Rev. 03)
Overview
© 2008 Foundry Networks, Inc
Page 26 of 50
DESTINATION-WILDCARD
(Optional). Wildcard bits to be applied to the destination. There are two ways to specify the destination wildcard:
1. Use a 32-bit quantity in 4-part dotted-decimal format. Place ones in the bit positions that need to be ignored. Note that this is the inverse of a subnet mask: 0.0.0.0 matches only the exact address, while 0.0.0.255 matches any address in the same /24.
2. Use /M to describe the IP mask.
igmp-type
(Optional). IGMP packets can be filtered by IGMP message type. A message type is a number from 0 to 255 (see Table 12 for valid literal values).
Table 12: Valid IGMP Type Literal Values

Valid Literal Value      Description                  Value
membership-query         IGMP Membership Query        17
membership-report        IGMPv1 Membership Report     18
membership-report-v2     IGMPv2 Membership Report     22
leave-group-v2           IGMPv2 Leave Group           23
membership-report-v3     IGMPv3 Membership Report     34
Example
The following ACL allows the host with IP address 198.0.2.1, connected to the device through port 1/1/2, to send IGMP membership-report packets for multicast group 224.1.1.1. All other packets entering through that interface are blocked by the implicit deny at the end of the ACL and are not learned by IGMP snooping. Note that the membership-report literal matches only IGMPv1 reports (type 18, see Table 12); if the host sends IGMPv2 or IGMPv3 reports, add entries with membership-report-v2 or membership-report-v3 as well.

device-name(config)# access-list 300 permit igmp host 198.0.2.1 host 224.1.1.1 membership-report
device-name(config)# interface 1/1/2
device-name(config-in 1/1/2)# ip access-list 300
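To check what an entry of this form actually admits before applying it to an interface, the following added example (not Foundry code, and not something that runs on the switch) models the matching rules described on this page: the two wildcard forms (dotted-decimal with ones in the ignored bits, and /M), the Table 12 literals or a numeric igmp-type, first-match evaluation, and the implicit deny after the last entry. It assumes a source or destination is written as host A.B.C.D, as A.B.C.D WILDCARD, or as A.B.C.D/M (the attached-prefix spelling is an assumption); the ACL 301 entries and the packets fed to it are constructed test data. It goes beyond the page's single example by evaluating multi-entry lists, which shows that the example above drops an IGMPv2 report (type 22) from the same host.

```python
"""Offline matcher for extended IP ACL entries of the form shown on this
page (access-list N {permit|deny} igmp SRC DST [igmp-type]).

Added example; it is not Foundry code and does not run on the switch.  It
models first-match evaluation with the implicit deny after the last entry,
both wildcard forms (dotted-decimal 'ones are ignored' and /M) and the
Table 12 literals.  Assumptions: a source/destination is written
'host A.B.C.D', 'A.B.C.D WILDCARD' or 'A.B.C.D/M'; packets below are
constructed test data.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Table 12 literal -> IGMP message type number
IGMP_TYPES = {
    "membership-query": 17,
    "membership-report": 18,      # IGMPv1 report only
    "membership-report-v2": 22,
    "leave-group-v2": 23,
    "membership-report-v3": 34,
}


def wildcard_to_int(wild):
    """Return the wildcard as a 32-bit int whose set bits mean 'ignore'.

    Accepts dotted-decimal (0.0.0.255) or prefix length (/24); the /M form
    is turned into the inverse of the corresponding netmask.
    """
    if wild.startswith("/"):
        prefix = int(wild[1:])
        if not 0 <= prefix <= 32:
            raise ValueError("prefix length out of range: %s" % wild)
        netmask = (ALL_ONES << (32 - prefix)) & ALL_ONES
        return netmask ^ ALL_ONES
    return int(ipaddress.IPv4Address(wild))


def addr_matches(pkt_addr, acl_addr, wild):
    """True when pkt_addr equals acl_addr in every bit the wildcard keeps."""
    keep = wildcard_to_int(wild) ^ ALL_ONES
    return (int(ipaddress.IPv4Address(pkt_addr)) & keep) == (
        int(ipaddress.IPv4Address(acl_addr)) & keep)


def parse_entry(line):
    """Parse one 'access-list N {permit|deny} igmp SRC DST [igmp-type]' line."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "igmp":
        raise ValueError("unsupported entry: %r" % line)
    if tok[2] not in ("permit", "deny"):
        raise ValueError("bad action in: %r" % line)
    entry = {"acl": int(tok[1]), "action": tok[2]}
    i = 4
    for side in ("src", "dst"):
        if tok[i] == "host":                    # exact address, wildcard 0.0.0.0
            entry[side] = (tok[i + 1], "0.0.0.0")
            i += 2
        elif "/" in tok[i]:                     # A.B.C.D/M (assumed spelling)
            addr, prefix = tok[i].split("/", 1)
            entry[side] = (addr, "/" + prefix)
            i += 1
        else:                                   # A.B.C.D WILDCARD
            entry[side] = (tok[i], tok[i + 1])
            i += 2
    entry["igmp_type"] = None                   # None = any IGMP type
    if i < len(tok):
        t = tok[i]
        entry["igmp_type"] = IGMP_TYPES[t] if t in IGMP_TYPES else int(t)
        if not 0 <= entry["igmp_type"] <= 255:
            raise ValueError("igmp-type out of range in: %r" % line)
    return entry


def evaluate(acl_lines, src, dst, igmp_type):
    """Return 'permit' or 'deny' for an IGMP packet (src, dst, type number).

    Entries are checked in order and the first match decides; a packet that
    matches none of them hits the implicit deny.
    """
    for e in (parse_entry(l) for l in acl_lines):
        if (addr_matches(src, *e["src"]) and addr_matches(dst, *e["dst"])
                and e["igmp_type"] in (None, igmp_type)):
            return e["action"]
    return "deny"


# The ACL from the example above, plus a constructed two-entry ACL.
ACL_300 = ["access-list 300 permit igmp host 198.0.2.1 host 224.1.1.1 membership-report"]
ACL_301 = [
    "access-list 301 deny igmp host 198.0.2.9 224.0.0.0 15.255.255.255",
    "access-list 301 permit igmp 198.0.2.0/24 224.0.0.0 15.255.255.255",
]

if __name__ == "__main__":
    for pkt in [("198.0.2.1", "224.1.1.1", 18), ("198.0.2.1", "224.1.1.1", 22)]:
        print(pkt, "->", evaluate(ACL_300, *pkt))
```

Running it shows the IGMPv1 report permitted and the IGMPv2 report from the same host denied, which is why a host that has moved to IGMPv2 or IGMPv3 silently stops joining groups behind such an ACL.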
Creating an Extended MAC ACL
The access-list command, in Global Configuration mode, creates an extended MAC ACL. The no form of this command removes the specified ACL.
In order to distinguish MAC extended ACLs from other types of Access Control Lists, MAC extended ACLs are created with acl-number values in the range 400 to 499.
Command Syntax
device-name(config)# access-list <acl-number> {deny | permit} SOURCE-MAC SOURCE-WILDCARD DESTINATION-MAC DESTINATION-WILDCARD [tos <tos>] [precedence <precedence>] [vpt <priority>] [provider-vlan <vlan-id> <wildcard mask>] [vlan <vlan-id> <wildcard mask>] [untagged] [unknown-unicast | multicast | broadcast | known-unicast <port-list>] [provider-vpt <priority>]
device-name(config)# no access-list <acl-number>