Rule-Based IP Access Control Lists (ACLs)
December 2005
© Foundry Networks, Inc.
12 - 21
NOTE: You must save the configuration and reload the software to place the change into effect.
Syntax: [no] enable acl-per-port-per-vlan
Enter the no form of the command to disable this feature.
Applying an ACL to Specific VLAN Members on a Port (Layer 2 Devices Only)
When you bind an ACL to a port, the port filters all inbound traffic on the port. However, on a tagged port, there
may be a need to treat packets for one VLAN differently from packets for another VLAN. Starting with release
02.3.03, you can configure a tagged port on a Layer 2 device to filter packets based on the packets’ VLAN
membership.
NOTE: Before you can bind an ACL to specific VLAN members on a port, you must first enable support for this
feature. If this feature is not already enabled on your device, enable it as instructed in the section “Enabling ACL
Filtering Based on VLAN Membership or VE Port Membership” on page 12-20.
To apply an ACL to a specific VLAN on a port, enter commands such as the following on a tagged port:
FESX424 Switch(config)# vlan 12 name vlan12
FESX424 Switch(config-vlan-12)# untag ethernet 5 to 8
FESX424 Switch(config-vlan-12)# tag ethernet 23 to 24
FESX424 Switch(config-vlan-12)# exit
FESX424 Switch(config)# access-list 10 deny host 209.157.22.26 log
FESX424 Switch(config)# access-list 10 deny 209.157.29.12 log
FESX424 Switch(config)# access-list 10 deny host IPHost1 log
FESX424 Switch(config)# access-list 10 permit any
FESX424 Switch(config)# int e 23
FESX424 Switch(config-if-e1000-23)# per-vlan 12
FESX424 Switch(config-if-e1000-23-vlan-12)# ip access-group 10 in
The commands in this example configure port-based VLAN 12, adding ports e 5 – 8 as untagged ports and ports
e 23 – 24 as tagged ports. The commands that follow the VLAN configuration define ACL 10. Finally, the last
three commands apply ACL 10 to inbound VLAN 12 traffic on port e 23, which is a member of that VLAN.
Syntax: per-vlan <VLAN ID>
Syntax: [no] ip access-group <ACL ID>
The <VLAN ID> parameter specifies the VLAN name or number to which you will bind the ACL.
The <ACL ID> parameter is the access list name or number.
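As an added example (not part of the Foundry guide), the following Python script checks a list of commands in the form shown above for the two conditions this section states: the acl-per-port-per-vlan feature is enabled, and the port carrying the per-vlan binding is a tagged member of that VLAN. It also checks that the bound ACL is defined in the same script. The names audit and SAMPLE are hypothetical; the input is assumed to be typed commands with the prompts stripped (not running-config output), using numeric VLAN IDs and single port numbers.

```python
import re

# Constructed sample: commands in the form shown on this page, prompts stripped.
# The enable line is deliberately left out so the prerequisite check fires.
SAMPLE = """\
vlan 12 name vlan12
untag ethernet 5 to 8
tag ethernet 23 to 24
exit
access-list 10 deny host 209.157.22.26 log
access-list 10 permit any
int e 23
per-vlan 12
ip access-group 10 in
"""

def audit(commands):
    """Return findings for per-VLAN ACL bindings in a command script."""
    enabled, acls, tagged, bindings = False, set(), {}, []
    vlan = port = pvlan = None
    for line in (l.strip() for l in commands.splitlines()):
        if line == "enable acl-per-port-per-vlan":
            enabled = True
        elif m := re.match(r"vlan (\d+)", line):
            vlan, port = m.group(1), None
        elif m := re.match(r"tag ethernet (\d+)(?: to (\d+))?$", line):
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            tagged.setdefault(vlan, set()).update(range(lo, hi + 1))
        elif m := re.match(r"access-list (\S+) (?:deny|permit)", line):
            acls.add(m.group(1))
        elif m := re.match(r"int(?:erface)? e(?:thernet)? ?(\d+)$", line):
            port, pvlan, vlan = int(m.group(1)), None, None
        elif m := re.match(r"per-vlan (\S+)$", line):
            pvlan = m.group(1)
        elif (m := re.match(r"ip access-group (\S+)", line)) and pvlan:
            bindings.append((port, pvlan, m.group(1)))
    findings = []
    if bindings and not enabled:
        findings.append("per-vlan binding present but acl-per-port-per-vlan not enabled")
    for port, v, acl in bindings:
        if port not in tagged.get(v, set()):
            findings.append(f"port {port} is not a tagged member of VLAN {v}")
        if acl not in acls:
            findings.append(f"ACL {acl} bound on port {port} VLAN {v} is not defined")
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("FINDING:", f)
```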
Applying an ACL to a Subset of Ports on a Virtual Interface (Layer 3 Devices Only)
You can apply an ACL to a virtual routing interface. The virtual interface is used for routing between VLANs and
contains all the ports within the VLAN. The ACL applies to all the ports on the virtual routing interface. Starting
with release 02.3.03, you also can specify a subset of ports within the VLAN containing a specified virtual interface
when assigning an ACL to that virtual interface.
Use this feature when you do not want the ACLs to apply to all the ports in the virtual interface’s VLAN or when
you want to streamline ACL performance for the VLAN.
NOTE: Before you can bind an ACL to specific ports on a virtual interface, you must first enable support for this
feature. If this feature is not already enabled on your device, enable it as instructed in the section “Enabling ACL
Filtering Based on VLAN Membership or VE Port Membership” on page 12-20.
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following:
FastIron SuperX Router(config)# vlan 10 name IP-subnet-vlan
FastIron SuperX Router(config-vlan-10)# untag ethernet 1/1 to 2/12