Configuring the ECN330-switch
1771553-KDU 137 365 Uen D 2006-06-16
CLI – The following commands create a VLAN access map called vlanMAP1,
set the match criteria to an IP ACL called ipACL1, set the action to forward
matching packets, and then bind the VLAN ACL to VLANs 2 and 3.
6.6.5 Configuring VLAN ACL Masks
Masks must be specified that control the order in which ACL rules are checked.
For example, the order in which the rules shown in Figure 57 on page 163 are
checked depends on the mask settings. ACL rules matching the first entry in the
mask are checked first. Rules matching subsequent entries in the mask are then
checked in the specified order.
The ECN330-switch includes two system default masks that pass/filter packets
matching the permit/deny rules specified in ingress IP ACLs or ingress MAC
ACLs.
Command Usage
• Up to seven entries can be assigned to an ACL mask.
• Packets entering a VLAN member port are checked against all the rules
in the ACL until a match is found. The order in which these packets are
checked is determined by the mask, and not the order in which the ACL
rules are entered.
• A mask must be configured for a VLAN access map before it can be
bound to a VLAN or the queue or frame priorities associated with the
rule set. Otherwise, any attempt to bind the access map to a VLAN will
fail.
• The VLAN ID field is not specified in IP or MAC masks used for VLAN
ACLs. The ECN330-switch automatically appends the VID field for
these masks when the VLAN ACL is bound to an interface.
• When an ACL port binding is removed, the ECN330-switch removes the
mask settings from the ASIC but keeps this information in RAM. When
creating a VLAN mask, the ECN330-switch first checks whether there
Console(config)#vlan access-map vlanMAP1
Console(config-access-map)#match ip address ipACL1
Console(config-access-map)#action forward
Console(config-access-map)#exit
Console(config)#vlan filter vlanMAP1 vlan-lists 2-3
Console(config)#
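The mask-ordering rule from section 6.6.5 (check order follows the mask, not the order in which rules were entered), as an added Python model that is not ECN330 code and not part of the original manual. It assumes a rule "matches" a mask entry when its source prefix length equals that entry, and that rules under the same entry are checked in entry order; the addresses and rules are constructed.

```python
import ipaddress

MAX_MASK_ENTRIES = 7  # "Up to seven entries can be assigned to an ACL mask"


def evaluate(packet_src, rules, mask):
    """Return (action, network) of the first rule hit, or None if nothing matches.

    rules: list of (action, source network) in the order they were entered.
    mask:  ordered list of source prefix lengths (simplified stand-in for
           mask entries; assumption, not the switch's real mask format).
    """
    if len(mask) > MAX_MASK_ENTRIES:
        raise ValueError("an ACL mask holds at most seven entries")
    src = ipaddress.ip_address(packet_src)
    for prefix_len in mask:              # mask order decides the check order
        for action, net in rules:        # assumed: entry order within one mask entry
            network = ipaddress.ip_network(net)
            if network.prefixlen == prefix_len and src in network:
                return action, net       # first match ends the search
    return None


# Constructed sample ACL, entered with the host-specific deny first.
RULES = [
    ("deny", "10.1.1.5/32"),
    ("permit", "10.1.1.0/24"),
]

if __name__ == "__main__":
    # Host mask first: the deny for 10.1.1.5 is reached before the subnet permit.
    print([32, 24], evaluate("10.1.1.5", RULES, [32, 24]))
    # Subnet mask first: the permit shadows the deny although the deny was entered first.
    print([24, 32], evaluate("10.1.1.5", RULES, [24, 32]))
```

When reviewing a VLAN ACL, read the mask order alongside the rule list: a broad permit under an earlier mask entry can shadow a narrower deny that appears first in the ACL.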