
Foundry Networks FESX User Manual

Foundry Networks FESX
820 pages
Foundry Configuration Guide for the FESX, FSX, and FWSX
12 - 18 © Foundry Networks, Inc. December 2005
The dscp-marking option enables you to configure an ACL that marks matching packets with a specified DSCP
value. Enter a value from 0 – 63. See “Using an IP ACL to Mark DSCP Values (DSCP Marking)” on page 12-23.
The dscp-matching option matches on the packet’s DSCP value. Enter a value from 0 – 63. This option does not
change the packet’s forwarding priority through the device or mark the packet. See “DSCP Matching” on page 12-24.
The log parameter enables SNMP traps and Syslog messages for packets denied by the ACL.
You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use.
To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The
software replaces the ACL or filter command with the new one. The new ACL or filter, with logging enabled, takes
effect immediately.
The traffic-policy option enables the device to rate limit inbound traffic and to count the packets and bytes per
packet to which ACL permit or deny clauses are applied. For configuration procedures and examples, see the
chapter “Traffic Policies” on page 15-1.
Configuration Example for Extended Named ACLs
To configure an extended named ACL, enter commands such as the following.
FastIron SuperX Router(config)# ip access-list extended "block Telnet"
FastIron SuperX Router(config-ext-nacl)# deny tcp host 209.157.22.26 any eq telnet log
FastIron SuperX Router(config-ext-nacl)# permit ip any any
FastIron SuperX Router(config-ext-nacl)# exit
FastIron SuperX Router(config)# int eth 1/1
FastIron SuperX Router(config-if-1/1)# ip access-group "block Telnet" in
The options at the ACL configuration level and the syntax for the ip access-group command are the same for
numbered and named ACLs and are described in “Configuring Extended Numbered ACLs” on page 12-8 and
“Configuring Extended Named ACLs” on page 12-13.
Adding a Comment to an ACL Entry
You can optionally add comment text to describe entries in an ACL. The comment text appears in the output of
show commands that display ACL information.
For example, the following commands add comments to entries in a numbered ACL, ACL 100:
FESX424 Router(config)# access-list 100 remark The following line permits TCP packets
FESX424 Router(config)# access-list 100 permit tcp 192.168.4.40/24 2.2.2.2/24
FESX424 Router(config)# access-list 100 remark The following permits UDP packets
FESX424 Router(config)# access-list 100 permit udp 192.168.2.52/24 2.2.2.2/24
FESX424 Router(config)# access-list 100 deny ip any any
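
The following audit script is an added example, not part of the Foundry manual or its software. It pairs each remark with the ACL entry it documents and lists deny entries that lack the log parameter, so their drops produce no SNMP trap or Syslog message. It assumes saved config text containing only the numbered-ACL forms shown above (remark, or permit/deny with a protocol and two any or address/prefix fields) and assumes entries are evaluated in order with the first match applied. The function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the numbered ACL 100 from this page, as saved config text.
SAMPLE_CONFIG = """\
access-list 100 remark The following line permits TCP packets
access-list 100 permit tcp 192.168.4.40/24 2.2.2.2/24
access-list 100 remark The following permits UDP packets
access-list 100 permit udp 192.168.2.52/24 2.2.2.2/24
access-list 100 deny ip any any
"""
LINE = re.compile(r"^access-list\s+(\d+)\s+(remark|permit|deny)\s+(.+)$")

def _net(token):
    # "any" or address/prefix; host bits are ignored, as in 192.168.4.40/24.
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)

def parse_acl(text):
    """Parse entries in order, attaching each remark to the entry that follows it."""
    entries, remarks = [], []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a numbered-ACL line in the form handled here
        acl, action, rest = m.groups()
        if action == "remark":
            remarks.append(rest)
            continue
        tokens = rest.split()
        logged = tokens[-1] == "log"
        proto, src, dst = tokens[:3]
        entries.append({"acl": int(acl), "action": action, "proto": proto,
                        "src": _net(src), "dst": _net(dst), "log": logged,
                        "remark": " ".join(remarks) or None})
        remarks = []
    return entries

def first_match(entries, proto, src_ip, dst_ip):
    """Return the first entry matching the packet, or None (assumed first-match order)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if e["proto"] in ("ip", proto) and src in e["src"] and dst in e["dst"]:
            return e
    return None

def unlogged_denies(entries):
    """Deny entries without the log parameter: drops here raise no trap or Syslog message."""
    return [e for e in entries if e["action"] == "deny" and not e["log"]]
```

Against the sample, the final deny ip any any entry is reported as unlogged. Re-entering that line with log at the end, as described above, clears the finding.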
