
Foundry Networks FESX User Manual

Foundry Networks FESX
820 pages
Foundry Configuration Guide for the FESX, FSX, and FWSX
12 - 22 © Foundry Networks, Inc. December 2005
FastIron SuperX Router(config-vlan-10)# router-interface ve 1
FastIron SuperX Router(config-vlan-10)# exit
FastIron SuperX Router(config)# access-list 1 deny host 209.157.22.26 log
FastIron SuperX Router(config)# access-list 1 deny 209.157.29.12 log
FastIron SuperX Router(config)# access-list 1 deny host IPHost1 log
FastIron SuperX Router(config)# access-list 1 permit any
FastIron SuperX Router(config)# interface ve 1
FastIron SuperX Router(config-vif-1)# ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4
The commands in this example configure port-based VLAN 10, add ports 1/1 – 2/12 to the VLAN, and add virtual
routing interface 1 to the VLAN. The commands following the VLAN configuration commands configure ACL 1.
Finally, the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1.
Syntax: [no] ip access-group <ACL ID> in ethernet <slotnum>/<portnum> [to <slotnum>/<portnum>]
The <ACL ID> parameter is the access list name or number.
The <slotnum> parameter applies on chassis devices only. It does not apply on FESX devices.
Filtering on IP Precedence and ToS Values
To configure an extended IP ACL that matches based on IP precedence, enter commands such as the following:
FESX424 Router(config)# access-list 103 deny tcp 209.157.21.0/24 209.157.22.0/24 precedence internet
FESX424 Router(config)# access-list 103 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 precedence 6
FESX424 Router(config)# access-list 103 permit ip any any
The first entry in this ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP precedence option “internet” (equivalent to “6”).
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP precedence value “6” (equivalent to “internet”).
The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
To configure an IP ACL that matches based on ToS, enter commands such as the following:
FESX424 Router(config)# access-list 104 deny tcp 209.157.21.0/24 209.157.22.0/24 tos normal
FESX424 Router(config)# access-list 104 deny tcp 209.157.21.0/24 eq ftp 209.157.22.0/24 tos 13
FESX424 Router(config)# access-list 104 permit ip any any
The first entry in this IP ACL denies TCP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP ToS option “normal” (equivalent to “0”).
The second entry denies all FTP traffic from the 209.157.21.x network to the 209.157.22.x network, if the traffic has the IP ToS value “13” (equivalent to “max-throughput”, “min-delay”, and “min-monetary-cost”).
The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
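The matching logic of ACLs 103 and 104 in this section, as an added Python example (not part of the Foundry manual and not device code): it splits the IPv4 ToS byte into precedence (top three bits) and ToS (next four bits, per RFC 1349), then applies first-match evaluation with the implicit deny at the end. The exact-value comparison, the treatment of "eq ftp" as source port 21, and the packet() helper with its field names are assumptions made for illustration.

```python
import ipaddress

# ToS flag values (RFC 1349); the page's "tos 13" is 8 + 4 + 1.
TOS_FLAGS = {"min-delay": 8, "max-throughput": 4,
             "max-reliability": 2, "min-monetary-cost": 1}

def split_tos_byte(tos_byte):
    """Split the IPv4 ToS byte into (precedence, tos): bits 7-5 and bits 4-1."""
    return tos_byte >> 5, (tos_byte >> 1) & 0x0F

def tos_names(tos):
    """Name the flags set in a 4-bit ToS value; 0 is 'normal'."""
    return [n for n, bit in TOS_FLAGS.items() if tos & bit] or ["normal"]

SRC = ipaddress.ip_network("209.157.21.0/24")
DST = ipaddress.ip_network("209.157.22.0/24")
PERMIT_ANY = ("permit", "ip", None, None, None, None, None)

# (action, protocol, source, source port, destination, field, value)
# "eq ftp" follows the source address, so it is modeled as source port 21 (assumption).
ACL_103 = [("deny", "tcp", SRC, None, DST, "precedence", 6),
           ("deny", "tcp", SRC, 21, DST, "precedence", 6),
           PERMIT_ANY]
ACL_104 = [("deny", "tcp", SRC, None, DST, "tos", 0),
           ("deny", "tcp", SRC, 21, DST, "tos", 13),
           PERMIT_ANY]

def evaluate(acl, pkt):
    """Return the action of the first matching entry, or the implicit deny."""
    prec, tos = split_tos_byte(pkt["tos_byte"])
    fields = {"precedence": prec, "tos": tos}
    for action, proto, src, sport, dst, field, value in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if src is not None and ipaddress.ip_address(pkt["src"]) not in src:
            continue
        if dst is not None and ipaddress.ip_address(pkt["dst"]) not in dst:
            continue
        if sport is not None and pkt["sport"] != sport:
            continue
        if field is not None and fields[field] != value:  # assumed exact match
            continue
        return action
    return "deny"

def packet(tos_byte, sport=40000, proto="tcp"):
    """Constructed sample packet between the two networks on the page."""
    return {"proto": proto, "src": "209.157.21.5", "dst": "209.157.22.9",
            "sport": sport, "tos_byte": tos_byte}
```

For instance, evaluate(ACL_104[:-1], packet(0x1A)) returns "deny": with the final permit entry removed, a packet that matches neither deny entry still falls through to the implicit deny.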
