Foundry Switch and Router Installation and Configuration Guide
13 - 22 December 2000
NOTE: Do not place other commands in the file. The Foundry device reads only the ACL information in the file
and ignores other commands, including ip access-group commands. To assign ACLs to interfaces, use the CLI.
Applying an ACL to a Subset of Ports on a Virtual Interface
You can apply an ACL to a virtual routing interface. The virtual interface is used for routing between VLANs and
contains all the ports within the VLAN. If the ACL is for the inbound traffic direction, you also can specify a subset
of ports within the VLAN containing a specified virtual interface when assigning an ACL to that virtual interface.
Use this feature when you do not want the ACLs to apply to all the ports in the virtual interface’s VLAN or when
you want to streamline ACL performance for the VLAN.
NOTE: This feature applies only to a virtual interface’s inbound direction. You cannot use this feature to specify
a subset of ports for a virtual interface’s outbound direction.
To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following:
BigIron(config)# vlan 10 name IP-subnet-vlan
BigIron(config-vlan-10)# untag ethernet 1/1 to 2/12
BigIron(config-vlan-10)# router-interface ve 1
BigIron(config-vlan-10)# exit
BigIron(config)# access-list 1 deny host 209.157.22.26 log
BigIron(config)# access-list 1 deny 209.157.29.12 log
BigIron(config)# access-list 1 deny host IPHost1 log
BigIron(config)# access-list 1 permit any
BigIron(config)# interface ve 1
BigIron(config-vif-1)# ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4
The commands in this example configure port-based VLAN 10, add ports 1/1 – 2/12 to the VLAN, and add virtual
routing interface 1 to the VLAN. The commands following the VLAN configuration commands configure ACL 1.
Finally, the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1.
Syntax: [no] ip access-group <num> in ethernet <portnum> [<portnum>...] to <portnum>
Enabling Strict TCP or UDP Mode
By default, when you use ACLs to filter TCP or UDP traffic, the Foundry device does not compare all TCP or UDP
packets against the ACLs.
• TCP – By default, the device compares TCP control packets against the ACLs, but not data packets. Control
packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset)
packets.
• UDP – By default, the device compares the source and destination information against entries in the session
table. The session table contains forwarding entries based on Layer 3 and Layer 4 information.
    • If the session table contains a matching entry, the device forwards the packet, assuming that the first
    packet the device received that contains the same address information was permitted by the ACLs.
    • If the session table does not contain a matching entry, the device sends the packet to the CPU, where
    the software compares the packet against the ACLs. If the ACLs permit the packet (explicitly by a permit
    ACL entry or implicitly by the absence of a deny ACL entry), the CPU creates a session table entry for
    the packet’s forwarding information and forwards the packet.
For tighter access or forwarding control, you can enable the device to perform strict TCP or UDP ACL processing.
Strict ACL processing causes every TCP or UDP packet to go to the CPU for examination. The following sections
describe the strict modes in more detail.
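The following is an added Python model, not code from the Foundry guide, of the default versus strict processing just described: in default mode TCP data packets bypass the ACL and a UDP flow is compared against the ACL only until the CPU installs a session table entry, while strict mode compares every packet. It assumes ACL 1 from the example above with first-match semantics and implicit deny; the "host IPHost1" entry is left out because the page does not give that host's address, and the session table is keyed on a constructed address/port tuple.

```python
from ipaddress import ip_address, ip_network

# ACL 1 from the page as (action, source match) pairs; first match wins and
# an unmatched packet is denied. The "host IPHost1" entry is omitted because
# the page does not give that host's address.
ACL_1 = [
    ("deny", "209.157.22.26/32"),
    ("deny", "209.157.29.12/32"),
    ("permit", "0.0.0.0/0"),   # permit any
]

CONTROL_FLAGS = {"SYN", "FIN", "RST"}  # the TCP packets checked by default


def acl_permits(acl, src_ip):
    """True if the first entry matching src_ip is a permit."""
    for action, net in acl:
        if ip_address(src_ip) in ip_network(net):
            return action == "permit"
    return False


class AclFilter:
    """Constructed model of default vs strict TCP/UDP ACL processing."""

    def __init__(self, acl, strict=False):
        self.acl = acl
        self.strict = strict
        self.sessions = set()   # L3/L4 forwarding entries (session table)
        self.cpu_checks = 0     # packets actually compared against the ACL

    def _check(self, src):
        self.cpu_checks += 1
        return "forward" if acl_permits(self.acl, src) else "drop"

    def tcp(self, src, flags):
        """flags: set of flag names, e.g. {"SYN"} or {"ACK"}."""
        if not self.strict and not (flags & CONTROL_FLAGS):
            return "forward"    # data packet: not compared in default mode
        return self._check(src)

    def udp(self, src, dst, sport, dport):
        key = (src, dst, sport, dport)
        if not self.strict and key in self.sessions:
            return "forward"    # hit in session table: no ACL lookup at all
        verdict = self._check(src)
        if verdict == "forward" and not self.strict:
            self.sessions.add(key)   # CPU installs the forwarding entry
        return verdict
```

Comparing `cpu_checks` for the same traffic with `strict=False` and `strict=True` shows the trade-off the guide describes: strict mode gives tighter control at the cost of sending every TCP or UDP packet to the CPU.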