Configure An Extended Ip Acl - Dell Force10 S4810P Configuration Manual

High-density, 1ru 48-port 10gbe switch

Configure an extended IP ACL

Extended IP ACLs filter on source and destination IP addresses, IP host addresses, TCP addresses, TCP
host addresses, UDP addresses, and UDP host addresses.
Because traffic passes through the filters in the order of their sequence numbers, you configure the
extended IP ACL by first entering the IP ACCESS LIST mode and then assigning a sequence number to each filter.
Note: On E-Series ExaScale systems, TCP ACL flags are not supported in an extended ACL with IPv6
microcode. An error message is shown if IPv6 microcode is configured and an ACL is entered with a TCP
filter included.
FTOS(conf-ipv6-acl)#seq 8 permit tcp any any urg
May 5 08:32:34: %E90MJ:0 %ACL_AGENT-2-ACL_AGENT_ENTRY_ERROR: Unable to write seq 8 of list test as individual TCP flags are not supported on linecard 0
Configure filters with sequence number
To create a filter for packets with a specified sequence number, use these commands in the following
sequence, starting in the CONFIGURATION mode:
Step 1
Command Syntax: ip access-list extended access-list-name
Command Mode: CONFIGURATION
Purpose: Enter the IP ACCESS LIST mode by creating an extended IP ACL.

Step 2
Command Syntax: seq sequence-number {deny | permit} {ip-protocol-number | icmp | ip | tcp | udp} {source mask | any | host ip-address} {destination mask | any | host ip-address} [operator port [port]] [count [byte] | log] [order] [monitor] [fragments]
Command Mode: CONFIG-EXT-NACL
Purpose: Configure a drop or forward filter. log and monitor options are supported on E-Series only.

When you use the log keyword, CP processor logs details about the packets that match. Depending on how
many packets match the log entry and at what rate, the CP may become busy as it has to log these packets'
details.
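
The ordering rule described above, as an added example that is not part of the Dell manual: a small Python checker that parses seq lines in the syntax shown, sorts them by sequence number, and reports which filter a packet hits first and which filters carry the log keyword. The sample ACL, the eq operator and the two-token "address /prefix" mask form are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample ACL (not from the manual), entered out of order on purpose.
# Assumption: "source mask" is written as two tokens, e.g. "10.1.1.0 /24".
SAMPLE_ACL = """\
seq 15 deny ip any any log
seq 5 permit tcp 10.1.1.0 /24 host 10.2.2.10 eq 443
seq 10 deny tcp any host 10.2.2.10 eq 22 count
"""

def _addr(tok):
    """Consume 'any', 'host ip-address' or 'address mask' from the token list."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tok.pop(0).lstrip("/"))

def parse_acl(text):
    """Return the filters sorted by sequence number (the order they are applied)."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "seq":
            continue
        rule = {"seq": int(tok[1]), "action": tok[2], "proto": tok[3]}
        tok = tok[4:]
        rule["src"], rule["dst"] = _addr(tok), _addr(tok)
        # Only the 'eq port' operator is handled in this illustration.
        rule["port"] = int(tok[1]) if tok[:1] == ["eq"] else None
        rule["log"] = "log" in tok
        rules.append(rule)
    return sorted(rules, key=lambda r: r["seq"])

def first_match(rules, proto, src, dst, port=None):
    """Return (seq, action) of the first filter that matches, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if src in r["src"] and dst in r["dst"] and r["port"] in (None, port):
            return r["seq"], r["action"]
    return None

def logged_filters(rules):
    """Sequence numbers of filters whose matches the CP has to log."""
    return [r["seq"] for r in rules if r["log"]]
```

Running first_match against representative flows before applying a list shows whether a broad filter with a low sequence number shadows a more specific one, and logged_filters points at the entries that can load the CP when they match at a high rate.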