Tcp Flags - Edge Port Security; Qos Options For Ip Acls - Brocade Communications Systems ICX 6650 Security Configuration Manual

QoS options for IP ACLs

The first entry in this ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x
network, if the traffic has the IP precedence option "internet" (equivalent to "6").
The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network, if
the traffic has the IP precedence value "6" (equivalent to "internet").
The third entry permits all packets that are not explicitly denied by the other entries. Without this
entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the
ACL.
To configure an IP ACL that matches based on ToS, enter commands such as the following.
Brocade(config)# access-list 104 deny tcp 10.157.21.0/24 10.157.22.0/24 tos normal
Brocade(config)# access-list 104 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 tos 13
Brocade(config)# access-list 104 permit ip any any
The first entry in this IP ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x
network, if the traffic has the IP ToS option "normal" (equivalent to "0").
The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network, if
the traffic has the IP ToS value "13" (equivalent to "max-throughput", "min-delay", and
"min-monetary-cost").
The third entry permits all packets that are not explicitly denied by the other entries. Without this
entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the
ACL.
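The ToS numbering and first-match behavior described above, modeled as an added Python example (not code from the Brocade manual). The function names, the RFC 1349 bit values for the individual keywords, the equality comparison on the ToS number, and the sample packets are assumptions made for illustration.

```python
import ipaddress

# ToS bit values per RFC 1349 (assumed to be what the CLI keywords sum to;
# the page itself confirms only 0 = normal and 13 = 8 + 4 + 1).
TOS_BITS = {"min-delay": 8, "max-throughput": 4,
            "max-reliability": 2, "min-monetary-cost": 1}

def tos_names(value):
    """Decode a 0-15 ToS number into the option names it sums."""
    if not 0 <= value <= 15:
        raise ValueError("ToS value must be 0-15")
    return [n for n, bit in TOS_BITS.items() if value & bit] or ["normal"]

def tos_from_byte(tos_byte):
    """4-bit ToS field = bits 4..1 of the IPv4 ToS byte (precedence is 7..5)."""
    return (tos_byte >> 1) & 0x0F

# ACL 104 from the page: (action, proto, src, src_port, dst, tos).
# None means the entry does not test that field; "eq ftp" is source port 21.
ACL_104 = [
    ("deny", "tcp", "10.157.21.0/24", None, "10.157.22.0/24", 0),
    ("deny", "tcp", "10.157.21.0/24", 21, "10.157.22.0/24", 13),
    ("permit", "ip", "0.0.0.0/0", None, "0.0.0.0/0", None),
]

def evaluate(acl, pkt):
    """Return (action, entry_number) for the first entry that matches pkt."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for num, (action, proto, s_net, s_port, d_net, tos) in enumerate(acl, 1):
        if proto not in ("ip", pkt["proto"]):
            continue
        if src not in ipaddress.ip_network(s_net) or dst not in ipaddress.ip_network(d_net):
            continue
        if s_port is not None and pkt.get("sport") != s_port:
            continue
        # Assumption: the ToS number is compared for equality, not as a mask.
        if tos is not None and tos_from_byte(pkt["tos_byte"]) != tos:
            continue
        return action, num
    return "deny", None  # implicit deny: nothing matched

def sample_packet(sport, tos_byte, src="10.157.21.5", dst="10.157.22.9"):
    """Build a constructed TCP test packet (sample data, not from the manual)."""
    return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "tos_byte": tos_byte}

if __name__ == "__main__":
    for p in (sample_packet(40000, 0x00), sample_packet(21, 0x1A), sample_packet(21, 0x10)):
        print(tos_names(tos_from_byte(p["tos_byte"])), p["sport"], evaluate(ACL_104, p))
```

Evaluating `ACL_104[:2]` (the ACL without its final permit entry) against a packet that neither deny entry matches returns the implicit deny, which is the behavior the third entry exists to prevent.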

TCP flags - edge port security

The edge port security feature works in combination with IP ACL rules and can be combined with
other ACL functions (such as dscp-marking and traffic policies), giving you greater flexibility when
designing ACLs.
For details about the edge port security feature, refer to "Using TCP Flags in combination with other
ACL features" on page 61.

QoS options for IP ACLs

Quality of Service (QoS) options enable you to perform QoS for packets that match the ACLs. Using
an ACL to perform QoS is an alternative to directly setting the internal forwarding priority based on
incoming port, VLAN membership, and so on. (This method is described in Brocade ICX 6650
Platform and Layer 2 Switching Configuration Guide.)
The following QoS ACL options are supported:
dscp-cos-mapping – By default, the Brocade device does the 802.1p to CoS mapping.
dscp-marking – Marks the DSCP value in the outgoing packet with the value you specify.
internal-priority-marking and 802.1p-priority-marking – Supported with the DSCP marking
option, these commands assign traffic that matches the ACL to a hardware forwarding queue
(internal-priority-marking), and re-mark the packets that match the ACL with the 802.1p priority
(802.1p-priority-marking).
Brocade ICX 6650 Security Configuration Guide
53-1002601-01
