Brocade Communications Systems 6650 , -,

94 Brocade ICX 6650 Security Configuration Guide

53-1002601-01

Extended numbered ACL configuration

•max-throughput or 4 – The ACL matches packets that have the maximum throughput ToS. The

decimal value for this option is 4.

•min-delay or 8 – The ACL matches packets that have the minimum delay ToS. The decimal

value for this option is 8.

•min-monetary-cost or 1 – The ACL matches packets that have the minimum monetary cost

ToS. The decimal value for this option is 1.

-normal or 0 – The ACL matches packets that have the normal ToS. The decimal value for

this option is 0.

- num – A number from 0 – 15 that is the sum of the numeric values of the options you

want. The ToS field is a four-bit field following the Precedence field in the IP header. You

can specify one or more of the following. To select more than one option, enter the decimal

value that is equivalent to the sum of the numeric values of all the ToS options you want to

select. For example, to select the max-reliability and min-delay options, enter number 10.

To select all options, select 15.

NOTE

The following QoS options are only available if a specific ICMP type is specified and cannot be used

with the any-icmp-type option set for the icmp-type parameter. See “QoS options for IP ACLs” on

page114 for more information on using ACLs to perform QoS.

The 802.1p-priority-matching option inspects the 802.1p bit in the ACL that can be used with

adaptive rate limiting. Enter a value from 0 – 7.

The dscp-cos-mapping option maps the DSCP value in incoming packets to a hardware table that

provides mapping of each of the 0 – 63 DSCP values, and distributes them among eight traffic

classes (internal priorities) and eight 802.1p priorities.

NOTE

The dscp-cos-mapping option overrides port-based priority settings.

NOTE

The dscp-cos-mapping option is not supported for Brocade ICX 6650 devices.

The dscp-marking option enables you to configure an ACL that marks matching packets with a

specified DSCP value. Enter a value from 0 – 63. Refer to “Using an IP ACL to mark DSCP values

(DSCP marking)” on page 115.

The dscp-matching option matches on the packet’s DSCP value. Enter a value from 0 – 63. This

option does not change the packet’s forwarding priority through the device or mark the packet.

Refer to “DSCP matching” on page 117.

The log parameter enables SNMP traps and Syslog messages for inbound packets denied by the

ACL:

•You can enable logging on inbound ACLs and filters that support logging even when the ACLs

and filters are already in use. To do so, re-enter the ACL or filter command and add the log

parameter to the end of the ACL or filter. The software replaces the ACL or filter command with

the new one. The new ACL or filter, with logging enabled, takes effect immediately.

The traffic-policy option enables the device to rate limit inbound traffic and to count the packets

and bytes per packet to which ACL permit or deny clauses are applied. For configuration

procedures and examples, refer to the chapter “ACL-based Rate Limiting” on page141.