Enabling ACL filtering based on VLAN membership or VE port membership

Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only)

NOTE

This section applies to IPv4 ACLs only. IPv6 ACLs do not support ACL filtering based on VLAN membership.

When you bind an IPv4 ACL to a port, the port filters all inbound traffic on the port. However, on a tagged port, there may be a need to treat packets for one VLAN differently from packets for another VLAN. In this case, you can configure a tagged port on a Layer 2 device to filter packets based on the packets’ VLAN membership.

To apply an IPv4 ACL to a specific VLAN on a port, enter commands such as the following.

Brocade(config)# enable ACL-per-port-per-vlan

...

Brocade(config)# vlan 12 name vlan12
Brocade(config-vlan-12)# untag ethernet 1/1/5 to 1/1/8
Brocade(config-vlan-12)# tag ethernet 1/1/23 to 1/1/24
Brocade(config-vlan-12)# exit

Brocade(config)# access-list 10 deny host 10.157.22.26 log
Brocade(config)# access-list 10 deny 10.157.29.12 log
Brocade(config)# access-list 10 deny host IPHost1 log
Brocade(config)# access-list 10 permit
Brocade(config)# interface ethernet 1/1/23
Brocade(config-if-e10000-1/1/23)# per-vlan 12
Brocade(config-if-e10000-1/1/23-vlan-12)# ip access-group 10 in

The commands in this example configure port-based VLAN 12 and add ports e1/1/5 to 1/1/8 as untagged ports and ports e1/1/23 to 1/1/24 as tagged ports to the VLAN. The commands following the VLAN configuration commands configure ACL 10. Finally, the last three commands apply ACL 10 to VLAN 12 on port e1/1/23, which is a member of that VLAN.

Syntax: per-vlan VLAN ID

Syntax: [no] ip access-group ACL ID

The VLAN ID parameter specifies the VLAN name or number to which you will bind the ACL. The ACL ID parameter is the access list name or number.
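The following Python model is an added illustration, not code from the guide or from Brocade, of how a per-port-per-VLAN binding scopes the ACL: only inbound packets on port 1/1/23 that carry the VLAN 12 tag are checked against ACL 10, while the same source on another VLAN of that port, or on untagged member port 1/1/5, is not filtered by this binding at all. The class and function names are assumptions, and the IPHost1 entry is left out because it depends on name resolution.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical model of per-port-per-VLAN IPv4 ACL binding; not vendor code.


@dataclass(frozen=True)
class AclEntry:
    action: str          # "permit" or "deny"
    source: str          # source prefix such as "10.157.22.26/32", or "any"
    log: bool = False    # the "log" keyword on the entry

    def matches(self, src_ip: str) -> bool:
        return self.source == "any" or ip_address(src_ip) in ip_network(self.source)


@dataclass
class Switch:
    acls: dict = field(default_factory=dict)      # ACL id -> [AclEntry, ...]
    bindings: dict = field(default_factory=dict)  # (port, vlan) -> ACL id
    log: list = field(default_factory=list)       # constructed log of denied packets

    def bind_per_vlan(self, port: str, vlan: int, acl_id: int) -> None:
        """Models 'per-vlan <vlan>' followed by 'ip access-group <acl> in' on a port."""
        self.bindings[(port, vlan)] = acl_id

    def filter_inbound(self, port: str, vlan: int, src_ip: str) -> bool:
        """Return True if an inbound packet on port/vlan from src_ip is forwarded."""
        acl_id = self.bindings.get((port, vlan))
        if acl_id is None:
            return True                  # no ACL bound to this port/VLAN pair
        for entry in self.acls[acl_id]:  # first matching entry decides
            if entry.matches(src_ip):
                if entry.log and entry.action == "deny":
                    self.log.append(f"ACL {acl_id} denied {src_ip} on {port} vlan {vlan}")
                return entry.action == "permit"
        return False                     # implicit deny at the end of every ACL


def build_example() -> Switch:
    """Constructed to mirror the page: ACL 10 bound to VLAN 12 on tagged port 1/1/23."""
    sw = Switch()
    sw.acls[10] = [
        AclEntry("deny", "10.157.22.26/32", log=True),
        AclEntry("deny", "10.157.29.12/32", log=True),  # bare address taken as a host
        AclEntry("permit", "any"),
    ]
    sw.bind_per_vlan("1/1/23", 12, 10)
    return sw
```

The last two checks in the test below are the coverage caveat: a per-VLAN binding on one port does not protect the other VLAN member ports, each of which needs its own binding.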

Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only)

NOTE

This section applies to IPv4 ACLs only. IPv6 ACLs do not support ACL filtering based on VE port membership.

You can apply an IPv4 ACL to a virtual routing interface. The virtual interface is used for routing between VLANs and contains all the ports within the VLAN. The IPv4 ACL applies to all the ports on the virtual routing interface. You also can specify a subset of ports within the VLAN containing a specified virtual interface when assigning an ACL to that virtual interface.

Brocade ICX 6650 Security Configuration Guide

53-1002601-01
