Microsoft ES4649, ES4625 manual Binding a Port to an Access Control List, 106, 102, 105

Access Control Lists 3

CLI – This example shows how to create an Ingress MAC ACL and bind it to a port. You can then see that the order of the rules have been changed by the mask.

Console(config-mac-mask-acl)#mask pktformat ff-ff-ff-ff-ff-ff any vid 4-102

Console(config-if)#end Console#show access-list MAC access-list M4:

deny tagged-eth2 host 00-11-11-11-11-11 any vid 3 permit any any

MAC ingress mask ACL:

mask pktformat host any vid Console#

Binding a Port to an Access Control List

After configuring the Access Control Lists (ACL), you should bind them to the ports that need to filter traffic. You can only bind a port to one ACL for each basic type – IP ingress, IP egress, MAC ingress and MAC egress.

Command Usage

•You must configure a mask for an ACL rule before you can bind it to a port.

•This switch supports ACLs for both ingress and egress filtering. However, you can only bind one IP ACL and one MAC ACL to any port for ingress filtering, and one IP ACL and one MAC ACL to any port for egress filtering. In other words, only four ACLs can be bound to an interface – Ingress IP ACL, Egress IP ACL, Ingress MAC ACL and Egress MAC ACL.

•When an ACL is bound to an interface as an egress filter, all entries in the ACL must be deny rules. Otherwise, the bind operation will fail.

•The switch does not support the explicit “deny any any” rule for the egress IP ACL or the egress MAC ACLs. If these rules are included in an ACL, and you attempt to bind the ACL to an interface for egress checking, the bind operation will fail.

Command Attributes

•Port – Fixed port or SFP module. (Range: 1-24)

•IP – Specifies the IP ACL to bind to a port.

•MAC – Specifies the MAC ACL to bind to a port.

•IN – ACL for ingress packets.

•OUT – ACL for egress packets.

•ACL Name – Name of the ACL.

3-87