CLI Guide

ManualsBrandsDell ManualsAccess PlatformsFN IO Module

241

242

243

244

245

246

247

248

249

250

You can activate ow-based monitoring for a monitoring session by entering the flow-based enable

command in the Monitor Session mode. When you enable this capability, trac with particular ows that are

traversing through the ingress and egress interfaces are examined and, appropriate ACLs can be applied in both

the ingress and egress direction. Flow-based monitoring conserves bandwidth by monitoring only specied trac

instead all trac on the interface. This feature is particularly useful when looking for malicious trac. It is available

for Layer 2 and Layer 3 ingress and egress trac. You may specify trac using standard or extended access-lists.

This mechanism copies all incoming or outgoing packets on one port and forwards (mirrors) them to another port.

The source port is the monitored port (MD) and the destination port is the monitoring port (MG).

Related Commands

deny — congures a lter to drop packets.

permit — congures a lter to forward packets.

seq — assigns a sequence number to a deny or permit lter in an IP access list while creating the lter.

seq

Assign a sequence number to a deny or permit lter in an extended IP access list while creating the lter.

Syntax

seq sequence-number {deny | permit} {ipv6-protocol-number | icmp | ip | tcp |

udp} {source mask | any | host ipv6-address} {destination mask | any | host

ipv6-address} [operator port [port]] [count [byte]] [dscp value] [order]

[fragments] [log [interval minutes] [threshold-in-msgs [count]] [monitor]

Parameters

sequence-number Enter a number from 0 to 4294967290. The range is from 1 to 65534.

deny Enter the keyword deny to congure a lter to drop packets meeting this condition.

permit Enter the keyword permit to congure a lter to forward packets meeting this criteria.

ipv6-protocol-

number

Enter a number from 0 to 255 to lter based on the protocol identied in the IP protocol

header.

icmp Enter the keyword icmp to congure an ICMP access list lter.

ip Enter the keyword ip to congure a generic IP access list. The keyword ip species that

the access list permits all IP protocols.

tcp Enter the keyword tcp to congure a TCP access list lter.

udp Enter the keyword udp to congure a UDP access list lter.

source Enter an IP address in dotted decimal format of the network from which the packet was

received.

mask (OPTIONAL) Enter a network mask in /prex format (/x) or A.B.C.D. The mask, when

specied in A.B.C.D format, may be either contiguous or non-contiguous.

any Enter the keyword any to specify that all routes are subject to the lter.

host ipv6-address Enter the keyword host and then enter the IPv6 address to specify a host IP address or

hostname.

operator (OPTIONAL) Enter one of the following logical operands:

• eq = equal to

• neq = not equal to

• gt = greater than

246 Access Control Lists (ACL)