CLI Guide

ManualsBrandsDell ManualsAccess PlatformsFN IO Module

261

262

263

264

265

266

267

268

269

270

You can activate flow-based monitoring for a monitoring session by entering the

flow-based enable command in the Monitor Session mode. When you enable

this capability, traffic with particular flows that are traversing through the ingress

and egress interfaces are examined and, appropriate ACLs can be applied in both

the ingress and egress direction. Flow-based monitoring conserves bandwidth by

monitoring only specified traffic instead all traffic on the interface. This feature is

particularly useful when looking for malicious traffic. It is available for Layer 2 and

Layer 3 ingress and egress traffic. You may specify traffic using standard or

extended access-lists. This mechanism copies all incoming or outgoing packets on

one port and forwards (mirrors) them to another port. The source port is the

monitored port (MD) and the destination port is the monitoring port (MG).

Commands

deny — configures a MAC ACL filter to drop packets.

seq —configure a MAC ACL filter with a specified sequence number.

permit ether-type (for Extended MAC ACLs)

Configure a filter that allows traffic with specified types of Ethernet packets. This command is supported

only on 12-port GE line cards with SFP optics. For specifications, refer to your line card documentation.

Syntax

permit ether-type protocol-type-number {destination-mac-address

mac-address-mask | any} vlan vlan-id {source-mac-address mac-

address-mask | any} [count [byte]] [order] [log

[intervalminutes][threshold-in-msgs] [count]][monitor]

To remove this filter, you have two choices:

• Use the no seq sequence-number command if you know the filter’s

sequence number.

• Use the no permit ether-type protocol-type-number

{destination-mac-address mac-address-mask | any} vlan vlan-

id {source-mac-address mac-address-mask | any} command.

Parameters

protocol-type-

number

Enter a number from 600 to FFF as the specific Ethernet

type traffic to drop.

destination-mac-

address mac-

address-mask

Enter a MAC address and mask in the nn:nn:nn:nn:nn

format.

For the MAC address mask, specify which bits in the MAC

address must match.

The MAC ACL supports an inverse mask; therefore, a mask

of ff:ff:ff:ff:ff:ff allows entries that do not match and a mask

of 00:00:00:00:00:00 only allows entries that match

exactly.

266

Access Control Lists (ACL)