Administrator Guide

ManualsBrandsDell ManualsAccess PlatformsPowerSwitch S3048-ON

191

192

193

194

195

196

197

198

199

200

The following commands congure extended IP ACLs, which in addition to the IP address, also examine the packet’s protocol type.

The platform supports both Ingress and Egress IP ACLs.

NOTE: Also refer to the Commands Common to all ACL Types and Common IP ACL Commands sections.

deny

Congure a lter that drops IP packets meeting the lter criteria.

Syntax

deny {ip | ip-protocol-number} {source mask | any | host ip-address}

{destination mask | any | host ip-address} [ttl operator][count [byte] | log]

[dscp value] [order] [monitor] [fragments] [no-drop]

To remove this lter, you have two choices:

• Use the no seq sequence-number command if you know the lter’s sequence number.

•

Use the no deny {ip | ip-protocol-number} {source mask | any | host ip-address}

{destination mask | any | host ip-address} command.

Parameters

ip Enter the keyword ip to congure a generic IP access list. The keyword ip species that

the access list denies all IP protocols.

ip-protocol-number Enter a number from 0 to 255 to deny based on the protocol identied in the IP protocol

header.

source Enter the IP address of the network or host from which the packets were sent.

mask Enter a network mask in /prex format (/x) or A.B.C.D. The mask, when specied in

A.B.C.D format, may be either contiguous or noncontiguous.

any Enter the keyword any to specify that all routes are subject to the lter.

host ip-address Enter the keyword host then the IP address to specify a host IP address.

destination Enter the IP address of the network or host to which the packets are sent.

ttl Enter the keyword ttl to deny a packet based on the time to live value. The range is

from 1 to 255.

operator Enter one of the following logical operand:

• eq(equal to) — matches packets that contain a ttl value that is equal to the specied

ttl value.

• neq(not equal to) — matches packets that contain a ttl value that is not equal to the

specied ttl value.

•

gt(greater than) — matches packets that contain a ttl value that is greater than the

specied ttl value.

• lt (less than) — matches packets that contain a ttl value that is less than the

specied ttl value.

• range(inclusive range of values) — matches packets that contain a ttl value that

falls between the specied range of ttl values.

count (OPTIONAL) Enter the keyword count to count packets that the lter processes.

byte (OPTIONAL) Enter the keyword byte to count bytes that the lter processes.

log (OPTIONAL, E-Series only) Enter the keyword log to enter ACL matches in the log.

200 Access Control Lists (ACL)