User Manual
404
User Manual of XGS-6350-24X4C
43.4.3.4 Applying the Access List to the Interface
After the access list is created, you can apply it to one or more interfaces, in the in (inbound) direction, the
out (outbound) direction, or both.
Run the following command in interface configuration mode.
Run                                   To
ip access-group name {in | out}       Apply the access list to the interface in the given direction.
The access list can be applied in the in direction and in the out direction. For a standard access list applied in
the in direction, the source address of each packet is checked against the access list after the packet is
received. For an extensible access list, the routing switch also checks the destination address. If the access
list permits the packet, the software continues processing it. If the access list does not permit the packet, the
software drops it and returns an ICMP unreachable message.
For a standard access list applied in the out direction, after a packet is received or routed to the controlled
interface, the software checks the source address of the packet against the access list. For an extensible
access list, the routing switch also checks the destination address, as it does on the receiving side. If the
access list permits the packet, the software sends it. If the access list does not permit the packet, the software
drops it and returns an ICMP unreachable message.
If the designated access list does not exist, all packets are allowed to pass: applying the name of a list that
has not been defined leaves the interface unfiltered rather than blocking traffic.
43.4.3.5 Extensible Access List Example
1. Port-based IP access list supporting TCP/UDP port filtration
{deny | permit} {tcp | udp}
    source source-mask [ { [src_portrange begin-port end-port] | [ {gt | lt} port ] } ]
    destination destination-mask [ { [dst_portrange begin-port end-port] | [ {gt | lt} port ] } ]
    [precedence precedence] [tos tos]
If you configure the access list by specifying port ranges, note the following:
If you specify a port range on both the source side and the destination side, some configurations may fail
because of the large amount of hardware resources consumed. In this case, specify a port range on one side
only and a single port on the other side.
Port range filtration occupies many resources. If it is used extensively, the access list cannot support other
functions as well as before.
2. Port-based IP access list supporting TCP/UDP designated port filtration
In the following example, the first entry of list aaa permits any host to open a new TCP connection to the SMTP
port (25) of host 130.2.1.2; the list is then applied to interface f0/10. As shown in the ip access-group syntax
above, the direction keyword (in or out) is given when the list is applied.
ip access-list extended aaa
permit tcp any 130.2.1.2 255.255.255.255 eq 25
interface f0/10
ip access-group aaa
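The matching rules described in this section (source and destination checked against an extensible list, eq/gt/lt and port-range qualifiers, a non-existent list letting everything through) can be exercised offline with the following Python model. It is an added example, not code from the switch or from the manual: it parses the subset of the syntax shown above and evaluates constructed packets against the page's list aaa and a second constructed list bbb. Two points the manual does not state are assumptions here: entries are tried in order with the first match winning, and a packet matching no entry is dropped; the mask is treated as a subnet mask (255.255.255.255 selects one host, as in the SMTP example) and the direction keyword "in" on the ip access-group line is assumed.

```python
"""Model of the extended ACL semantics described in the manual (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


@dataclass
class PortSpec:
    """Port qualifier: eq/gt/lt <port>, or a src_portrange/dst_portrange begin-end range."""
    kind: str
    lo: int
    hi: int = 0

    def matches(self, port: int) -> bool:
        if self.kind == "eq":
            return port == self.lo
        if self.kind == "gt":
            return port > self.lo
        if self.kind == "lt":
            return port < self.lo
        return self.lo <= port <= self.hi  # kind == "range"


@dataclass
class AddrSpec:
    """Address with a subnet mask (assumption); 'any' is address 0 with mask 0."""
    addr: int
    mask: int

    def matches(self, ip: str) -> bool:
        return (int(IPv4Address(ip)) & self.mask) == (self.addr & self.mask)


@dataclass
class Entry:
    action: str            # "permit" or "deny"
    proto: str             # "tcp" or "udp"
    src: AddrSpec
    sport: Optional[PortSpec]
    dst: AddrSpec
    dport: Optional[PortSpec]

    def matches(self, pkt: dict) -> bool:
        # An extensible list checks protocol, source and destination (plus ports when given).
        if pkt["proto"] != self.proto:
            return False
        if not self.src.matches(pkt["src"]) or not self.dst.matches(pkt["dst"]):
            return False
        if self.sport is not None and not self.sport.matches(pkt["sport"]):
            return False
        if self.dport is not None and not self.dport.matches(pkt["dport"]):
            return False
        return True


def _parse_addr(t: List[str], i: int) -> Tuple[AddrSpec, int]:
    if t[i] == "any":
        return AddrSpec(0, 0), i + 1
    return AddrSpec(int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2


def _parse_port(t: List[str], i: int) -> Tuple[Optional[PortSpec], int]:
    if i < len(t) and t[i] in ("eq", "gt", "lt"):
        return PortSpec(t[i], int(t[i + 1])), i + 2
    if i < len(t) and t[i] in ("src_portrange", "dst_portrange"):
        return PortSpec("range", int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse '{deny|permit} {tcp|udp} source mask [ports] destination mask [ports] ...'."""
    t = line.split()
    src, i = _parse_addr(t, 2)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    # Trailing [precedence N] [tos N] qualifiers are accepted but not modelled here.
    return Entry(t[0], t[1], src, sport, dst, dport)


def parse_config(text: str) -> Dict[str, List[Entry]]:
    """Collect each 'ip access-list extended NAME' block and its permit/deny entries."""
    acls: Dict[str, List[Entry]] = {}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw.strip().startswith("ip access-list extended "):
            current = words[3]
            acls[current] = []
        elif current is not None and words[0] in ("permit", "deny"):
            acls[current].append(parse_entry(raw))
        else:
            current = None  # e.g. 'interface f0/10' ends the list block
    return acls


def evaluate(acls: Dict[str, List[Entry]], name: str, pkt: dict) -> str:
    """Return 'permit' or 'deny' for pkt checked against the list applied under `name`."""
    entries = acls.get(name)
    if entries is None:
        return "permit"  # manual: a non-existent list lets all packets pass (fail-open)
    for e in entries:    # assumption: ordered evaluation, first match wins
        if e.matches(pkt):
            return e.action
    return "deny"        # assumption: no match means the packet is dropped


# Constructed configuration: the manual's list aaa (direction 'in' assumed) plus a second list bbb.
CONFIG = """
ip access-list extended aaa
 permit tcp any 130.2.1.2 255.255.255.255 eq 25
interface f0/10
 ip access-group aaa in
ip access-list extended bbb
 deny udp any 10.0.0.0 255.0.0.0 dst_portrange 1024 65535
 permit tcp 192.168.1.0 255.255.255.0 gt 1023 any eq 443
"""
ACLS = parse_config(CONFIG)

if __name__ == "__main__":
    smtp = {"proto": "tcp", "src": "1.2.3.4", "sport": 40000, "dst": "130.2.1.2", "dport": 25}
    print("aaa smtp ->", evaluate(ACLS, "aaa", smtp))
    print("undefined list ->", evaluate(ACLS, "not-defined", smtp))
```

Running the block prints the verdict for an SMTP packet to 130.2.1.2 (permit) and the verdict under a list name that was never defined (permit, because of the fail-open rule), which is the case worth checking whenever an ip access-group line refers to a list that has been renamed or removed.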