Brocade ICX 6650 Security Configuration Guide
53-1002601-01
QoS options for IP ACLs
The first entry in this ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x network, if the traffic has the IP precedence option "internet" (equivalent to "6").
The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network, if the traffic has the IP precedence value "6" (equivalent to "internet").
The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
To configure an IP ACL that matches based on ToS, enter commands such as the following.
The first entry in this IP ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x network, if the traffic has the IP ToS option "normal" (equivalent to "0").
The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network, if the traffic has the IP ToS value "13" (equivalent to "max-throughput", "min-delay", and "min-monetary-cost").
The third entry permits all packets that are not explicitly denied by the other entries. Without this entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
TCP flags - edge port security
The edge port security feature works in combination with IP ACL rules and can be combined with other ACL functions (such as dscp-marking and traffic policies), giving you greater flexibility when designing ACLs.
For details about the edge port security feature, refer to 
QoS options for IP ACLs
Quality of Service (QoS) options enable you to perform QoS for packets that match the ACLs. Using an ACL to perform QoS is an alternative to directly setting the internal forwarding priority based on incoming port, VLAN membership, and so on. (This method is described in the Brocade ICX 6650 Platform and Layer 2 Switching Configuration Guide.)
The following QoS ACL options are supported:
dscp-cos-mapping – By default, the Brocade device does the 802.1p to CoS mapping.
dscp-marking – Marks the DSCP value in the outgoing packet with the value you specify.
internal-priority-marking and 802.1p-priority-marking – Supported with the DSCP marking option, these commands assign traffic that matches the ACL to a hardware forwarding queue (internal-priority-marking), and re-mark the packets that match the ACL with the 802.1p priority (802.1p-priority-marking).
Brocade(config)# access-list 104 deny tcp 10.157.21.0/24 10.157.22.0/24 tos normal
Brocade(config)# access-list 104 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 tos 13
Brocade(config)# access-list 104 permit ip any any
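To make the first-match and implicit-deny semantics described above concrete, the following added example (not code from the guide or from Brocade) parses the three ACL 104 lines shown and evaluates constructed packets against them. The keyword values "normal" = 0 and "internet" = 6 are the page's; the other ToS bit weights and precedence names are an assumption chosen so that max-throughput + min-delay + min-monetary-cost = 13, as the page states, and the port names are ordinary well-known ports. It also shows what happens when the final permit entry is left out: every packet the first two entries do not deny falls through to the implicit deny.

```python
"""First-match evaluator for the extended IP ACL lines shown on this page."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Keyword tables. "normal" = 0 and "internet" = 6 are taken from the page; the
# remaining values are an assumption (ToS bit weights chosen so that
# max-throughput + min-delay + min-monetary-cost = 4 + 8 + 1 = 13).
TOS_KEYWORDS = {"normal": 0, "min-monetary-cost": 1, "max-reliability": 2,
                "max-throughput": 4, "min-delay": 8}
PRECEDENCE_KEYWORDS = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                       "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
PORT_KEYWORDS = {"ftp": 21, "telnet": 23, "http": 80}  # well-known ports, not from the page

# The page's ACL 104, reproduced here as constructed sample input.
ACL_104 = [
    "Brocade(config)# access-list 104 deny tcp 10.157.21.0/24 10.157.22.0/24 tos normal",
    "Brocade(config)# access-list 104 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24 tos 13",
    "Brocade(config)# access-list 104 permit ip any any",
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", or "ip" for anything else
    sport: int = 0
    dport: int = 0
    tos: int = 0          # 4-bit ToS field
    precedence: int = 0   # 3-bit IP precedence


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    tos: Optional[int]
    precedence: Optional[int]
    text: str


def _network(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)


def _lookup(tok: str, table: dict) -> int:
    # Accept either a keyword from the table or a literal number.
    return table[tok] if tok in table else int(tok)


def parse_rule(line: str) -> Rule:
    """Parse one 'access-list N permit|deny proto src [eq p] dst [eq p] [tos v] [precedence v]' line."""
    line = re.sub(r"^\S*\(config\)#\s*", "", line.strip())  # drop the CLI prompt if present
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto, i = toks[2], toks[3], 4
    src = _network(toks[i]); i += 1
    sport = None
    if i < len(toks) and toks[i] == "eq":       # 'eq' right after the source = source port
        sport = _lookup(toks[i + 1], PORT_KEYWORDS); i += 2
    dst = _network(toks[i]); i += 1
    dport = None
    if i < len(toks) and toks[i] == "eq":       # 'eq' after the destination = destination port
        dport = _lookup(toks[i + 1], PORT_KEYWORDS); i += 2
    tos = precedence = None
    while i < len(toks):                        # optional QoS match criteria
        if toks[i] == "tos":
            tos = _lookup(toks[i + 1], TOS_KEYWORDS)
        elif toks[i] == "precedence":
            precedence = _lookup(toks[i + 1], PRECEDENCE_KEYWORDS)
        else:
            raise ValueError(f"unsupported option {toks[i]!r} in: {line}")
        i += 2
    return Rule(action, proto, src, sport, dst, dport, tos, precedence, line)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion present in the entry must match; absent criteria match anything."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    for want, have in ((rule.sport, pkt.sport), (rule.dport, pkt.dport),
                       (rule.tos, pkt.tos), (rule.precedence, pkt.precedence)):
        if want is not None and want != have:
            return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based entry number); no match means the implicit deny (entry None)."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", None


if __name__ == "__main__":
    rules = [parse_rule(line) for line in ACL_104]
    samples = [
        Packet("10.157.21.5", "10.157.22.9", "tcp", sport=50000, dport=80, tos=0),   # entry 1
        Packet("10.157.21.5", "10.157.22.9", "tcp", sport=21, dport=50000, tos=13),  # entry 2
        Packet("10.157.21.5", "10.157.22.9", "udp", sport=5000, dport=53, tos=0),    # entry 3
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(rules, pkt), "| without permit:", evaluate(rules[:2], pkt))
```

Note that in this syntax the "eq ftp" of the second entry sits after the source network, so the parser records it as a source-port match; the third sample packet is permitted only by the final entry, and evaluating the first two entries alone returns ("deny", None), which is the implicit deny the page warns about.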