Open as PDF
408 CHAPTER 19: CONFIGURING AND MANAGING SECURITY ACLS
WX1200# set security acl ip SVP permit cos 7 119 0.0.0.0
255.255.255.255 0.0.0.0 255.255.255.255
WX1200# set security acl ip SVP permit 0.0.0.0
WX1200# set security acl map SVP vlan v1 in
WX1200# set security acl map SVP vlan v1 out
WX1200# commit security acl SVP
The first ACE is needed only if the active-scan feature is enabled in the
radio profile. The ACE ensures that active-scan reduces its off-channel
time in the presence of FTP traffic from the TFTP server, by setting the CoS
of the server traffic to 7. This ACE gives CoS 7 to UDP traffic from TFTP
server 10.2.4.69 to any IP address, to or from any UDP port other than 0.
(For more information, see “RF Detection Scans” on page 571.)
The second ACE sets CoS to 7 for all SVP traffic.
The third ACE matches on all traffic that does not match on either of the
Reason the ACL Needs To Be Mapped to Both Traffic Directions If
the ACL is not also mapped to the inbound direction on the voice VLAN,
CoS will not be marked in the traffic if the path to the SVP handset is over
a tunnel. MSS does not support mapping an ACL to a tunneled VLAN.
When configured in a Mobility Domain, WX switches dynamically create
tunnels to bridge clients to non-local VLANs. A non-local VLAN is a VLAN
that is not configured on the WX that is forwarding the client's traffic. MSS
does not support mapping an ACL to a non-local VLAN. The CLI accepts the
configuration command but the command is not saved in the configuration.
Consider switch-1 with VLAN_A and switch-2 with VLAN_B. If a handset
connected to switch-2 is placed in VLAN_A, a tunnel is created between
switch-1 and switch-2. If an ACL is mapped to VLAN_A-out on switch-1,
it will affect local clients but not clients using the same VLAN on switch-2.
Also, if an ACL is mapped to VLAN_A-in on switch-1, it will affect remote
clients on switch-2, but not local clients. 3Com recommends mapping
ACLs both vlan-in and vlan-out to ensure proper CoS marking in both