Force10 Networks S2410s Switch User Manual


 
{deny|permit}
SFTOS Command Reference for the S2410, Version 2.4.1.0 289
Usage
A rule may either deny or permit traffic according to the specified classification fields. At a minimum, the source and destination MAC value must be specified, each of which may be substituted using the keyword any to indicate a match on any value in that field. The remaining command parameters are all optional, but the most frequently used parameters appear in the same relative order as shown in the command format.
The srcmacmask variable uses a wildcard called an inverted mask. In an inverted mask, a zero in a bit in the mask means "exact match required". A one in a mask bit means "match anything here". For example:
To deny all traffic from MAC address 00:00:00:00:03:02, the mask is 00:00:00:00:00:00.
To deny all traffic from 00:00:00:00:03:xx, the mask is 00:00:00:00:00:ff.
The Ethertype (ethertypekey) may be specified as either a keyword or a four-digit hexadecimal value from 0x0600-0xFFFF. The currently supported ethertypekey values are: appletalk, arp, ibmsna, ipv4, ipv6, ipx, mplsmcast, mplsucast, netbios, novell, pppoe, and rarp. Each of these translates into its equivalent Ethertype value(s), as shown in Table 23.
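As an added example (not SFTOS code or any Force10 tool), the following Python evaluates MAC ACL rules with the inverted-mask and Ethertype keyword semantics described above, using the keyword values printed in Table 23 on this page. The rule field names (srcmask, dstmask), first-match evaluation order, and the None result when no rule matches are assumptions; the page does not state the default action.

```python
from dataclasses import dataclass
from typing import List, Optional

# Keyword-to-value mapping from Table 23 (only the rows present on this page).
ETHERTYPE_KEYWORDS = {
    "appletalk": 0x809B, "arp": 0x0806, "ibmsna": 0x80D5, "ipv4": 0x0800,
    "ipv6": 0x86DD, "ipx": 0x8037, "mplsmcast": 0x8848, "mplsucast": 0x8847,
    "netbios": 0x8191,
}

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)

def mac_matches(addr: str, rule_mac: str, inverted_mask: str) -> bool:
    """Inverted mask: a 0 bit means 'exact match required', a 1 bit 'match anything'.
    So ff:ff:ff:ff:ff:ff matches every address, the opposite of a subnet-style mask."""
    care = ~mac_to_int(inverted_mask) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) & care) == (mac_to_int(rule_mac) & care)

def resolve_ethertype(key: str) -> int:
    """Accept a Table 23 keyword or a hex value within the allowed 0x0600-0xFFFF range."""
    if key in ETHERTYPE_KEYWORDS:
        return ETHERTYPE_KEYWORDS[key]
    value = int(key, 16)
    if not 0x0600 <= value <= 0xFFFF:
        raise ValueError(f"Ethertype {key} outside 0x0600-0xFFFF")
    return value

@dataclass
class MacRule:                        # field names are assumptions, not SFTOS syntax
    action: str                       # "deny" or "permit"
    src: str                          # source MAC or "any"
    srcmask: str = "00:00:00:00:00:00"
    dst: str = "any"                  # destination MAC or "any"
    dstmask: str = "00:00:00:00:00:00"
    ethertype: Optional[str] = None   # keyword or hex string; None matches any type

def rule_matches(rule: MacRule, src: str, dst: str, ethertype: int) -> bool:
    if rule.src != "any" and not mac_matches(src, rule.src, rule.srcmask):
        return False
    if rule.dst != "any" and not mac_matches(dst, rule.dst, rule.dstmask):
        return False
    return rule.ethertype is None or resolve_ethertype(rule.ethertype) == ethertype

def evaluate(rules: List[MacRule], src: str, dst: str, ethertype: int) -> Optional[str]:
    """Return the action of the first matching rule, or None if no rule matched."""
    for rule in rules:
        if rule_matches(rule, src, dst, ethertype):
            return rule.action
    return None
```

Running the two masks from the text through mac_matches shows why a mask typed as ff:ff:ff:ff:ff:ff by habit turns a targeted deny into a deny of all sources.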
secondary-vlan (Optional) As above, for the vlan keyword.
secondary-cos (Optional) As above, for the cos keyword.
assign-queue (Optional) The assign-queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule. The allowed queue-id value is 0-(n-1), where n is the number of user configurable queues available for the hardware platform. (See the Usage section, below.)
redirect (Optional) The redirect parameter redirects traffic matching this rule to the specified egress port. The redirected packet carries the same MAC address as it would have if it had not been redirected (the MAC address of the next hop defined in the routing table). Basically, it looks like a mirrored packet on the redirect port. (See the Usage section, below.)
Note: The no form of this command is not supported, as the rules within an ACL group cannot be deleted individually. Rather, the entire ACL group must be deleted and re-specified.
Table 23 Ethertype Keyword and 4-digit Hexadecimal Value
Ethertype Keyword    Corresponding Value
appletalk            0x809B
arp                  0x0806
ibmsna               0x80D5
ipv4                 0x0800
ipv6                 0x86DD
ipx                  0x8037
mplsmcast            0x8848
mplsucast            0x8847
netbios              0x8191