1.2.4 Settings for forwarding and discarding in IP and TCP/UDP headers
(1) Sets IPv4 address as the flow-detection condition.
The following example forwards and discards frames using an IPv4 address as the flow detection condition.
Points to note
- When frames are received, flow detection is performed based on the source IPv4 address. The frames that match the filter entry are forwarded. All IP packets that do not match the filter entry are discarded.
Command examples
- (config)# ip access-list standard FLOOR_A_PERMIT
  Creates the IP access list FLOOR_A_PERMIT. Creating the list enters IPv4 address filtering mode.
- (config-std-nacl)# permit 192.168.0.0 0.0.0.255
  Sets an IPv4 address filter that forwards frames whose source IP address is in the 192.168.0.0/24 network.
- (config-std-nacl)# exit
  Returns to global configuration mode from IPv4 address filtering mode.
- (config)# interface vlan 10
  Switches to the interface mode for VLAN10.
- (config-if)# ip access-group FLOOR_A_PERMIT in
  Enables IPv4 filtering on the receiving side.
(2) Sets IPv4 packets as flow detection conditions.
The following example forwards and discards frames using IPv4 Telnet packets as the flow detection condition.
Points to note
- When frames are received, flow detection is performed based on the IP header or TCP/UDP header, and the frames that match the filter entry are discarded.
Command examples
- (config)# ip access-list extended TELNET_DENY
  Creates the IP access list TELNET_DENY. Creating the list switches to IPv4 packet filtering mode.
- (config-ext-nacl)# deny tcp any any eq telnet
  Sets an IPv4 packet filter that discards Telnet packets.
- (config-ext-nacl)# permit ip any any
  Sets an IPv4 packet filter that forwards all frames.
- (config-ext-nacl)# exit
  Returns to global configuration mode from IPv4 packet filtering mode.
- (config)# interface vlan 10
  Switches to the interface mode for VLAN10.
- (config-if)# ip access-group TELNET_DENY in
  Enables IPv4 filtering on the receiving side.
(3) Sets TCP/UDP port number as the flow-detection condition.
The following example forwards and discards frames using a UDP port number as the flow detection condition.
Points to note
- When a frame is received, the flow is detected according to the destination port number in the UDP header. The frame matching the filter entry is discarded.
Command examples
- (config)# ip access-list extended PORT_RANGE_DENY
  Creates the IP access list PORT_RANGE_DENY. Creating the list switches to IPv4 packet filtering mode.
- (config-ext-nacl)# deny udp any any eq 10
  Configures IPv4 packet filtering to discard packets whose destination port number in the UDP header is 10.
- (config-ext-nacl)# permit ip any any
  Sets an IPv4 packet filter that forwards all frames.
- (config-ext-nacl)# exit
  Returns to global configuration mode from IPv4 packet filtering mode.
- (config)# interface vlan 10
  Switches to the interface mode for VLAN10.
- (config-if)# ip access-group PORT_RANGE_DENY in
  Enables IPv4 filtering on the receiving side.
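The following Python model is an added example, not part of the original manual or the switch software: it evaluates the three IPv4 lists from (1) to (3) against constructed packets to show how the wildcard mask, entry order and unmatched traffic decide the result. It assumes entries are checked top-down with the first match deciding, and that packets matching no entry are discarded for every list; the tuple layout and function names are illustrative.

```python
# Added illustration: a model of the IPv4 lists in this section, not switch code.
import ipaddress

TELNET = 23  # well-known TCP port behind the "telnet" keyword

def wildcard_match(addr, base, wildcard):
    """True when addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

# Entry layout (assumed for this model):
# (action, protocol, source as (base, wildcard) or None for "any", destination port or None)
FLOOR_A_PERMIT = [("permit", "ip", ("192.168.0.0", "0.0.0.255"), None)]
TELNET_DENY = [("deny", "tcp", None, TELNET), ("permit", "ip", None, None)]
PORT_RANGE_DENY = [("deny", "udp", None, 10), ("permit", "ip", None, None)]

def evaluate(acl, packet):
    """Return 'forward' or 'discard' for a packet dict with src, proto, dport."""
    for action, proto, src, dport in acl:
        if proto != "ip" and proto != packet["proto"]:
            continue  # "ip" matches every protocol; tcp/udp must match exactly
        if src is not None and not wildcard_match(packet["src"], *src):
            continue
        if dport is not None and dport != packet.get("dport"):
            continue
        return "forward" if action == "permit" else "discard"
    return "discard"  # no entry matched: packet is discarded

def audit(acl, packets):
    """Evaluate every packet against one list."""
    return [evaluate(acl, p) for p in packets]

# Constructed sample packets (not captured traffic)
SAMPLES = [
    {"src": "192.168.0.57", "proto": "tcp", "dport": 23},   # Telnet from floor A
    {"src": "192.168.1.57", "proto": "tcp", "dport": 443},  # outside 192.168.0.0/24
    {"src": "10.0.0.9", "proto": "udp", "dport": 10},       # UDP port 10
]

if __name__ == "__main__":
    for name, acl in [("FLOOR_A_PERMIT", FLOOR_A_PERMIT),
                      ("TELNET_DENY", TELNET_DENY),
                      ("PORT_RANGE_DENY", PORT_RANGE_DENY)]:
        print(name, audit(acl, SAMPLES))
```

Under the first-match assumption, reversing TELNET_DENY so that `permit ip any any` comes first makes the model forward the Telnet packet, which is why the deny entry is entered before the permit entry in (2) and (3).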
(4) Sets IPv6 packets as flow detection conditions.
The following example forwards and discards frames using IPv6 packets as the flow detection condition.
Points to note
- When a frame is received, a flow is detected by IPv6 address. The frames matching the filter entry are forwarded. All IPv6 packets that do not match the filter entry are discarded.
Command examples
- (config)# ipv6 access-list FLOOR_B_PERMIT
  Creates the IPv6 access list FLOOR_B_PERMIT. Creating the list switches to IPv6 packet filtering mode.
- (config-ipv6-acl)# permit ipv6 2001:100::1/64 any
  Sets an IPv6 packet filter that forwards frames from source IP address 2001:100::1/64.
- (config-ipv6-acl)# exit
  Returns to global configuration mode from IPv6 packet filtering mode.
- (config)# interface gigabitethernet 1/0/1
  Moves to port 1/0/1 interface mode.
- (config-if)# ipv6 traffic-filter FLOOR_B_PERMIT in
  Enables IPv6 filtering on the receiving side.