Configuration Guide Vol. 2


1.2.5 Settings for forwarding and discarding in IP and TCP/UDP headers


(1) Setting an IPv4 address as the flow detection condition

The following example forwards and discards frames using an IPv4 address as the flow detection condition.

Points to note

When frames are received, flow detection is performed based on the source IPv4 address. The frames that match the filter entry are forwarded. All IP packets that do not match the filter entry are discarded.

Command examples

  1. (config)# ip access-list standard FLOOR_A_PERMIT

    Creates the ip access-list (FLOOR_A_PERMIT). Creating this list switches to IPv4 address filtering mode.

  2. (config-std-nacl)# permit 192.168.0.0 0.0.0.255

    Sets an IPv4 address filter that forwards frames whose source IP address is in the 192.168.0.0/24 network.

  3. (config-std-nacl)# exit

    Returns to global configuration mode from IPv4 address filtering mode.

  4. (config)# interface vlan 10

    Switches to the interface mode for VLAN10.

  5. (config-if)# ip access-group FLOOR_A_PERMIT in

    Enables IPv4 filtering on the receiving side.

(2) Setting IPv4 packets as the flow detection condition

The following example forwards and discards frames using IPv4 Telnet packets as the flow detection condition.

Points to note

When frames are received, flow detection is performed based on the IP header or TCP/UDP header, and the frames that match the filter entry are discarded.

Command examples

  1. (config)# ip access-list extended TELNET_DENY

    Creates the ip access-list (TELNET_DENY). Creating this list switches to IPv4 packet filtering mode.

  2. (config-ext-nacl)# deny tcp any any eq telnet

    Sets an IPv4 packet filter that discards Telnet packets.

  3. (config-ext-nacl)# permit ip any any

    Sets an IPv4 packet filter that forwards all frames.

  4. (config-ext-nacl)# exit

    Returns to global configuration mode from IPv4 packet filtering mode.

  5. (config)# interface vlan 10

    Switches to the interface mode for VLAN10.

  6. (config-if)# ip access-group TELNET_DENY in

    Enables IPv4 filtering on the receiving side.

(3) Setting a TCP/UDP port number range as the flow detection condition

The following example forwards and discards frames using a range of UDP port numbers as the flow detection condition.

Points to note

When frames are received, flow detection is performed based on the range of destination port numbers in the UDP header, and the frames that match the filter entry are discarded.

Command examples

  1. (config)# ip access-list extended PORT_RANGE_DENY

    Creates the ip access-list (PORT_RANGE_DENY). Creating this list switches to IPv4 packet filtering mode.

  2. (config-ext-nacl)# deny udp any any range 10 20

    Sets an IPv4 packet filter that discards packets whose destination port number in the UDP header is 10 to 20.

  3. (config-ext-nacl)# permit ip any any

    Sets an IPv4 packet filter that forwards all frames.

  4. (config-ext-nacl)# exit

    Returns to global configuration mode from IPv4 packet filtering mode.

  5. (config)# interface vlan 10

    Switches to the interface mode for VLAN10.

  6. (config-if)# ip access-group PORT_RANGE_DENY in

    Enables IPv4 filtering on the receiving side.
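
The following Python sketch is an added example, not part of the original guide or the switch software. It models how the three IPv4 lists above decide between forwarding and discarding, so the effect of the wildcard mask, the trailing "permit ip any any" entry, and the implicit discard can be checked offline. It assumes entries are evaluated top-down with the first match winning, that "eq telnet" means destination TCP port 23, and that "range 10 20" is inclusive; the function names and sample packets are constructed for illustration.

```python
import ipaddress

TELNET = 23  # assumption: port behind the "telnet" keyword

def wildcard_match(addr, base, wildcard):
    """Wildcard-mask match: bits set to 1 in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def parse_entry(line):
    """Parse only the entry forms used in examples (1) to (3) of this page."""
    t = line.split()
    entry = {"action": t[0], "proto": "ip",
             "src": ("0.0.0.0", "255.255.255.255"), "ports": None}  # default: any
    if t[1] in ("ip", "tcp", "udp"):   # extended: <action> <proto> any any [eq P | range A B]
        entry["proto"] = t[1]
        if "eq" in t:
            p = t[t.index("eq") + 1]
            p = TELNET if p == "telnet" else int(p)
            entry["ports"] = (p, p)
        elif "range" in t:
            i = t.index("range")
            entry["ports"] = (int(t[i + 1]), int(t[i + 2]))
    else:                              # standard: <action> <address> <wildcard>
        entry["src"] = (t[1], t[2])
    return entry

def evaluate(acl_lines, pkt):
    """Return 'forward' or 'discard' for pkt = {'src', 'proto', 'dport'}."""
    for e in map(parse_entry, acl_lines):
        if not wildcard_match(pkt["src"], *e["src"]):
            continue
        if e["proto"] != "ip" and e["proto"] != pkt["proto"]:
            continue
        if e["ports"] and not (e["ports"][0] <= pkt.get("dport", -1) <= e["ports"][1]):
            continue
        return "forward" if e["action"] == "permit" else "discard"
    return "discard"                   # no entry matched: implicit discard

# The three lists from this page, entry lines only.
FLOOR_A_PERMIT = ["permit 192.168.0.0 0.0.0.255"]
TELNET_DENY = ["deny tcp any any eq telnet", "permit ip any any"]
PORT_RANGE_DENY = ["deny udp any any range 10 20", "permit ip any any"]
```

Evaluating TELNET_DENY with its last entry removed shows why step 3 is needed: every packet that is not Telnet then falls through to the implicit discard.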

(4) Setting IPv6 packets as the flow detection condition

The following example forwards and discards frames using IPv6 packets as the flow detection condition.

Points to note

When frames are received, flow detection is performed based on the IP address, and the frames that match the filter entry are forwarded. All IP packets that do not match the filter entry are discarded.

Command examples

  1. (config)# ipv6 access-list FLOOR_B_PERMIT

    Creates the ipv6 access-list (FLOOR_B_PERMIT). Creating this list switches to IPv6 packet filtering mode.

  2. (config-ipv6-acl)# permit ipv6 2001:100::1/64 any

    Sets an IPv6 packet filter that forwards frames from source IP address 2001:100::1/64.

  3. (config-ipv6-acl)# exit

    Returns to global configuration mode from IPv6 packet filtering mode.

  4. (config)# interface gigabitethernet 1/0/1

    Moves to port 1/0/1 interface mode.

  5. (config-if)# ipv6 traffic-filter FLOOR_B_PERMIT in

    Enables IPv6 filtering on the receiving side.