Configuring standard numbered acls, Standard numbered acl syntax – Brocade TurboIron 24X Series Configuration Guide User Manual

Page 935

Advertising
background image

Brocade TurboIron 24X Series Configuration Guide

901

53-1003053-01

Configuring standard numbered ACLs

Devices support MAC filters instead of Layer 2 ACLs.

You can apply an ACL to a port that has TCP SYN protection or ICMP smurf protection, or both,
enabled.

NOTE

TurboIron X Series devices do not support ACLs on Group VEs, even though the CLI contains
commands for this action.

Configuring standard numbered ACLs

This section describes how to configure standard numbered ACLs with numeric IDs and provides
configuration examples.

Standard ACLs permit or deny packets based on source IP address. You can configure up to 99
standard numbered ACLs. There is no limit to the number of ACL entries an ACL can contain except
for the system-wide limitation. For the number of ACL entries supported on a device, refer to

“ACL

IDs and entries”

on page 898.

Standard numbered ACL syntax

Syntax: [no] access-list <ACL-num> deny | permit <source-ip> | <hostname> <wildcard> [log]

or

Syntax: [no] access-list <ACL-num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]

Syntax: [no] access-list <ACL-num> deny | permit host <source-ip> | <hostname> [log]

Syntax: [no] access-list <ACL-num> deny | permit any [log]

Syntax: [no] ip access-group <ACL-num> in

The <ACL-num> parameter is the access list number from 1 – 99.

The deny | permit parameter indicates whether packets that match a policy in the access list are
denied (dropped) or permitted (forwarded).

The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host
name.

NOTE

To specify the host name instead of the IP address, the host name must be configured using the
DNS resolver on the device. To configure the DNS resolver name, use the ip dns server-address…
command at the global CONFIG level of the CLI.

The <wildcard> parameter specifies the mask value to compare against the host address specified
by the <source-ip> parameter. The <wildcard> is in dotted-decimal notation (IP address format). It
is a four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or
a zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in the mask
mean the packet source address must match the <source-ip>. Ones mean any value matches. For
example, the <source-ip> and <wildcard> values 10.157.22.26 0.0.0.255 mean that all hosts in
the Class C subnet 10.157.22.x match the policy.

Advertising
Popular Brands
Popular manuals