Configuration examples for extended numbered acls – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

909

53-1003053-01

Configuring extended numbered ACLs

NOTE

This value is not supported on 10 Gbps Ethernet modules.

normal or 0 – The ACL matches packets that have the normal ToS. The decimal value for this option is 0.

<num> – A number from 0 – 15 that is the sum of the numeric values of the options you want. The ToS field is a four-bit field following the Precedence field in the IP header. You can specify one or more of the following. To select more than one option, enter the decimal value that is equivalent to the sum of the numeric values of all the ToS options you want to select. For example, to select the max-reliability and min-delay options, enter number 10. To select all options, select 15.
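As an added illustration (not part of the guide), the following Python encodes and decodes the tos value the way the paragraph above describes and shows where the four ToS bits sit in the IP header octet next to the Precedence and DSCP fields. The bit weights are those of RFC 1349 (min-monetary-cost 1, max-reliability 2, max-throughput 4, min-delay 8), which agree with the guide's example of 10 for max-reliability plus min-delay; the names of the two options not mentioned on this page are assumed to match the guide's.

```python
# Added example, not from the Brocade guide: encode/decode the 4-bit ToS value
# that the extended ACL "tos" option takes, and place it in the IP ToS octet.
# Bit weights follow RFC 1349; the guide's own example (max-reliability +
# min-delay = 10) is consistent with them. Option names for max-throughput and
# min-monetary-cost are assumed to match the guide's.

TOS_OPTIONS = {
    "min-monetary-cost": 1,
    "max-reliability": 2,
    "max-throughput": 4,
    "min-delay": 8,
}


def tos_value(*options):
    """Decimal ACL value for a set of ToS option names.
    'normal' (or no options at all) is 0; an unknown name raises ValueError."""
    value = 0
    for name in options:
        if name == "normal":
            continue
        if name not in TOS_OPTIONS:
            raise ValueError(f"unknown ToS option: {name}")
        value |= TOS_OPTIONS[name]
    return value


def tos_options(value):
    """Decode a 0-15 ACL ToS value back into a sorted list of option names."""
    if not 0 <= value <= 15:
        raise ValueError("ToS value must be 0-15")
    if value == 0:
        return ["normal"]
    return sorted(name for name, bit in TOS_OPTIONS.items() if value & bit)


def tos_byte(precedence, tos):
    """Build the IP header ToS octet: 3-bit Precedence, 4-bit ToS, 1 MBZ bit.
    The 4-bit ToS field follows Precedence, as the guide states."""
    if not 0 <= precedence <= 7 or not 0 <= tos <= 15:
        raise ValueError("precedence must be 0-7 and tos 0-15")
    return (precedence << 5) | (tos << 1)


def dscp_of(tos_octet):
    """DSCP (RFC 2474) reuses the upper 6 bits of the same octet, so a
    dscp-matching value and a tos value describe overlapping bits."""
    return tos_octet >> 2


if __name__ == "__main__":
    print(tos_value("max-reliability", "min-delay"))   # 10, as in the guide
    print(tos_options(15))
    octet = tos_byte(precedence=5, tos=10)
    print(f"ToS octet 0x{octet:02x}, DSCP {dscp_of(octet)}")
```

The last two functions are there to make one point the guide leaves implicit: the tos and dscp-matching options look at overlapping bits of the same octet, so an ACL that combines them has to be checked for consistency.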

The dscp-marking option enables you to configure an ACL that marks matching packets with a
specified DSCP value. Enter a value from 0 – 63.

The dscp-matching option matches on the packet DSCP value. Enter a value from 0 – 63. This
option does not change the packet forwarding priority through the device or mark the packet. Refer
to “DSCP matching” on page 924.

The log parameter enables SNMP traps and Syslog messages for packets denied by the ACL.

You can enable logging on ACLs and filters that support logging even when the ACLs and filters are
already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end
of the ACL or filter. The software replaces the ACL or filter command with the new one. The new
ACL or filter, with logging enabled, takes effect immediately.

The traffic-policy option enables the device to rate limit inbound traffic and to count the packets
and bytes per packet to which ACL permit or deny clauses are applied. For configuration
procedures and examples, refer to Chapter 29, “Configuring Traffic Policies”.

Configuration examples for extended numbered ACLs

To configure an extended access list that blocks all Telnet traffic received on port 1 from IP host
10.157.22.26, enter the following commands.

TurboIron(config)#access-list 101 deny tcp host 10.157.22.26 any eq telnet log
TurboIron(config)#access-list 101 permit ip any any
TurboIron(config)#int eth 1
TurboIron(config-if-e10000-1)#ip access-group 101 in
TurboIron(config)#write memory

Here is another example of commands for configuring an extended ACL and applying it to an
interface. These examples show many of the syntax choices. Notice that some of the entries are
configured to generate log entries while other entries are not.

The first entry permits ICMP traffic from hosts in the 10.157.22.x network to hosts in the
10.157.21.x network.

TurboIron(config)#access-list 102 perm icmp 10.157.22.0/24 10.157.21.0/24
TurboIron(config)#access-list 102 deny igmp host rkwong 10.157.21.0/24 log
TurboIron(config)#access-list 102 deny igrp 10.157.21.0/24 host rkwong log
TurboIron(config)#access-list 102 deny ip host 10.157.21.100 host 10.157.22.1 log
TurboIron(config)#access-list 102 deny ospf any any log
TurboIron(config)#access-list 102 permit ip any any
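The two ACLs above, run through a small simulator. This is an added example, not code from the Brocade guide or from the device: it parses the access-list syntax shown on this page (including the abbreviated "perm"), evaluates packets top-down with first-match semantics and the implicit deny at the end of every ACL, and produces a syslog-style record only for denied packets whose clause carries "log", which is the behaviour the log parameter paragraph describes. The address behind "host rkwong", the port-name table and the record format are constructed for this example; that a re-entered clause keeps its position when the guide says it is replaced is an assumption.

```python
# Added example (not from the Brocade guide, not device code): a small simulator
# of the extended numbered ACL syntax used on this page. It parses access-list
# lines, evaluates packets top-down with first-match semantics, and returns a
# syslog-style record for denied packets whose clause carries "log". The host
# name table and the record format are constructed for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

HOSTS = {"rkwong": "10.157.22.44"}  # constructed stand-in for the guide's "host rkwong"
PORT_NAMES = {"telnet": 23, "ssh": 22, "http": 80}


@dataclass
class Clause:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]        # set by "eq <port>" after the source address
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # set by "eq <port>" after the destination
    log: bool

    def match_key(self):        # match fields only; detects a re-entered clause
        return (self.action, self.proto, self.src, self.sport, self.dst, self.dport)


def _addr(t, i):
    """'any' | 'host <ip-or-name>' | 'A.B.C.D/len' at t[i] -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(HOSTS.get(t[i + 1], t[i + 1]) + "/32"), i + 2
    return ipaddress.ip_network(t[i], strict=False), i + 1


def _port(t, i):
    """Optional 'eq <name-or-number>' after an address -> (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_clause(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p] [log]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list command: {line}")
    # abbreviated actions such as "perm", as used on this page, are accepted
    action = next((a for a in ("permit", "deny") if a.startswith(t[2])), None)
    if action is None:
        raise ValueError(f"bad action in: {line}")
    src, i = _addr(t, 4)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    log = i < len(t) and t[i] == "log"
    return int(t[1]), Clause(action, t[3], src, sport, dst, dport, log)


class AccessList:
    def __init__(self, number):
        self.number, self.clauses = number, []

    def add(self, line):
        number, clause = parse_clause(line)
        if number != self.number:
            raise ValueError(f"clause belongs to ACL {number}, not {self.number}")
        # The guide says re-entering a clause with "log" appended replaces the old
        # clause; that it keeps its position is an assumption of this example.
        for k, old in enumerate(self.clauses):
            if old.match_key() == clause.match_key():
                self.clauses[k] = clause
                return
        self.clauses.append(clause)

    def evaluate(self, pkt):
        """First matching clause decides -> (action, log record or None).
        A packet matching no clause hits the implicit deny at the end of the ACL."""
        src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
        for n, c in enumerate(self.clauses, 1):
            if c.proto not in ("ip", pkt["proto"]) or src not in c.src or dst not in c.dst:
                continue
            if c.sport is not None and pkt.get("sport") != c.sport:
                continue
            if c.dport is not None and pkt.get("dport") != c.dport:
                continue
            record = None
            if c.action == "deny" and c.log:   # only logged denies produce a record
                record = f"ACL {self.number} clause {n} denied {pkt['proto']} {pkt['src']} -> {pkt['dst']}"
            return c.action, record
        return "deny", None


def build(lines):
    """Build an AccessList from the access-list lines of one numbered ACL."""
    acl = AccessList(int(lines[0].split()[1]))
    for line in lines:
        acl.add(line)
    return acl


# The guide's two ACLs, with the "TurboIron(config)#" prompt stripped.
ACL_101 = ["access-list 101 deny tcp host 10.157.22.26 any eq telnet log",
           "access-list 101 permit ip any any"]
ACL_102 = ["access-list 102 perm icmp 10.157.22.0/24 10.157.21.0/24",
           "access-list 102 deny igmp host rkwong 10.157.21.0/24 log",
           "access-list 102 deny igrp 10.157.21.0/24 host rkwong log",
           "access-list 102 deny ip host 10.157.21.100 host 10.157.22.1 log",
           "access-list 102 deny ospf any any log",
           "access-list 102 permit ip any any"]
```

Running build(ACL_101).evaluate({"proto": "tcp", "src": "10.157.22.26", "dst": "10.0.0.1", "dport": 23}) returns the deny together with a record, while the same packet to port 22 falls through to the permit ip any any clause and returns no record, which is the point of the guide's note that only entries carrying log generate log entries.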
