BigIron RX Series Configuration Guide, 53-1002484-04, page 602
Chapter 22: Configuring numbered and named ACLs
Parameters to bind standard ACLs to an interface
Use the ip access-group command to bind the ACL to an inbound interface, supplying the ACL number as <num>.
Configuring extended numbered ACLs
This section describes how to configure extended numbered ACLs.
• For configuration information on named ACLs, refer to “Configuring numbered and named
• For configuration information on standard ACLs, refer to “Configuring standard numbered
Extended ACLs let you permit or deny packets based on the following information:
• IP protocol
• Source IP address or host name
• Destination IP address or host name
• Source TCP or UDP port (if the IP protocol is TCP or UDP)
<wildcard>
Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the corresponding bits of the packet's source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
A wildcard is the inverse of a subnet mask, so do not enter a subnet mask in its place. By the rule above, 209.157.22.26 255.255.255.0 does not match the 209.157.22.x subnet: the ones in the first three octets mean any value matches there, so the entry matches every address whose last octet is 26, in any network, and the intended source check is ineffective.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.
If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with a subnet mask in the display produced by the show access-list command.
host <source-ip> | <hostname>
Specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
any
Use this parameter to configure the policy to match on all host addresses.
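The source-address rules above (wildcard versus CIDR entry, zeroing of the non-significant address bits, the implied 0.0.0.0 mask for host, and any) modeled in Python, as an added example that is not part of the Brocade guide or the device software. The names MatchSpec, parse_source and matches, and the plain-string input format, are assumptions; host-name sources are not modeled because they need DNS. The example also goes beyond the page's 0.0.0.255 case by handling a non-contiguous wildcard such as 0.0.255.0, which the ones-and-zeros rule permits but which has no CIDR equivalent.

```python
"""Model of how the BigIron RX CLI parses, normalizes and matches the
<source-ip> <wildcard> portion of an extended ACL entry.

Added example, not Brocade code. MatchSpec, parse_source and matches are
assumed names; host-name sources are not modeled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class MatchSpec:
    address: int   # base address with the non-significant bits cleared
    wildcard: int  # 0 bit = packet bit must match, 1 bit = any value matches

    def as_wildcard(self) -> str:
        """Form written to startup-config when CIDR display is off."""
        return f"{IPv4Address(self.address)} {IPv4Address(self.wildcard)}"

    def as_subnet_mask(self) -> str:
        """Form used by 'show access-list': address plus subnet mask."""
        return f"{IPv4Address(self.address)} {IPv4Address(self.wildcard ^ ALL_ONES)}"

    def as_cidr(self) -> Optional[str]:
        """Form written when CIDR display is on. None when the wildcard is not
        a contiguous run of low-order ones, because no /<mask-bits> exists."""
        if (self.wildcard + 1) & self.wildcard:
            return None
        return f"{IPv4Address(self.address)}/{32 - self.wildcard.bit_length()}"


def parse_source(spec: str) -> MatchSpec:
    """Accept 'any', 'host A.B.C.D', 'A.B.C.D W.X.Y.Z' or 'A.B.C.D/n' and
    normalize as the CLI does: a CIDR length becomes a wildcard, and address
    bits the wildcard marks as don't-care are zeroed."""
    tokens = spec.split()
    if tokens == ["any"]:
        return MatchSpec(0, ALL_ONES)
    if len(tokens) == 2 and tokens[0] == "host":
        return MatchSpec(int(IPv4Address(tokens[1])), 0)  # 0.0.0.0 implied
    if len(tokens) == 1 and "/" in tokens[0]:
        addr, bits = tokens[0].split("/", 1)
        prefix = int(bits)
        if not 0 <= prefix <= 32:
            raise ValueError(f"bad prefix length in {spec!r}")
        wildcard = (1 << (32 - prefix)) - 1
    elif len(tokens) == 2:
        addr, wildcard = tokens[0], int(IPv4Address(tokens[1]))
    else:
        raise ValueError(f"unrecognized source specification: {spec!r}")
    address = int(IPv4Address(addr)) & (wildcard ^ ALL_ONES)
    return MatchSpec(address, wildcard)


def matches(spec: MatchSpec, packet_source: str) -> bool:
    """True when every bit the wildcard marks as significant agrees."""
    diff = int(IPv4Address(packet_source)) ^ spec.address
    return diff & (spec.wildcard ^ ALL_ONES) == 0


if __name__ == "__main__":
    for text in ("209.157.22.26/24", "209.157.22.26 0.0.0.255",
                 "host 209.157.22.26", "any", "10.1.0.0 0.0.255.0"):
        s = parse_source(text)
        print(f"{text:26} -> {s.as_wildcard():32} cidr={s.as_cidr()}")
```

Running it prints both the wildcard and CIDR rendering of each specification, which is a quick way to confirm what a source entry copied from a running-config actually matches before binding the ACL with ip access-group. The check in as_cidr is the reason a mistyped subnet mask (255.255.255.0 in the wildcard position) has no clean CIDR form: its ones are not a contiguous low-order run.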
log
Configures the device to generate Syslog entries and SNMP traps for packets that are denied by the access policy. If you use the log argument, the ACL entry is sent to the CPU for processing rather than being handled in hardware, so apply it only to the entries you need to audit; a logged entry that matches a high rate of traffic loads the CPU. Refer to page 626 for more information.
You can enable logging on ACLs that support logging even when the ACLs are already in use. To do so, re-enter the ACL command and add the log parameter to the end of the ACL entry. The software replaces the ACL command with the new one. The new ACL, with logging enabled, takes effect immediately.