Configuring super ACLs – Brocade BigIron RX Series Configuration Guide


BigIron RX Series Configuration Guide, page 613, document 53-1002484-04
Chapter 22: Configuring numbered and named ACLs

[<operator> <destination-tcp/udp-port>] [match-all <tcp-flags>] [match-any <tcp-flags>] [<icmp-type>] [established] [precedence <name> | <num>]

Syntax: [no] ip access-list extended <string> | <num> deny | permit host <ip-protocol> any any [log]

Syntax: [no] ip access-group <num> in

The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs” on page 602.

Configuring super ACLs

This section describes how to configure super ACLs with numeric IDs.

For configuration information on named ACLs, refer to “Configuring standard or extended named ACLs” on page 611.

For configuration information on extended ACLs, refer to “Configuring extended numbered ACLs” on page 602.

Egress super ACLs are not supported on the RX-BI-16XG (16 x 10 GE) modules.

Super ACLs can match on fields in a Layer 2 or Layer 4 packet header. You can configure up to 99 super ACLs, using the number range 500 - 599. For the number of ACL entries supported on a BigIron RX, refer to “ACL IDs and entries” on page 595.

Super ACL syntax is keyword-based. You specify the conditions to match as keyword-value pairs.
Each keyword-value pair (called a “match-item”) specifies a field in the packet header (L2, L3 or L4)
to be checked, and gives the allowable value for this field. Fields not specified are called “don’t
care” fields, and are considered to be matched. The match-items may be specified in any order
with one exception: because of its variable length, tcp-flags must be specified as the last item in a
filter. The complete syntax of super ACLs is described in the next section.

NOTE

Super ACLs are not supported on management interfaces or outbound ACLs on RX-BI-16XG (16 x 10 GE) interfaces.

Super ACL filters

Some super ACL filters are shown in the following examples.

The following filter denies IPv4 TCP packets.

BigIron RX(config)#access-list 500 deny ip-protocol tcp

The following filter denies any packet with a source MAC address of 0000.0000.0011 (mask ffff.ffff.ffff) and a source IP address from 30.30.30.0 to 30.30.30.255.

BigIron RX(config)#access-list 500 deny src-mac 0000.0000.0011 ffff.ffff.ffff sip 30.30.30.0/24

The following filter denies any IPv4 packet passing through the interface.

BigIron RX(config)#access-list 500 deny any
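To make the match-item semantics above concrete (keyword-value pairs, unspecified fields treated as "don't care", tcp-flags forced to be the last item because of its variable length, IDs restricted to 500-599), here is an added Python model of a super ACL filter evaluator. It is not Brocade code and not the switch's parser; the keyword subset, the dictionary packet format, the "all listed tcp-flags must be set" reading, and the implicit deny when no filter matches are assumptions made for the example.

```python
import ipaddress

SUPER_ACL_IDS = range(500, 600)   # page: super ACLs use the number range 500-599
KEYWORDS = {"any", "ip-protocol", "src-mac", "sip", "tcp-flags"}   # assumed subset

def parse_mac(text):
    """'0000.0000.0011' -> int; used for both the MAC address and its mask."""
    return int(text.replace(".", ""), 16)

def parse_filter(line):
    """Parse 'access-list <500-599> deny|permit <match-items>' into (id, action, items)."""
    tok = line.split("#", 1)[-1].split()       # tolerate a 'BigIron RX(config)#' prompt
    if tok[0] != "access-list" or int(tok[1]) not in SUPER_ACL_IDS:
        raise ValueError("not a super ACL id (500-599)")
    items, i = {}, 3
    while i < len(tok):
        kw = tok[i]
        if kw == "any":                         # no value: every field is don't-care
            i += 1
        elif kw == "ip-protocol":
            items[kw] = tok[i + 1]; i += 2
        elif kw == "src-mac":                   # address followed by a bit mask
            items[kw] = (parse_mac(tok[i + 1]), parse_mac(tok[i + 2])); i += 3
        elif kw == "sip":
            items[kw] = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
        elif kw == "tcp-flags":                 # variable length: consumes the rest of the
            flags = tok[i + 1:]                 # line, which is why it must come last
            if KEYWORDS & set(flags):
                raise ValueError("tcp-flags must be the last match-item")
            items[kw] = set(flags); i = len(tok)
        else:
            raise ValueError(f"unknown keyword {kw}")
    return int(tok[1]), tok[2], items

def matches(items, pkt):
    """Every specified match-item must match; fields absent from the filter are don't-care."""
    for kw, want in items.items():
        if kw == "ip-protocol" and pkt.get("proto") != want:
            return False
        if kw == "src-mac" and (pkt.get("src_mac", 0) & want[1]) != (want[0] & want[1]):
            return False
        if kw == "sip" and ipaddress.ip_address(pkt.get("sip", "0.0.0.0")) not in want:
            return False
        if kw == "tcp-flags" and not want <= pkt.get("flags", set()):
            return False
    return True

def evaluate(lines, pkt):
    """First matching filter decides; assumption: no match means implicit deny."""
    for line in lines:
        _, action, items = parse_filter(line)
        if matches(items, pkt):
            return action
    return "deny"

# Constructed sample: the page's two example filters, with the first turned into a permit.
FILTERS = ["access-list 500 permit src-mac 0000.0000.0011 ffff.ffff.ffff sip 30.30.30.0/24",
           "access-list 500 deny ip-protocol tcp"]
```

Packets are plain dictionaries (src_mac as an integer, sip as a dotted string, proto as a name, flags as a set), so the evaluator can be run against any constructed traffic sample.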
