Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

53-1003098-01

deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp]
    [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>]
    [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
    (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified
host are dropped.

<SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified
networks are dropped.

any

Specifies the destination as any IP address. IP packets addressed to any destination are dropped.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified
host are dropped.

<DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. IP packets destined for addresses identified
by the network-group alias are dropped.

<NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and
configured).

log

Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet
is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000>
rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

rule-precedence – Assigns a precedence for this deny rule.

<1-5000> – Specify a value from 1 - 5000.

The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with
precedence 10.

rule-description – Optional. Configures a description for this deny rule. Provide a description that
uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
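To make the precedence ordering concrete, the following is an added example (not code from the Brocade guide or the controller itself) that parses rules written in the deny proto syntax above and checks a packet against them, lowest precedence value first. It models only <IP/MASK>, any and host addresses; network-group aliases and from-vlan are assumed out of scope, and the protocol numbers for igp, ospf and vrrp are taken from the IANA registry rather than this page.

```python
import ipaddress

# Protocol keywords accepted by 'deny proto', with their IANA protocol numbers.
# eigrp/gre/igmp numbers are stated on this page; igp/ospf/vrrp are from IANA.
PROTO_NUMBERS = {"igmp": 2, "igp": 9, "gre": 47, "eigrp": 88, "ospf": 89, "vrrp": 112}


def parse_deny_proto(line):
    """Parse one 'deny proto ...' rule line (constructed syntax subset:
    addresses are <IP/MASK>, 'any' or 'host <IP>'; aliases not modelled)."""
    tok = line.split()
    if tok[:2] != ["deny", "proto"]:
        raise ValueError("not a 'deny proto' rule")
    proto = PROTO_NUMBERS.get(tok[2]) or int(tok[2])  # keyword or IANA number
    pos = 3

    def take_address():
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return ipaddress.ip_network("0.0.0.0/0")
        if tok[pos] == "host":  # exact host address, A.B.C.D
            pos += 2
            return ipaddress.ip_network(tok[pos - 1] + "/32")
        pos += 1
        return ipaddress.ip_network(tok[pos - 1], strict=False)

    rule = {"proto": proto, "src": take_address(), "dst": take_address(),
            "log": False, "precedence": None, "description": ""}
    while pos < len(tok):
        if tok[pos] == "log":
            rule["log"], pos = True, pos + 1
        elif tok[pos] == "rule-precedence":
            rule["precedence"], pos = int(tok[pos + 1]), pos + 2
        elif tok[pos] == "rule-description":  # free text runs to end of line
            rule["description"] = " ".join(tok[pos + 1:])
            break
        else:
            raise ValueError("unexpected token %r" % tok[pos])
    if rule["precedence"] is None or not 1 <= rule["precedence"] <= 5000:
        raise ValueError("rule-precedence must be 1-5000")
    return rule


def evaluate(rules, proto, src_ip, dst_ip):
    """Check a packet against deny rules in ascending precedence order
    (lower value = higher priority). Returns (action, logged, precedence)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(rules, key=lambda r: r["precedence"]):
        if r["proto"] == proto and src in r["src"] and dst in r["dst"]:
            return ("deny", r["log"], r["precedence"])
    return ("no-match", False, None)  # falls through to the ACL's other rules
```

Note that only the first matching rule decides the result, so a broad rule such as deny proto gre any any with a low precedence value silently shadows any narrower rule given a higher value.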

proto

Configures the ACL for additional protocols.
Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.

<PROTOCOL-NUMBER>

Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number.

<PROTOCOL-NUMBER> – Specify the protocol number.

<PROTOCOL-NAME>

Filters protocols using their IANA protocol name.

<PROTOCOL-NAME> – Specify the protocol name.

eigrp

Identifies the Enhanced Internet Gateway Routing Protocol (EIGRP) protocol (number 88).
EIGRP enables routers to maintain copies of neighbors’ routing tables. Routers use this information to
determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it
sends a query to its neighbors, who in turn query their neighbors until a route is found. EIGRP also enables
routers to inform neighbors of changes in their routing tables.

gre

Identifies the General Routing Encapsulation (GRE) protocol (number 47).
GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DECnet, etc.) over an IP
network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.

igmp

Identifies the Internet Group Management Protocol (IGMP) protocol (number 2).
IGMP establishes and maintains multicast group memberships for interested members. Multicasting allows a
networked computer to send content to multiple computers that have registered to receive the content. IGMP
snooping listens to IGMP traffic between an IGMP host and routers in the network to maintain a map of the
links that require multicast streams. Multicast traffic is filtered out for those links that do not require it.
