Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual


Brocade Mobility RFS Controller CLI Reference Guide    899    53-1003098-01    12

deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>]
     [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>]
     [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>]
     (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

log

Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. a packet
(EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a
specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

rule-precedence – Assigns a precedence for this deny rule

<1-5000> – Specify a value from 1 - 5000.

The lower the precedence value, the higher the priority: a rule with precedence 3 takes priority over a rule with
precedence 10.

rule-description – Optional. Configures a description for this deny rule. Provide a description that
uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

tcp

Applies this deny rule to TCP packets only

udp

Applies this deny rule to UDP packets only

<SOURCE-IP/MASK>

This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the
specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>

This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the VLANs
identified here are dropped.

<NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (it must already exist and be
configured).

After specifying the source and destination IP address(es), specify the action taken in case of a match.

any

This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the source as any IP address. TCP/UDP packets received from any source are dropped.

from-vlan <VLAN-ID>

This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies a single VLAN or a range of VLANs as the match criteria. TCP/UDP packets received from the VLANs
identified here are dropped.

<VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs
separated by a hyphen (for example, 12-20).

Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. TCP/UDP packets received from the
specified host are dropped.

<SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Sets the destination IP address and mask (A.B.C.D/M) to match. TCP/UDP packets addressed to the
specified destinations are dropped.

any

This keyword is common to the ‘tcp’ and ‘udp’ parameters.
Specifies the destination as any IP address. TCP/UDP packets addressed to any destination are
dropped.

eq <SOURCE-PORT>

Identifies a specific source port

<SOURCE-PORT> – Specify the exact source port.
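As an added example (not Brocade code and not taken from this guide), the following Python models how a controller could parse and evaluate deny rules written in the syntax above: rules are ordered by rule-precedence so that the lowest value wins, from-vlan accepts a single ID or a hyphenated range such as 12-20, host and A.B.C.D/M selectors are checked with the ipaddress module, the 1-5000 precedence range and the 128-character description limit are enforced, and a winning rule that carries log emits one event. The Packet type, the sample rule lines, the service-name-to-port table and the parse order (source selector, optional eq source port, destination selector, optional eq/range destination port) are assumptions made for this example; network-group aliases are not modelled.

```python
import ipaddress
from collections import namedtuple

# Service keywords from the syntax line mapped to ports (assumed IANA numbers; not from the page).
SERVICE_PORTS = {"bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gopher": 70,
                 "https": 443, "ldap": 389, "nntp": 119, "ntp": 123, "pop3": 110,
                 "sip": 5060, "smtp": 25, "ssh": 22, "telnet": 23, "tftp": 69, "www": 80}

# src/dst: ip_network, ("vlan", lo, hi) for from-vlan (src only), or None for any.
# sport/dport: (lo, hi) tuple or None for any port. precedence: 1-5000, lower value wins.
DenyRule = namedtuple("DenyRule", "proto src sport dst dport precedence log description")
Packet = namedtuple("Packet", "proto src dst sport dport vlan")  # hypothetical packet summary; vlan = ingress VLAN

def _parse_endpoint(t, i):
    """Parse one address selector at t[i]; network-group aliases are not modelled."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":                      # exact host address, i.e. a /32
        return ipaddress.ip_network(t[i + 1]), i + 2
    if t[i] == "from-vlan":                 # single VLAN "12" or a range "12-20"
        lo, _, hi = t[i + 1].partition("-")
        return ("vlan", int(lo), int(hi or lo)), i + 2
    if "/" in t[i]:                         # A.B.C.D/M
        return ipaddress.ip_network(t[i], strict=False), i + 1
    raise ValueError("unsupported selector: " + t[i])

def _parse_port(t, i):
    """Optional 'eq <port|service>' or 'range <start> <end>' at t[i]."""
    if i < len(t) and t[i] == "eq":
        p = SERVICE_PORTS.get(t[i + 1]) or int(t[i + 1])
        return (p, p), i + 2
    if i < len(t) and t[i] == "range":
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_deny(line):
    """Parse one 'deny tcp|udp ...' line, enforcing the 1-5000 and 128-character limits."""
    t = line.split()
    if t[:1] != ["deny"] or t[1:2] not in (["tcp"], ["udp"]):
        raise ValueError("only 'deny tcp|udp' rules are handled here")
    src, i = _parse_endpoint(t, 2)
    sport, i = _parse_port(t, i)            # optional 'eq <SOURCE-PORT>' after the source
    dst, i = _parse_endpoint(t, i)
    dport, i = _parse_port(t, i)
    log, prec, desc = False, None, ""
    while i < len(t):
        if t[i] == "log":
            log, i = True, i + 1
        elif t[i] == "rule-precedence":
            prec, i = int(t[i + 1]), i + 2
        elif t[i] == "rule-description":    # <LINE> is everything to the end of the line
            desc, i = " ".join(t[i + 1:]), len(t)
        else:
            raise ValueError("unexpected keyword: " + t[i])
    if prec is None or not 1 <= prec <= 5000:
        raise ValueError("rule-precedence must be 1-5000")
    if len(desc) > 128:
        raise ValueError("rule-description must not exceed 128 characters")
    return DenyRule(t[1], src, sport, dst, dport, prec, log, desc)

def _addr_ok(sel, addr, vlan):
    if sel is None:
        return True
    if isinstance(sel, tuple):              # from-vlan: match on the ingress VLAN
        return sel[1] <= vlan <= sel[2]
    return ipaddress.ip_address(addr) in sel

def _port_ok(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def rule_matches(rule, pkt):
    return (rule.proto == pkt.proto
            and _addr_ok(rule.src, pkt.src, pkt.vlan) and _port_ok(rule.sport, pkt.sport)
            and _addr_ok(rule.dst, pkt.dst, pkt.vlan) and _port_ok(rule.dport, pkt.dport))

def evaluate(rules, pkt, events):
    """Return the matching rule with the lowest precedence value (or None); append a log event if it carries 'log'."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule_matches(rule, pkt):
            if rule.log:
                events.append("deny precedence=%d %s %s:%d -> %s:%d %s" % (
                    rule.precedence, pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport, rule.description))
            return rule
    return None

# Constructed rule lines (sample data, not taken from the guide).
RULES = [parse_deny(l) for l in """
deny tcp any any eq telnet log rule-precedence 10 rule-description Log and drop cleartext telnet
deny udp from-vlan 12-20 any eq tftp rule-precedence 20 rule-description No TFTP from guest VLANs
deny tcp host 10.1.1.5 192.168.0.0/16 range 1024 65535 rule-precedence 5
deny tcp 10.1.0.0/16 any eq 23 rule-precedence 30
""".strip().splitlines()]

if __name__ == "__main__":
    events = []
    hit = evaluate(RULES, Packet("tcp", "10.1.9.9", "8.8.8.8", 50000, 23, 1), events)
    print(hit.precedence, events)           # rule 10 wins over rule 30 and logs the drop
```

The telnet packet in the usage call matches both the precedence-10 rule and the precedence-30 rule; because the lower value is evaluated first, the precedence-10 rule wins and, since it carries log, a single event is recorded. A TFTP packet arriving on VLAN 21 falls outside the 12-20 range and matches nothing, which is the kind of off-by-one a reviewer checks when a VLAN range is written into a deny rule.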
