Standard acl syntax – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Security Guide, 53-1003250-01, page 28
Chapter 2, Configuring numbered and named ACLs
The commands in this example configure an ACL to deny packets from three source IP addresses
from being forwarded on port 1/1. The last ACL entry in this ACL permits all packets that are not
explicitly denied by the first three ACL entries.

Standard ACL syntax

Syntax: [no] access-list num deny | permit source-ip | hostname wildcard

or

Syntax: [no] access-list num deny | permit source-ip/mask-bits | hostname

Syntax: [no] access-list num deny | permit host source-ip | hostname

Syntax: [no] access-list num deny | permit any

Syntax: [no] ip access-group num in

The num variable is the access list number and can be from 1 – 99.

The deny | permit parameter indicates whether packets that match a policy in the access list are
denied (dropped) or permitted (forwarded).

The source-ip variable specifies the source IP address. Alternatively, you can specify the host name.

NOTE

To specify the host name instead of the IP address, the host name must be configured using the
Brocade Virtual ADX device’s DNS resolver. To configure the DNS resolver name, use the ip dns
server-address… command at the global CONFIG level of the CLI.

The wildcard variable specifies the mask that the device applies when it compares a packet's source
address against the address given by the source-ip variable. The wildcard is a four-part value in
dotted-decimal notation (IP address format). Zero bits in the wildcard mean the corresponding bits of
the packet's source address must match source-ip; one bits mean any value matches. For example, the
source-ip and wildcard values 10.157.22.26 0.0.0.255 mean that all hosts in the 10.157.22.0/24 subnet
(10.157.22.x) match the policy.

If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after
the IP address, then enter the number of significant bits in the mask. For example, you can enter
the CIDR equivalent of “10.157.22.26 0.0.0.255” as “10.157.22.26/24”. The CLI automatically
converts the CIDR prefix length into the equivalent ACL wildcard (in which the significant bits are
zeros rather than ones) and clears the non-significant (host) portion of the IP address to zeros. For
example, if you specify 10.157.22.26/24 or 10.157.22.26 0.0.0.255, then save the changes to the
startup-config file, the value appears as 10.157.22.0/24 (if you have enabled display of subnet
lengths) or 10.157.22.0 0.0.0.255 in the startup-config file. Because the host bits are ignored,
10.157.22.26/24 and 10.157.22.0/24 define the same entry; check the stored form with show ip
access-list rather than relying on the address you typed.

If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file
in “/mask-bits” format. To enable the software to display the CIDR masks, enter the ip
show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to
configure the ACL entry regardless of whether the software is configured to display the masks in
CIDR format.
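The following Python is an added example, not Brocade code or anything from the Virtual ADX CLI. It shows how a standard ACL entry's source-ip and wildcard pair is evaluated against a packet's source address, how a CIDR prefix length maps onto a wildcard (and back, when the wildcard is contiguous), how the device normalizes the host bits of the address it stores, and how the stored form differs with and without ip show-subnet-length. The helper names are hypothetical, the sample ACL lines are constructed in the style of the page's example, and the implicit deny at the end of the list is the standard ACL behaviour the page's "permit any" entry exists to override.

```python
import ipaddress
from typing import List, Optional, Tuple

# Added example (not Brocade code). Helper names are hypothetical.

ALL_ONES = 0xFFFFFFFF


def wildcard_from_prefix(prefix_len: int) -> str:
    """Convert a CIDR prefix length (0..32) to an ACL wildcard mask.
    Zero bits in a wildcard must match and one bits are 'don't care',
    so the wildcard is the bitwise inverse of the subnet mask: /24 -> 0.0.0.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    subnet_mask = (ALL_ONES << (32 - prefix_len)) & ALL_ONES
    return str(ipaddress.IPv4Address(subnet_mask ^ ALL_ONES))


def prefix_from_wildcard(wildcard: str) -> Optional[int]:
    """Return the prefix length a wildcard is equivalent to, or None when the
    wildcard is not contiguous (e.g. 0.255.0.255 has no CIDR equivalent)."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ ALL_ONES
    ones = bin(mask).count("1")
    # a contiguous subnet mask is a run of ones followed by a run of zeros
    if mask != ((ALL_ONES << (32 - ones)) & ALL_ONES):
        return None
    return ones


def normalize_entry(source_ip: str, wildcard: str) -> str:
    """Clear the 'don't care' bits of source_ip, as the CLI does when it
    writes the entry to the config: 10.157.22.26 0.0.0.255 -> 10.157.22.0."""
    ip = int(ipaddress.IPv4Address(source_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(ip & ~w & ALL_ONES))


def render_source(source_ip: str, wildcard: str, cidr_display: bool) -> str:
    """Render the source as the saved config shows it: 'A.B.C.D/len' when
    subnet-length display is on and the wildcard is contiguous, otherwise
    'A.B.C.D W.W.W.W'. Either way the host bits are already cleared."""
    ip = normalize_entry(source_ip, wildcard)
    plen = prefix_from_wildcard(wildcard)
    if cidr_display and plen is not None:
        return f"{ip}/{plen}"
    return f"{ip} {wildcard}"


def parse_source(spec: str) -> Tuple[str, str]:
    """Parse the source part of a standard ACL entry into (ip, wildcard).
    Accepts 'any', 'host A.B.C.D', 'A.B.C.D/len' and 'A.B.C.D W.W.W.W'.
    Host names (which the device resolves via its DNS resolver) are not handled here."""
    parts = spec.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if len(parts) == 2 and parts[0] == "host":
        return parts[1], "0.0.0.0"
    if len(parts) == 1 and "/" in parts[0]:
        ip, plen = parts[0].split("/")
        return ip, wildcard_from_prefix(int(plen))
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"unrecognised source spec: {spec!r}")


def matches(packet_src: str, entry_ip: str, wildcard: str) -> bool:
    """A packet matches when every bit that is zero in the wildcard is equal
    in the packet's source address and the entry's address."""
    s = int(ipaddress.IPv4Address(packet_src))
    e = int(ipaddress.IPv4Address(entry_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return (s & ~w) == (e & ~w)


def evaluate(acl: List[str], packet_src: str) -> str:
    """Walk 'access-list num deny|permit <source>' lines in order and return
    the action of the first matching entry. Assumption: a packet that matches
    no entry is denied (the implicit deny that a trailing 'permit any' overrides)."""
    for line in acl:
        tokens = line.split()
        action, spec = tokens[2], " ".join(tokens[3:])
        ip, wildcard = parse_source(spec)
        if matches(packet_src, ip, wildcard):
            return action
    return "deny"


# Constructed sample ACL in the style of the page's example:
# three denies followed by a permit-any.
SAMPLE_ACL = [
    "access-list 1 deny host 10.157.22.26",
    "access-list 1 deny 10.157.29.12 0.0.0.0",
    "access-list 1 deny 10.157.30.0/24",
    "access-list 1 permit any",
]

if __name__ == "__main__":
    for src in ("10.157.22.26", "10.157.22.27", "10.157.30.77"):
        print(src, "->", evaluate(SAMPLE_ACL, src))
    print(render_source("10.157.22.26", "0.0.0.255", cidr_display=True))
    print(render_source("10.157.22.26", "0.0.0.255", cidr_display=False))
```

Note that prefix_from_wildcard returns None for a non-contiguous wildcard such as 0.255.0.255; such an entry can only be written in the source-ip wildcard form, which is why the CLI accepts both syntaxes even when subnet-length display is enabled.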

NOTE

If you use the CIDR format, the ACL entries appear in this format in the running-config and
startup-config files, but are shown with the subnet mask in the display produced by the show ip
access-list command.
