Configuring standard numbered ACLs, Standard ACL syntax – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide, 53-1002440-03, Chapter 2: Configuring numbered and named ACLs, page 55

Configuring standard numbered ACLs

This section describes how to configure standard numbered ACLs with numeric IDs.

For configuration information on named ACLs, refer to “Configuring standard or extended named ACLs” on page 62.

For configuration information on extended ACLs, refer to “Configuring extended numbered ACLs” on page 56.

Standard ACLs permit or deny packets based on source IP address. You can configure up to 99 standard ACLs. There is no limit to the number of ACL entries an ACL can contain except for the system-wide limitation. For the number of ACL entries supported on a device, refer to “ACL IDs and entries” on page 52.

To configure a standard ACL and apply it to outgoing traffic on port 1/1, enter the following commands.

ServerIronADX(config)# access-list 1 deny host 209.157.22.26
ServerIronADX(config)# access-list 1 deny 209.157.29.12
ServerIronADX(config)# access-list 1 deny host IPHost1
ServerIronADX(config)# access-list 1 permit any
ServerIronADX(config)# int eth 1/1
ServerIronADX(config-if-1/1)# ip access-group 1 in
ServerIronADX(config)# write memory

The commands in this example configure an ACL to deny packets from three source IP addresses
from being forwarded on port 1/1. The last ACL entry in this ACL permits all packets that are not
explicitly denied by the first three ACL entries.

Standard ACL syntax

Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard>
or
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname>

Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname>

Syntax: [no] access-list <num> deny | permit any

Syntax: [no] ip access-group <num> in | out

The <num> parameter is the access list number and can be from 1 – 99.

The deny | permit parameter indicates whether packets that match a policy in the access list are
denied (dropped) or permitted (forwarded).

The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.

NOTE: To specify the host name instead of the IP address, the host name must be configured using the Brocade device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.
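As an added illustration (not Brocade code and not part of this manual), the following Python evaluator applies the four standard-ACL source forms above to a source address with first-match semantics and the implicit deny at the end of every ACL. The RESOLVER table standing in for the device's DNS resolver and the wildcard-form ACL 2 entries are constructed for the example; ACL 1 is the section's own configuration.

```python
import ipaddress
# Constructed evaluator for the standard ACL forms above (not Brocade code);
# RESOLVER stands in for the device's DNS resolver and its contents are made up.
RESOLVER = {"IPHost1": "10.1.1.5"}
_resolve = lambda s: ipaddress.ip_address(RESOLVER.get(s, s))  # name or literal IP

def _matcher(spec):
    # Turn the source part of an entry into a predicate on a source address.
    if spec == ["any"]:
        return lambda ip: True
    if spec[0] == "host":                        # host <source-ip> | <hostname>
        target = _resolve(spec[1])
        return lambda ip: ip == target
    if "/" in spec[0]:                           # <source-ip>/<mask-bits>
        net = ipaddress.ip_network(spec[0], strict=False)
        return lambda ip: ip in net
    addr = int(_resolve(spec[0]))                # <source-ip> | <hostname> [<wildcard>]
    # A wildcard is an inverse mask: 0 bits must match, 1 bits are ignored.
    wild = int(ipaddress.ip_address(spec[1])) if len(spec) > 1 else 0
    return lambda ip: (int(ip) | wild) == (addr | wild)

def parse_acl(lines, num):
    """Collect the entries of access-list <num> from CLI lines, in order."""
    entries = []
    for line in lines:
        tokens = line.split("#", 1)[-1].split()  # drop a CLI prompt if present
        if tokens[:2] != ["access-list", str(num)]:
            continue
        action, spec = tokens[2], tokens[3:]
        entries.append((action, _matcher(spec)))
    return entries

def evaluate(entries, source):
    """First matching entry wins; an ACL ends with an implicit deny."""
    ip = ipaddress.ip_address(source)
    for action, matches in entries:
        if matches(ip):
            return action
    return "deny"

# The section's example entries plus a constructed wildcard-form ACL 2.
CONFIG = [
    "ServerIronADX(config)# access-list 1 deny host 209.157.22.26",
    "ServerIronADX(config)# access-list 1 deny 209.157.29.12",
    "ServerIronADX(config)# access-list 1 deny host IPHost1",
    "ServerIronADX(config)# access-list 1 permit any",
    "ServerIronADX(config)# access-list 2 deny 209.157.0.0 0.0.255.255",
    "ServerIronADX(config)# access-list 2 permit any",
]
ACL1, ACL2 = parse_acl(CONFIG, 1), parse_acl(CONFIG, 2)
```

Note that an entry with no wildcard (the second ACL 1 line) matches exactly one host, and that an ACL with no permit entry denies everything, since nothing reaches past the implicit deny.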
