Creating an extended IP or IPv6 ACL – Brocade Network OS NETCONF Operations Guide v4.1.1 User Manual

Network OS NETCONF Operations Guide
53-1003231-02

Chapter 28: IP ACL

Creating an extended IP or IPv6 ACL

To create an extended IP or IPv6 ACL, perform the following steps.

1. Issue the <edit-config> RPC to configure the <ip-acl> or <ipv6-acl> node in the urn:brocade.com:mgmt:brocade-ip-access-list or urn:brocade.com:mgmt:brocade-ipv6-access-list namespace, respectively.

2. Under the <ip-acl> or <ipv6-acl> node, include the <ip> or <ipv6> node element.

3. Under the <ip> or <ipv6> node, include the <access-list>/<extended> hierarchy of node elements.

4. Under the <extended> node, include the <name> leaf element and set its value to the name of the ACL you want to configure.

5. Under the <extended> element, specify a <seq> list element node for each rule you want to add to the access list.

6. Under each <seq> node, include the following leaf elements.

a. In the <seq-id> element, set a sequence number for the rule. The sequence number identifies the rule and determines the order in which rules are applied (lowest <seq-id> first), so a broad rule placed at a low sequence number takes precedence over a more specific rule placed after it.

b. In the <action> element, specify "deny" to create a rule that drops traffic when the rule conditions are met, "permit" to create a rule that permits matching traffic, or "hard-drop" to create a rule that forces matching traffic to be dropped.

c. Additional elements that specify the source and destination hosts (a specific host or any host) and the source and destination ports for which traffic is permitted or denied.

For a complete list of <seq> node leaf elements, refer to the brocade-ip-access-list.yang file or the brocade-ipv6-access-list.yang file.

The following example creates an extended IP ACL named extdACL5 that includes the following rules. The <edit-config> targets the running datastore, so the rules take effect as soon as the RPC succeeds.

Rule 5 denies TCP traffic from host 10.24.26.145 bound for port 23 on any destination host.

Rule 7 denies TCP traffic from any source host bound for port 80 on any destination host.

Rule 10 denies UDP traffic from any source host bound for ports in the range 10 through 25 on any destination host.

<?xml version="1.0" encoding="UTF-8"?>
<rpc message-id="2409" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <ip-acl xmlns="urn:brocade.com:mgmt:brocade-ip-access-list">
        <ip>
          <access-list>
            <extended>
              <name>extdACL5</name>
              <seq>
                <seq-id>5</seq-id>
                <action>deny</action>
                <protocol-type>tcp</protocol-type>
                <src-host-any-sip>host</src-host-any-sip>
                <src-host-ip>10.24.26.145</src-host-ip>
                <dst-host-any-dip>any</dst-host-any-dip>
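The procedure above, worked through as an added Python example (this is not code from the guide or from Brocade). It builds the same <edit-config> payload for extdACL5 with all three rules, validates the rule set before anything is sent to the switch, and dry-runs the lowest-seq-id-first evaluation order against sample traffic. The element hierarchy, the two namespaces, the three action values and the seq-id, action, protocol-type, src-host-any-sip, src-host-ip and dst-host-any-dip leaves are taken from this page; the leaf names used for destination-host and destination-port matching (dst-host-ip, dport, dport-number-eq-neq-<protocol>, dport-number-range-lower-<protocol>, dport-number-range-higher-<protocol>) are assumptions and must be checked against brocade-ip-access-list.yang before use. The rule table and the sample addresses are constructed for the example.

```python
"""Build and dry-run a Brocade Network OS extended IP ACL <edit-config> payload.

Added example, not from the guide. Element names marked ASSUMED are not on the
page and must be verified against brocade-ip-access-list.yang.
"""
import ipaddress
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"          # from the guide
ACL_NS = "urn:brocade.com:mgmt:brocade-ip-access-list"     # from the guide
ACTIONS = ("deny", "permit", "hard-drop")                  # from the guide

# Constructed rule table matching the guide's description of extdACL5.
# dport: None (any port), an int (eq), or a (low, high) tuple (range).
EXTD_ACL5 = [
    {"seq_id": 5, "action": "deny", "protocol": "tcp", "src": "10.24.26.145", "dst": "any", "dport": 23},
    {"seq_id": 7, "action": "deny", "protocol": "tcp", "src": "any", "dst": "any", "dport": 80},
    {"seq_id": 10, "action": "deny", "protocol": "udp", "src": "any", "dst": "any", "dport": (10, 25)},
]


def validate_rules(rules):
    """Reject input the device would reject, or that would silently misorder rules."""
    seen = set()
    for r in rules:
        if r["action"] not in ACTIONS:
            raise ValueError(f"seq {r['seq_id']}: action must be one of {ACTIONS}")
        if r["seq_id"] in seen:
            raise ValueError(f"duplicate seq-id {r['seq_id']}")
        seen.add(r["seq_id"])
        for side in ("src", "dst"):
            if r[side] != "any":
                ipaddress.IPv4Address(r[side])  # raises ValueError on a malformed address
        dport = r.get("dport")
        if isinstance(dport, tuple) and dport[0] > dport[1]:
            raise ValueError(f"seq {r['seq_id']}: port range low > high")


def _leaf(parent, tag, text):
    elem = ET.SubElement(parent, tag)
    elem.text = str(text)
    return elem


def build_extended_acl(name, rules, message_id="2409"):
    """Return the <rpc><edit-config> XML string for an extended IP ACL."""
    validate_rules(rules)
    # xmlns is written as a plain attribute so the output matches the guide's layout.
    rpc = ET.Element("rpc", {"message-id": message_id, "xmlns": NC_NS})
    edit = ET.SubElement(rpc, "edit-config")
    ET.SubElement(ET.SubElement(edit, "target"), "running")
    config = ET.SubElement(edit, "config")
    acl = ET.SubElement(config, "ip-acl", {"xmlns": ACL_NS})
    ext = ET.SubElement(ET.SubElement(ET.SubElement(acl, "ip"), "access-list"), "extended")
    _leaf(ext, "name", name)
    # Emit in ascending seq-id order: that is the order the device applies them.
    for r in sorted(rules, key=lambda r: r["seq_id"]):
        seq = ET.SubElement(ext, "seq")
        _leaf(seq, "seq-id", r["seq_id"])
        _leaf(seq, "action", r["action"])
        _leaf(seq, "protocol-type", r["protocol"])
        _leaf(seq, "src-host-any-sip", "any" if r["src"] == "any" else "host")
        if r["src"] != "any":
            _leaf(seq, "src-host-ip", r["src"])
        _leaf(seq, "dst-host-any-dip", "any" if r["dst"] == "any" else "host")
        if r["dst"] != "any":
            _leaf(seq, "dst-host-ip", r["dst"])                     # ASSUMED leaf name
        dport = r.get("dport")
        if isinstance(dport, tuple):                                 # ASSUMED leaf names
            _leaf(seq, "dport", "range")
            _leaf(seq, f"dport-number-range-lower-{r['protocol']}", dport[0])
            _leaf(seq, f"dport-number-range-higher-{r['protocol']}", dport[1])
        elif dport is not None:                                      # ASSUMED leaf names
            _leaf(seq, "dport", "eq")
            _leaf(seq, f"dport-number-eq-neq-{r['protocol']}", dport)
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(rpc)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(rpc, encoding="unicode")


def first_match(rules, protocol, src, dst, dport):
    """Dry-run: (seq_id, action) of the lowest-seq-id rule matching the packet, else None.

    None means no rule matched; how the device treats such traffic is not stated
    on this page, so no default action is assumed here.
    """
    for r in sorted(rules, key=lambda r: r["seq_id"]):
        if r["protocol"] != protocol:
            continue
        if r["src"] != "any" and r["src"] != src:
            continue
        if r["dst"] != "any" and r["dst"] != dst:
            continue
        want = r.get("dport")
        if want is not None:
            lo, hi = want if isinstance(want, tuple) else (want, want)
            if not lo <= dport <= hi:
                continue
        return r["seq_id"], r["action"]
    return None


if __name__ == "__main__":
    print(build_extended_acl("extdACL5", EXTD_ACL5))
    print(first_match(EXTD_ACL5, "tcp", "10.24.26.145", "192.0.2.10", 23))  # (5, 'deny')
```

The returned string is what you would hand to a NETCONF client library (for example ncclient's edit_config against the running datastore). Running first_match over the traffic you intend to allow, before pushing the rule set, catches a broad low-numbered rule shadowing a more specific one.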
