Brocade BigIron RX Series Configuration Guide User Manual

BigIron RX Series Configuration Guide, 53-1002484-04, page 605

Configuring numbered and named ACLs

Syntax: [no] access-list <num> deny | permit <ip-protocol>
    <source-ip> | <hostname> <wildcard>
    [<operator> <source-tcp/udp-port>]
    <destination-ip> | <hostname> <wildcard>
    [<operator> <destination-tcp/udp-port>]
    [match-all <tcp-flags>] [match-any <tcp-flags>]
    [<icmp-type>] [established] [precedence <name> | <num>]
    [tos <number>] [dscp-matching <number>]
    [802.1p-priority-matching <number>]
    [dscp-marking <number> 802.1p-priority-marking <number> internal-priority-marking <number>] | [dscp-marking <number> dscp-cos-mapping] | [dscp-cos-mapping]
    [fragment] [non-fragment] [first-fragment]
    [fragment-offset <number>]
    [spi <00000000 - ffffffff>] [log]

Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log]

Syntax: [no] ip access-group <num> in

The 16 x 10 GE module supports only the following extended ACL syntax.

Syntax: [no] ip access-list <num> deny | permit <ip-protocol>
    <source-ip> | <hostname> <wildcard>
    [<operator> <source-tcp/udp-port>]
    <destination-ip> | <hostname> <wildcard>
    [<operator> <destination-tcp/udp-port>]
    [match-all <tcp-flags>] [match-any <tcp-flags>]
    [<icmp-type>] [established] [precedence <name> | <num>]

General parameters for extended ACLs

The following parameters apply to any extended ACL you are creating.

<num>

Enter 100 – 199 for a super ACL.

deny | permit

Enter deny if the packets that match the policy are to be dropped; permit if they are
to be forwarded.

any

log

Add this parameter to the end of an ACL statement to enable the generation of SNMP traps and Syslog messages for packets denied by the ACL. You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one. The new ACL or filter, with logging enabled, takes effect immediately.

NOTE: Logging must be enabled on the interface to which the ACL is bound before SNMP traps and Syslog messages can be generated, even if the log parameter is entered. Refer to “ACL logging” on page 626.

src-mac <src-mac> <mask>

Specify the source MAC host for the policy. If you want the policy to match on all source addresses, enter any.
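As an added example (not from the Brocade manual), the following Python script parses configuration lines written in the access-list syntax above and flags what this section calls out: an ACL number outside 100–199 and a deny entry entered without log (no trap or Syslog for the drop). It assumes the port operators eq, neq, lt, gt and range and the address forms any, host <ip> and <ip> <wildcard>; the sample configuration is constructed.

```python
import re
# Assumed port-operator set (the manual shows only "<operator> <port>"): keyword -> argument count.
PORT_OPERATORS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}

def _take_address(tokens):
    """Consume one address term: "any", "host <ip>" or "<ip> <wildcard>"."""
    if tokens and tokens[0] == "any":
        return "any", tokens[1:]
    return " ".join(tokens[:2]), tokens[2:]  # "host <ip>" or "<ip> <wildcard>"

def _skip_port(tokens):
    """Drop an optional <operator> <port...> clause that follows an address."""
    if tokens and tokens[0] in PORT_OPERATORS:
        return tokens[1 + PORT_OPERATORS[tokens[0]]:]
    return tokens

def parse_acl_line(line):
    """Return a dict for one access-list entry, or None for any other config line."""
    m = re.match(r"^\s*(?:no\s+)?access-list\s+(\d+)\s+(deny|permit)\s+(\S+)\s*(.*)$", line)
    if not m:
        return None
    src, tokens = _take_address(m.group(4).split())
    dst, tokens = _take_address(_skip_port(tokens))
    return {"num": int(m.group(1)), "action": m.group(2), "proto": m.group(3),
            "src": src, "dst": dst, "flags": set(_skip_port(tokens))}

def audit_acl_config(config_text):
    """Parse every access-list line and return (entries, findings)."""
    entries, findings = [], []
    for line in config_text.splitlines():
        e = parse_acl_line(line)
        if e is None:
            continue
        entries.append(e)
        if not 100 <= e["num"] <= 199:
            findings.append((e["num"], "number outside the 100-199 range given above"))
        if e["action"] == "deny" and "log" not in e["flags"]:
            findings.append((e["num"], "deny entry without 'log': no trap or Syslog on drop"))
        if e["action"] == "permit" and e["proto"] == "ip" and e["src"] == e["dst"] == "any":
            findings.append((e["num"], "permit ip any any: overly broad entry"))
    return entries, findings

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 22 established
access-list 101 deny tcp any host 10.1.1.5 eq 23
access-list 101 deny ip any any log
access-list 201 permit ip any any
"""
```

Running audit_acl_config(SAMPLE_CONFIG) reports the deny entry in ACL 101 that lacks log and the two problems with entry 201; the entry parsed from the line that carries log produces no finding.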
