Brocade BigIron RX Series Configuration Guide User Manual


BigIron RX Series Configuration Guide

53-1002484-04

Configuring numbered and named ACLs

The <string> parameter is the ACL name. You can specify a string of up to 255 alphanumeric
characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for
example, “ACL for Net1”). The <num> parameter allows you to specify an ACL number if you prefer.
If you specify a number, you can specify from 1 – 99 for standard ACLs or 100 – 199 for extended
ACLs.

NOTE

For convenience, the software allows you to configure numbered ACLs using the syntax for named
ACLs. The software also still supports the older syntax for numbered ACLs. Although the software
allows both methods for configuring numbered ACLs, numbered ACLs are always written to the
startup-config and running-config files using the older syntax, as follows.

access-list 1 deny host 209.157.22.26 log
access-list 1 deny 209.157.22.0 0.0.0.255 log
access-list 1 permit any
access-list 101 deny tcp any any eq http log
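As an added illustration (not from the guide), a small Python model of how the standard numbered ACL lines above are matched: entries are evaluated in configuration order, the first match decides, and a set bit in the wildcard mask marks an address bit that does not matter. The parser and its names are my own; the implicit deny when nothing matches is standard ACL behaviour that this page does not itself state.

```python
import ipaddress

# Constructed sample: the numbered standard ACL shown above, in running-config format.
SAMPLE_ACL = """
access-list 1 deny host 209.157.22.26 log
access-list 1 deny 209.157.22.0 0.0.0.255 log
access-list 1 permit any
"""

def parse_address(tokens):
    """Parse 'any', 'host <ip>' or '<ip> <wildcard>'; return (addr, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return addr, wildcard, tokens[2:]

def parse_standard_acl(text):
    """Parse 'access-list <1-99> permit|deny <source> [log]' lines into ordered entries."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        acl_id, action = int(tokens[1]), tokens[2]
        if not 1 <= acl_id <= 99 or action not in ("permit", "deny"):
            raise ValueError(f"not a standard ACL entry: {line!r}")
        addr, wildcard, rest = parse_address(tokens[3:])
        entries.append({"id": acl_id, "action": action, "addr": addr,
                        "wildcard": wildcard, "log": "log" in rest})
    return entries

def evaluate(entries, src_ip):
    """First matching entry wins; returns (action, entry number, log flag).
    A wildcard bit of 1 means 'don't care'. No match falls through to an
    implicit deny (standard ACL behaviour, not stated on this page)."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for n, e in enumerate(entries, start=1):
        care = ~e["wildcard"] & 0xFFFFFFFF
        if (ip & care) == (e["addr"] & care):
            return e["action"], n, e["log"]
    return "deny", None, False

if __name__ == "__main__":
    acl = parse_standard_acl(SAMPLE_ACL)
    for ip in ("209.157.22.26", "209.157.22.100", "10.1.1.1"):
        print(ip, evaluate(acl, ip))
```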

The options at the ACL configuration level and the syntax for the ip access-group command are the
same for numbered and named ACLs and are described in “Configuring standard numbered ACLs” on page 600.

Configuration example for extended ACL

To configure a named extended ACL entry, enter commands such as the following.

BigIron RX(config)# ip access-list extended block_telnet
BigIron RX(config-ext-nacl)# deny tcp host 209.157.22.26 any eq telnet log
BigIron RX(config-ext-nacl)# permit ip any any
BigIron RX(config-ext-nacl)# exit
BigIron RX(config)# interface ethernet 1/1
BigIron RX(config-if-e10000-1/1)# ip access-group block_telnet in

Syntax: [no] ip access-list extended <string> | <num> deny | permit <ip-protocol>
<source-ip> | <hostname> <wildcard>
[<operator> <source-tcp/udp-port>]
<destination-ip> | <hostname> <wildcard>
[<operator> <destination-tcp/udp-port>]
[match-all <tcp-flags>] [match-any <tcp-flags>]
[<icmp-type>] [established] [precedence <name> | <num>]
[tos <number>] [dscp-matching <number>]
[802.1p-priority-matching <number>]
[dscp-marking <number> 802.1p-priority-marking <number> internal-priority-marking <number>]
[dscp-marking <number> dscp-cos-mapping]
[dscp-cos-mapping]
[fragment] [non-fragment] [first-fragment]
[fragment-offset <number>]
[spi <00000000 - ffffffff>] [log]

The 16 x 10 GE module only supports the following extended named ACL syntax.

Syntax: [no] ip access-list extended <string> | <num> deny | permit <ip-protocol>
<source-ip> | <hostname> <wildcard>
[<operator> <source-tcp/udp-port>]
<destination-ip> | <hostname> <wildcard>
