Super ACL syntax – Brocade BigIron RX Series Configuration Guide User Manual

BigIron RX Series Configuration Guide, 53-1002484-04, page 614
Chapter 22: Configuring numbered and named ACLs

Super ACL syntax

Syntax: [no] access-list <num> deny | permit |
    any |
    log |
    src-mac <src-mac> <mask> |
    dst-mac <dst-mac> <mask> |
    vlan-id <vlan-id> |
    ip-pkt-len <pkt-len> |
    ip-fragment-match {[fragment [fragment-offset <0 - 8191>]] | [non-fragment] | [first-fragment]} |
    ip-protocol <ip-protocol> |
    sip {<source-ip>/<source-ip-mask-len> | host <hostname>} |
    dip {<destination-ip>/<destination-ip-len> | host <hostname>} |
    sp <operator> <source-tcp/udp-port> |
    dp <operator> <destination-tcp/udp-port> |
    icmp-detail <icmp-type-code> |
    dscp-matching <0 - 63> |
    802.1p-priority-matching <0 - 7> |
    ipsec-spi <00000000 - ffffffff> |
    qos-marking {[dscp <0 - 63> 802.1p-priority-marking <0 - 7> internal-priority-marking <0 - 7>] | [dscp <0 - 63> dscp-cos-mapping] | [use-packet-dscp dscp-cos-mapping]} |
    tcp-flags {[match-all <tcp flags>] | [match-any <tcp flags>] | [established]}

<tcp flags> = [{+|-}urg] [{+|-}ack] [{+|-}psh] [{+|-}rst] [{+|-}syn] [{+|-}fin]
<icmp-type-code> = <type> <code> | <well-known type/code>

Most of the keywords in this syntax are self-explanatory and work the same way as the corresponding
keywords in IPv4 and MAC ACLs. The QoS options are also similar to those in an IPv4 ACL; however, in a
super ACL the three QoS marking modes are grouped under the single keyword qos-marking to simplify the
syntax.
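As an added example (not Brocade's code and not taken from the guide), the following Python parser checks a super ACL statement against the grammar above, in the way a configuration lint run before an ACL change is pushed would: it enforces the 500 - 599 ACL ID range, the value ranges given for fragment-offset, dscp-matching, 802.1p-priority-matching and the qos-marking fields, the eight-hex-digit width of ipsec-spi, the three ip-fragment-match modes and the {+|-}flag form of tcp-flags. Everything the excerpt leaves unspecified is treated as an opaque token: the sp/dp operator, vlan-id, ip-pkt-len, ip-protocol, MAC addresses and masks, and well-known ICMP names. The explicit qos-marking form is read as requiring all three markings, as the grammar lists them together. The sample statements in the test and the operator spelling "eq" are constructed for illustration.

```python
import re

# Ranges and keyword forms come from the syntax block above; anything else is an assumption.
ACL_ID_RANGE = (500, 599)
FRAGMENT_MODES = ("fragment", "non-fragment", "first-fragment")
BOUNDED = {"dscp-matching": (0, 63), "802.1p-priority-matching": (0, 7)}
TCP_FLAG_RE = re.compile(r"^[+-](urg|ack|psh|rst|syn|fin)$")
CIDR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/(\d|[12]\d|3[0-2])$")
SPI_RE = re.compile(r"^[0-9a-fA-F]{8}$")


def _int_in(tok, lo, hi, name):
    """Return tok as an int if it lies within [lo, hi]; otherwise raise ValueError."""
    if not tok.isdigit() or not lo <= int(tok) <= hi:
        raise ValueError(f"{name}: expected {lo}-{hi}, got {tok!r}")
    return int(tok)


def _addr(tokens, i, name):
    """Parse 'host <hostname>' or '<ip>/<mask-len>' at tokens[i]; return (value, next index)."""
    if tokens[i] == "host":
        return ("host", tokens[i + 1]), i + 2
    if not CIDR_RE.match(tokens[i]):
        raise ValueError(f"{name}: expected <ip>/<mask-len> or host <hostname>, got {tokens[i]!r}")
    return ("prefix", tokens[i]), i + 1


def _qos(tokens, i):
    """Parse the three forms grouped under qos-marking; return (dict, next index)."""
    if tokens[i] == "use-packet-dscp" and tokens[i + 1] == "dscp-cos-mapping":
        return {"mode": "use-packet-dscp"}, i + 2
    if tokens[i] != "dscp":
        raise ValueError(f"qos-marking: unexpected {tokens[i]!r}")
    qos, i = {"dscp": _int_in(tokens[i + 1], 0, 63, "qos-marking dscp")}, i + 2
    if i < len(tokens) and tokens[i] == "dscp-cos-mapping":
        return {**qos, "mode": "dscp-cos-mapping"}, i + 1
    # Explicit form: the grammar lists all three markings together, so both extra markings are required.
    for kw in ("802.1p-priority-marking", "internal-priority-marking"):
        if i >= len(tokens) or tokens[i] != kw:
            raise ValueError(f"qos-marking: expected {kw}")
        qos[kw], i = _int_in(tokens[i + 1], 0, 7, kw), i + 2
    return {**qos, "mode": "explicit"}, i


def parse_super_acl(line):
    """Parse one super ACL statement into a dict; raise ValueError on a syntax or range error."""
    tokens = line.split()
    i = 1 if tokens[:1] == ["no"] else 0
    if len(tokens) < i + 3 or tokens[i] != "access-list" or tokens[i + 2] not in ("deny", "permit"):
        raise ValueError("expected '[no] access-list <num> deny|permit ...'")
    stmt = {"negate": i == 1, "num": _int_in(tokens[i + 1], *ACL_ID_RANGE, "ACL ID"),
            "action": tokens[i + 2], "clauses": {}}
    c, i = stmt["clauses"], i + 3
    try:
        while i < len(tokens):
            kw = tokens[i]
            if kw in ("any", "log"):
                c[kw], i = True, i + 1
            elif kw in ("src-mac", "dst-mac", "sp", "dp"):      # <addr> <mask> or <operator> <port>
                c[kw], i = (tokens[i + 1], tokens[i + 2]), i + 3
            elif kw == "icmp-detail" and tokens[i + 1].isdigit():  # numeric <type> <code>
                c[kw], i = (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
            elif kw in ("vlan-id", "ip-pkt-len", "ip-protocol", "icmp-detail"):  # single opaque value
                c[kw], i = tokens[i + 1], i + 2
            elif kw == "ip-fragment-match":
                if tokens[i + 1] not in FRAGMENT_MODES:
                    raise ValueError(f"ip-fragment-match: unexpected {tokens[i + 1]!r}")
                c[kw], i = {"mode": tokens[i + 1]}, i + 2
                if c[kw]["mode"] == "fragment" and tokens[i:i + 1] == ["fragment-offset"]:
                    c[kw]["offset"], i = _int_in(tokens[i + 1], 0, 8191, "fragment-offset"), i + 2
            elif kw in ("sip", "dip"):
                c[kw], i = _addr(tokens, i + 1, kw)
            elif kw in BOUNDED:
                c[kw], i = _int_in(tokens[i + 1], *BOUNDED[kw], kw), i + 2
            elif kw == "ipsec-spi":
                if not SPI_RE.match(tokens[i + 1]):
                    raise ValueError(f"ipsec-spi: expected 8 hex digits, got {tokens[i + 1]!r}")
                c[kw], i = int(tokens[i + 1], 16), i + 2
            elif kw == "qos-marking":
                c[kw], i = _qos(tokens, i + 1)
            elif kw == "tcp-flags":
                mode, i, flags = tokens[i + 1], i + 2, []
                while mode in ("match-all", "match-any") and i < len(tokens) and TCP_FLAG_RE.match(tokens[i]):
                    flags.append(tokens[i])
                    i += 1
                if mode not in ("established", "match-all", "match-any") or (mode != "established" and not flags):
                    raise ValueError("tcp-flags: expected established, or match-all/match-any with +/-flags")
                c[kw] = {"mode": mode, "flags": flags}
            else:
                raise ValueError(f"unknown keyword {kw!r}")
    except IndexError:
        raise ValueError(f"missing argument after {tokens[-1]!r}") from None
    return stmt


def lint(line):
    """Return None if the statement is well-formed, else the error message (usable as a config lint)."""
    try:
        parse_super_acl(line)
        return None
    except ValueError as err:
        return str(err)
```

Running lint() over each access-list line of a candidate configuration before it is applied catches out-of-range IDs, priorities and fragment offsets, and truncated clauses, which the device would otherwise reject at the CLI one line at a time.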

General parameters for super ACLs

The following parameters apply to super ACLs:

num

The ACL ID. Enter 500 – 599 for super ACLs.

deny | permit

Enter deny if the packets that match the policy are to be dropped; permit if they are
to be forwarded.

any

Matches any packet.

log

Enables logging for denied packets. ACL logging is disabled by default; it must be
explicitly enabled on a port.
NOTE: Logging is not currently supported on management interfaces.

src-mac

Specifies the source MAC address for the policy. Alternatively, you can specify the
host name. If you want the policy to match on all source addresses, enter any.

dst-mac

Specifies the destination MAC address for the policy. Alternatively, you can specify
the host name. If you want the policy to match on all destination addresses, enter
any.

NOTE: To specify the host name instead of the IP address, the host name must be configured using the
ip dns server-address… command at the global CONFIG level of the CLI.

vlan-id

Specifies the VLAN ID.
