Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual
53-1003098-01
deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host
<DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
from-vlan <VLAN-ID>
Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs
identified here are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs
separated by a hyphen (for example, 12-20).
Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified
host are dropped.
• <SOURCE-HOST-IP> – Specify the source host’s exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified
destinations are dropped.
<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses
identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (the alias must already exist and
be configured).
any
Specifies the destination as any IP address. ICMP packets addressed to any destination are dropped.
host <DEST-HOST-IP>
Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the
specified host are dropped.
• <DEST-HOST-IP> – Specify the destination host’s exact IP address in the A.B.C.D format.
<ICMP-TYPE>
Defines the ICMP packet type
For example, an ICMP type 0 indicates it is an ECHO REPLY, and type 8 indicates it is an ECHO.
<ICMP-CODE>
Defines the ICMP message type
For example, an ICMP code 3 indicates “Destination Unreachable”, code 1 indicates “Host Unreachable”, and
code 3 indicates “Port Unreachable.”
After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code,
specify the action taken in case of a match.
log
Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP
packet is received from a specified IP address and/or is destined for a specified IP address), an event is
logged.
rule-precedence <1-5000>
rule-description <LINE>
The following keywords are recursive and common to all of the above parameters:
• rule-precedence – Assigns a precedence for this deny rule
  • <1-5000> – Specify a value from 1 - 5000.
• rule-description – Optional. Configures a description for this deny rule. Provide a description that
uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
ip
Applies this deny rule to IP packets only
<SOURCE-IP/MASK>
Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified
networks are dropped.
<NETWORK-GROUP-ALIAS-NAME>
Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses
identified by the network-group alias are dropped.
• <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (the alias must already exist and
be configured).
any
Specifies the source as any IP address. IP packets received from any source are dropped.
from-vlan <VLAN-ID>
Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified
VLANs are dropped.
• <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs
separated by a hyphen (for example, 12-20).
Use this option with WLANs and port ACLs.
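The constraints listed above for the deny ip form (A.B.C.D and A.B.C.D/M formats, hyphenated VLAN ranges, existing network-group aliases, rule-precedence 1-5000, rule-description up to 128 characters) can be checked before a rule is pushed to a controller. The following pre-deployment lint is an added example, not code from the Brocade guide or product; the function names are hypothetical, and it assumes that every rule carries a rule-precedence and that VLAN IDs fall in the 802.1Q range 1-4094.

```python
import ipaddress

def _endpoint(tok, i, aliases, is_source, errs):
    """Check the source/destination spec at tok[i]; return the next index."""
    side = "source" if is_source else "destination"
    word = tok[i] if i < len(tok) else ""
    nxt = tok[i + 1] if i + 1 < len(tok) else ""
    if word == "any":
        return i + 1
    if word == "host":
        try:
            ipaddress.IPv4Address(nxt)
        except ValueError:
            errs.append(f"{side}: host needs an exact A.B.C.D address")
        return i + 2
    if word == "from-vlan" and is_source:
        lo, _, hi = nxt.partition("-")
        hi = hi or lo
        # 1-4094 is the usable 802.1Q VLAN range (assumption, not from the guide).
        if not (lo.isdecimal() and hi.isdecimal() and 1 <= int(lo) <= int(hi) <= 4094):
            errs.append("source: from-vlan needs a VLAN ID or a start-end range")
        return i + 2
    if "/" in word:
        try:
            ipaddress.IPv4Network(word, strict=False)
        except ValueError:
            errs.append(f"{side}: {word!r} is not a valid A.B.C.D/M")
    elif word not in aliases:
        errs.append(f"{side}: network-group alias {word!r} is not configured")
    return i + 1

def lint_deny_ip(line, aliases=frozenset()):
    """Return the problems found in one 'deny ip' rule (empty list = clean)."""
    tok, errs = line.split(), []
    if tok[:2] != ["deny", "ip"]:
        return ["not a 'deny ip' rule"]
    i = _endpoint(tok, 2, aliases, True, errs)
    i = _endpoint(tok, i, aliases, False, errs)
    opts = tok[i:]
    if "rule-description" in opts:          # <LINE> runs to the end of the rule
        k = opts.index("rule-description")
        desc, opts = " ".join(opts[k + 1:]).strip('"'), opts[:k]
        if not 1 <= len(desc) <= 128:
            errs.append("rule-description must be 1-128 characters")
    prec = opts[opts.index("rule-precedence") + 1:][:1] if "rule-precedence" in opts else []
    # Assumption: every rule carries a rule-precedence.
    if not (prec and prec[0].isdecimal() and 1 <= int(prec[0]) <= 5000):
        errs.append("rule-precedence must be a value from 1 to 5000")
    return errs
```

Pass the set of network-group aliases already configured on the device as the second argument; any other bare token in a source or destination position is reported as an unconfigured alias.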