Configuring the acls – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Page 141

Advertising
background image

Brocade ICX 6650 Security Configuration Guide

121

53-1002601-01

Policy Based Routing

Configure a route map that matches on the ACLs and sets the route information.

Apply the route map to an interface.

Configuring the ACLs

PBR uses route maps to change the routing attributes in IP traffic. This section shows an example
of how to configure a standard ACL to identify the source subnet for IP traffic.

To configure a standard ACL to identify a source subnet, enter a command such as the following.

Brocade(config)# access-list 99 permit 10.157.23.0 0.0.0.255

The command in this example configures a standard ACL that permits traffic from subnet
10.157.23.0/24. After you configure a route map that matches based on this ACL, the software
uses the route map to set route attributes for the traffic, thus enforcing PBR.

NOTE

Do not use an access group to apply the ACL to an interface. Instead, use a route map to apply the
ACL globally or to individual interfaces for PBR, as shown in the following sections.

Syntax: [no]access-list num deny | permit source-ip | hostname wildcard

or

Syntax: [no]access-list num deny | permit source-ip/mask-bits |hostname

Syntax: [no]access-list num deny | permit host source-ip | hostname

Syntax: [no]access-list num deny | permit any

The num parameter is the access list number and can be from 1–99.

The deny | permit parameter indicates whether packets that match a policy in the access list are
denied (dropped) or permitted (forwarded).

NOTE

If you are configuring the ACL for use in a route map, always specify permit. Otherwise, the Brocade
device will ignore deny clauses and packets that match deny clauses are routed normally.

The source-ip parameter specifies the source IP address. Alternatively, you can specify the host
name.

NOTE

To specify the host name instead of the IP address, the host name must be configured using the
DNS resolver on the Brocade device. To configure the DNS resolver name, use the ip dns
server-address… command at the global CONFIG level of the CLI.

The wildcard parameter specifies the mask value to compare against the host address specified by
the source-ip parameter. The wildcard is in dotted-decimal notation (IP address format). It is a
four-part value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a
zero. Each part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in the mask mean
the packet source address must match the source-ip. Ones mean any value matches. For example,
the source-ip and wildcard values 10.157.22.26 0.0.0.255 mean that all hosts in the Class A
subnet 10.157.22.x match the policy.

Advertising
Popular Brands
Popular manuals