Permitting IP based traffic – Brocade Communications Systems RFS6000 User Manual


Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide (53-1001931-01), page 465

14 Extended ACL config commands

Use this command to permit traffic between networks/hosts based on the protocol type
selected in the access list configuration. The following protocols are supported:

- ip
- icmp
- tcp
- udp

The last ACE in the access list is an implicit deny statement.

Whenever the interface receives a packet, its content is checked against all the ACEs in the
ACL. The packet is allowed or denied based on the ACL configuration.

Filtering on TCP/UDP allows the user to specify port numbers as filtering criteria.

Select ICMP to allow/deny packets. Selecting ICMP allows ICMP packets to be filtered based on
type and code.

NOTE: The log option is functional only for router ACLs. The log option displays an informational
logging message about the packet matching the entry, sent to the console.

Permitting IP based traffic

The example below allows IP traffic from the source subnet to the destination subnet and denies
all other traffic over an interface:

permit [tcp|udp] [<source-ip/mask>|any|host <IP>]
       {eq <source-port>|range <starting-source-port> <ending-source-port>}
       [<dest-IP/Mask>|any|host <IP>] {eq <source-port>}
       {range <starting-source-port> <ending-source-port>} {log}
       {rule-precedence <1-5000>}

permit – Use with the permit command to allow TCP or UDP packets

deny – Rejects TCP or UDP packets

tcp|udp – Specifies TCP or UDP as the protocol

<source-IP/Mask>|any|host <IP> – The source is the source IP address of the network or host
(in dotted decimal format). The source-mask is the network mask. For example, 10.1.1.10/24
indicates the first 24 bits of the source IP are used for matching.

any – any is an abbreviation for a source IP of 0.0.0.0, and the source-mask bits are equal to 0

host – host is an abbreviation for an exact source (A.B.C.D), and the source-mask bits are equal to 32

eq <source-port> – The source port <source-port> to match. Values are in the range 1 to 65535.

range <starting-source-port> <ending-source-port> – Specifies the protocol range (starting and
ending protocol numbers)

<dest-IP/mask>|any|host <IP> – Defines the destination host IP address or destination network
address

{eq <source-port>} {range <starting-source-port> <ending-source-port>} – Specifies the
destination port or range of ports. Port values are in the range of 1 to 65535.

log – Generates log messages when the packet coming from the interface matches the ACL entry.
Log messages are generated only for router ACLs.

rule-precedence <1-5000> – Defines an integer value between 1-5000. This value sets the rule
precedence in the ACL.
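The evaluation rule stated earlier (every ACE is checked, the implicit deny closes the list) and the source/destination/port fields of the syntax above, modelled as an added Python example; this is not Brocade's code or the guide's, and the ACL entries, addresses and the assumption that a lower rule-precedence value is checked first are constructed for illustration:

```python
# Added example (not from the Brocade guide) modelling the evaluation described above:
# ACEs are tried in rule-precedence order, first match decides, unmatched packets hit the implicit deny.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Ace:
    action: str                               # "permit" or "deny"
    proto: str                                # "ip", "icmp", "tcp" or "udp"
    src: str                                  # "10.1.1.0/24", "any" or "host 10.1.1.10"
    dst: str
    sport: Optional[Tuple[int, int]] = None   # (lo, hi); "eq p" is (p, p)
    dport: Optional[Tuple[int, int]] = None
    precedence: int = 5000                    # rule-precedence <1-5000>, lower assumed to win
    log: bool = False                         # the log keyword (router ACLs only)

def parse_address(spec: str) -> ipaddress.IPv4Network:
    """<ip/mask> is a prefix, "any" is 0.0.0.0 with a zero mask, "host <IP>" is a /32."""
    if spec == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.IPv4Network(spec.split()[1] + "/32")
    return ipaddress.IPv4Network(spec, strict=False)   # 10.1.1.10/24 -> 10.1.1.0/24

def port_in_range(port: Optional[int], rng: Optional[Tuple[int, int]]) -> bool:
    return rng is None or (port is not None and rng[0] <= port <= rng[1])

def ace_matches(ace, proto, src_ip, dst_ip, sport=None, dport=None):
    if ace.proto != "ip" and ace.proto != proto:   # protocol "ip" covers all four
        return False
    if ipaddress.IPv4Address(src_ip) not in parse_address(ace.src):
        return False
    if ipaddress.IPv4Address(dst_ip) not in parse_address(ace.dst):
        return False
    return port_in_range(sport, ace.sport) and port_in_range(dport, ace.dport)

def evaluate(acl, proto, src_ip, dst_ip, sport=None, dport=None):
    """Return (action, matched_ace); ("deny", None) is the implicit deny."""
    for ace in sorted(acl, key=lambda a: a.precedence):
        if ace_matches(ace, proto, src_ip, dst_ip, sport, dport):
            return ace.action, ace
    return "deny", None

# Constructed ACL (sample addresses): IP from the source subnet to the destination subnet is
# permitted; the SSH rule is listed second but its lower precedence value makes it check first.
ACL = [
    Ace("permit", "ip", "10.1.1.0/24", "192.0.2.0/24", precedence=20),
    Ace("permit", "tcp", "10.1.1.0/24", "host 192.0.2.10", dport=(22, 22), precedence=10, log=True),
]
```

A packet from 10.1.1.10 to 192.0.2.10 on TCP/22 is matched by the logged SSH rule, an ICMP packet to another host in 192.0.2.0/24 by the ip rule, and UDP/53 to an address outside that subnet falls through to the implicit deny.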
