Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Syntax: [no] ip access-list standard {ACL-name |ACL-num } { deny | permit } { source-ip |
hostname } [ log ]

Syntax: [no] ip access-list standard {ACL-name |ACL-num } { { deny | permit } any [ log ]

Syntax: [no] ip access-group ACL-name [ in | out ]

The ACL-name parameter is the access list name. You can specify a string of up to 256 alphanumeric
characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for
example, "ACL for Net1").

The ACL-num parameter allows you to specify an ACL number if you prefer. If you specify a number,
you can specify from 1 - 99 for standard ACLs.

NOTE
For convenience, the software allows you to configure numbered ACLs using the syntax for named
ACLs. The software also still supports the older syntax for numbered ACLs. Although the software
allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the
startup-config and running-config files in using the older syntax, as follows. access-list 1 deny
host 10.157.22.26 logaccess-list 1 deny 10.157.22.0 0.0.0.255 logaccess-
list 1 permit any access-list 101 deny tcp any any eq http log

The deny | permit parameter indicates whether packets that match a policy in the access list are
denied (dropped) or permitted (forwarded).

The source-ip parameter specifies the source IP address. Alternatively, you can specify the host
name.

NOTE
To specify the host name instead of the IP address, the host name must be configured using the DNS
resolver on the Brocade device. To configure the DNS resolver name, use the ip dns server-
address ... command at the global CONFIG level of the CLI.

The wildcard parameter specifies the mask value to compare against the host address specified by the
source-ip parameter. The wildcard is in dotted-decimal notation (IP address format). It is a four-part
value, where each part is 8 bits (one byte) separated by dots, and each bit is a one or a zero. Each
part is a number ranging from 0 to 255, for example 0.0.0.255. Zeros in the mask mean the packet
source address must match the source-ip . Ones mean any value matches. For example, the source-
ip and wildcard values 10.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 10.157.22.x
match the policy.

If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after
the IP address, then enter the number of significant bits in the mask. For example, you can enter the
CIDR equivalent of "10.157.22.26 0.0.0.255" as "10.157.22.26/24". The CLI automatically converts the
CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and
changes the non-significant portion of the IP address into ones. For example, if you specify
10.157.22.26/24 or 10.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value
appears as 10.157.22.0/24 (if you have enabled display of subnet lengths) or 10.157.22.0 0.0.0.255 in
the startup-config file.

If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in "/
mask-bits " format. To enable the software to display the CIDR masks, enter the ip show-subnet-
length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the
ACL entry regardless of whether the software is configured to display the masks in CIDR format.

Rule-Based IP ACLs

110

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03