Configuration example for standard named acls – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
NOTE
If you use the CIDR format, the ACL entries appear in that format in the running-config and startup-config files, but the show ip access-list command displays them with a subnet mask.
The host source-ip | hostname parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask: a mask of all zeros (0.0.0.0) is implied, so every bit of the packet's source address must match the address you entered.
The any parameter configures the policy to match on all host addresses.
The log argument configures the device to generate Syslog entries and SNMP traps for inbound
packets that are denied by the access policy.
NOTE
You can enable logging on inbound ACLs and filters that support logging even when the ACLs and
filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the
end of the ACL or filter. The software replaces the ACL or filter command with the new one. The new
ACL or filter, with logging enabled, takes effect immediately.
The in | out parameter applies the ACL to incoming or outgoing traffic on the interface to which you
apply the ACL. You can apply the ACL to an Ethernet port or virtual interface.
NOTE
If the ACL is bound to a virtual routing interface, you also can specify a subset of ports within the VLAN containing that interface when assigning an ACL to the interface. See Enabling ACL filtering based on VLAN membership or VE port membership on page 130 for further details.
Configuration example for standard named ACLs
To configure a standard named ACL, enter commands such as the following.
device(config)#ip access-list standard Net1
device(config-std-nACL)#deny host 10.157.22.26 log
device(config-std-nACL)#deny 10.157.29.12 log
device(config-std-nACL)#deny host IPHost1 log
device(config-std-nACL)#permit any
device(config-std-nACL)#exit
device(config)#int eth 1/1
device(config-if-e1000-1/1)#ip access-group Net1 in
The commands in this example configure a standard ACL named "Net1" and apply it to inbound traffic on port 1/1. The first three entries deny packets from three source IP addresses and log each denied packet. Because every ACL ends with an implicit "deny", the final entry, permit any, is what allows traffic through: it permits all packets that are not explicitly denied by the first three entries, and without it every other packet arriving on the port would be dropped. For an example of how to configure the same entries in a numbered ACL, refer to Configuring standard numbered ACLs
Notice that the command prompt changes after you enter the ACL type and name. The "std" in the
command prompt indicates that you are configuring entries for a standard ACL. For an extended ACL,
this part of the command prompt is "ext". The "nACL" indicates that you are configuring a named ACL.
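The following Python model is an added example, not Brocade code or device output, and is included here to make the evaluation rules described above concrete: entries are checked in order and the first match decides; host implies a 0.0.0.0 mask (every bit must match); a CIDR prefix is another spelling of address-plus-mask; any matches every source; and because the ACL ends with an implicit deny, only a trailing permit any lets unlisted sources through. The running-config excerpt it parses is constructed for this example (it extends Net1 with a masked entry and a CIDR entry to show they match the same way); the function names are this example's own.

```python
"""Model of how a FastIron standard ACL is evaluated (added example, not Brocade code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF

# Constructed running-config excerpt written for this example, not captured from a device.
RUNNING_CONFIG = """\
ip access-list standard Net1
 deny host 10.157.22.26 log
 deny 10.157.29.12 log
 deny 10.157.30.0 0.0.0.255 log
 deny 10.157.31.0/24 log
 permit any
"""


@dataclass(frozen=True)
class Entry:
    action: str     # "permit" or "deny"
    address: int    # source address the entry compares against
    mask: int       # FastIron mask: 0 bits must match, 1 bits are ignored
    log: bool

    def matches(self, src: str) -> bool:
        care = ~self.mask & ALL_ONES
        return (int(ipaddress.IPv4Address(src)) & care) == (self.address & care)

    def canonical(self) -> str:
        """Render the entry in address-plus-mask form, with any CIDR prefix expanded."""
        if self.mask == ALL_ONES:
            target = "any"
        elif self.mask == 0:
            target = f"host {ipaddress.IPv4Address(self.address)}"
        else:
            target = f"{ipaddress.IPv4Address(self.address)} {ipaddress.IPv4Address(self.mask)}"
        return f"{self.action} {target}" + (" log" if self.log else "")


def parse_entry(line: str) -> Entry:
    """Parse one 'permit ...' or 'deny ...' line of a standard ACL."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    log = bool(rest) and rest[-1] == "log"
    if log:
        rest = rest[:-1]
    if rest == ["any"]:
        return Entry(action, 0, ALL_ONES, log)
    if rest[0] == "host":                       # host a.b.c.d: mask 0.0.0.0 implied
        return Entry(action, int(ipaddress.IPv4Address(rest[1])), 0, log)
    if "/" in rest[0]:                          # CIDR form, as stored in the running-config
        net = ipaddress.IPv4Network(rest[0], strict=False)
        return Entry(action, int(net.network_address), int(net.hostmask), log)
    address = int(ipaddress.IPv4Address(rest[0]))
    # Bare address without a mask is treated like host, as in the page's Net1 example.
    mask = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
    return Entry(action, address, mask, log)


def parse_standard_acl(text: str) -> Tuple[str, List[Entry]]:
    """Parse one 'ip access-list standard NAME' block into its ordered entries."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    if header[:3] != ["ip", "access-list", "standard"]:
        raise ValueError("not a standard named ACL")
    return header[3], [parse_entry(l) for l in lines[1:]]


def evaluate(entries: List[Entry], src: str) -> Tuple[str, bool, Optional[int]]:
    """First-match lookup: returns (action, log, entry index). When no entry
    matches, the implicit deny applies and the index is None."""
    for i, e in enumerate(entries):
        if e.matches(src):
            return e.action, e.log, i
    return "deny", False, None


if __name__ == "__main__":
    name, entries = parse_standard_acl(RUNNING_CONFIG)
    print(f"ACL {name} in address-plus-mask form:")
    for e in entries:
        print("  " + e.canonical())
    for src in ("10.157.22.26", "10.157.31.200", "10.157.22.27"):
        print(src, "->", evaluate(entries, src))
    # Drop the trailing 'permit any' to watch the implicit deny take over.
    print("10.157.22.27 without permit any ->", evaluate(entries[:-1], "10.157.22.27"))
```

Running the script shows the CIDR entry 10.157.31.0/24 rendered as 10.157.31.0 0.0.0.255, the same form as the explicit-mask entry before it, and shows that removing the final permit any turns an otherwise unmatched source from a permit into a deny with no entry index, which is the implicit deny the text warns about.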
FastIron Ethernet Switch Security Configuration Guide
111
53-1003088-03