beautypg.com

Configuration examples for extended numbered acls – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 116

background image

The dscp-matching option matches on the packet’s DSCP value. Enter a value from 0 - 63. This
option does not change the packet’s forwarding priority through the device or mark the packet. Refer
to

DSCP matching

on page 140.

The log parameter enables SNMP traps and Syslog messages for inbound packets denied by the
ACL:

• You can enable logging on inbound ACLs and filters that support logging even when the ACLs and

filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter
to the end of the ACL or filter. The software replaces the ACL or filter command with the new one.
The new ACL or filter, with logging enabled, takes effect immediately.

The traffic-policy option enables the device to rate limit inbound traffic and to count the packets and
bytes per packet to which ACL permit or deny clauses are applied. For configuration procedures and
examples, refer to the chapter "Traffic Policies" in the FastIron Ethernet Switch Traffic Management
Guide .

Configuration example for extended named ACLs

To configure an extended named ACL, enter the ip access-list extended ACL_name command.

device(config)#ip access-list extended "block Telnet"

device(config-ext-nACL)#deny tcp host 10.157.22.26 any eq telnet log

device(config-ext-nACL)#permit ip any any

device(config-ext-nACL)#exit

device(config)#int eth 1/1

device(config-if-1/1)#ip access-group "block Telnet" in

The options at the ACL configuration level and the syntax for the ip access-group command are the
same for numbered and named ACLs and are described in

Extended numbered ACL configuration

on

page 112 and

Extended numbered ACL configuration

on page 112.

Configuration examples for extended numbered ACLs

To configure an extended access control list that blocks all Telnet traffic received on port 1/1 from IP
host 10.157.22.26, enter the following commands.

device(config)#access-list 101 deny tcp host 10.157.22.26 any eq telnet log

device(config)#access-list 101 permit ip any any

device(config)#int eth 1/1

device(config-if-e1000-1/1)#ip access-group 101 in

device(config)#write memory

Here is another example of commands for configuring an extended ACL and applying it to an
interface. These examples show many of the syntax choices. Notice that some of the entries are
configured to generate log entries while other entries are not thus configured.

device(config)#access-list 102 perm icmp 10.157.22.0/24 10.157.21.0/24

device(config)#access-list 102 deny igmp host rkwong 10.157.21.0/24 log

device(config)#access-list 102 deny igrp 10.157.21.0/24 host rkwong log

device(config)#access-list 102 deny ip host 10.157.21.100 host 10.157.22.1 log

device(config)#access-list 102 deny ospf any any log

device(config)#access-list 102 permit ip any any

The first entry permits ICMP traffic from hosts in the 10.157.22.x network to hosts in the 10.157.21.x
network.

Rule-Based IP ACLs

116

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

See also other documents in the category Brocade Computer Accessories: