Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 117
The second entry denies IGMP traffic from the host device named "rkwong" to the 10.157.21.x network.
The third entry denies IGMP traffic from the 10.157.21.x network to the host device named "rkwong".
The fourth entry denies all IP traffic from host 10.157.21.100 to host 10.157.22.1 and generates Syslog
entries for packets that are denied by this entry.
The fifth entry denies all OSPF traffic and generates Syslog entries for denied traffic.
The sixth entry permits all packets that are not explicitly denied by the other entries. Without this entry,
the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
The following commands apply ACL 102 to the incoming traffic on port 1/2 and to the incoming traffic on
port 4/3.
device(config)#int eth 1/2
device(config-if-1/2)#ip access-group 102 in
device(config-if-1/2)#exit
device(config)#int eth 4/3
device(config-if-4/3)#ip access-group 102 in
device(config-if-4/3)#exit
device(config)#write memory
Here is another example of an extended ACL.
device(config)#access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24
device(config)#access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24
device(config)#access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 lt telnet neq 5
device(config)#access-list 103 deny udp any range 5 6 10.157.22.0/24 range 7 8
device(config)#access-list 103 permit ip any any
The first entry in this ACL denies TCP traffic from the 10.157.21.x network to the 10.157.22.x network.
The second entry denies all FTP traffic from the 10.157.21.x network to the 10.157.22.x network.
The third entry denies TCP traffic from the 10.157.21.x network to the 10.157.22.x network if the
destination TCP port number is less than the well-known Telnet port (23) and is not equal to 5. TCP
packets whose destination port is 5, 23, or greater than 23 are not matched by this entry.
Note that the first entry already denies all TCP traffic from the 10.157.21.x network to the
10.157.22.x network. Because the device evaluates an ACL from the top and the first matching entry
decides, the second and third entries can never match a packet; when a specific entry must take
effect, place it before the broader entry that would otherwise cover it.
The fourth entry denies UDP packets from any source to the 10.157.22.x network, if the UDP port
number from the source network is 5 or 6 and the destination UDP port is 7 or 8.
The fifth entry permits all packets that are not explicitly denied by the other entries. Without this entry,
the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the ACL.
The following commands apply ACL 103 to the incoming traffic on ports 2/1 and 2/2.
device(config)#int eth 2/1
device(config-if-2/1)#ip access-group 103 in
device(config-if-2/1)#exit
device(config)#int eth 2/2
device(config-if-2/2)#ip access-group 103 in
device(config-if-2/2)#exit
device(config)#write memory
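The following Python script is an added example, not code from the FastIron guide or from Brocade. It models the first-match evaluation that the entry descriptions above rely on: it parses the five ACL 103 entries exactly as shown (only the syntax subset on this page: any, host, prefix/length addresses, the eq/neq/lt/gt/range operators and the trailing log keyword; the port names ftp and telnet are assumed to map to 21 and 23), evaluates sample packets, and reports entries that an earlier entry fully covers. The packets and the shadow check are constructed for illustration.

```python
# Added example (not from the FastIron guide): a minimal model of how an
# extended ACL such as ACL 103 is evaluated. Handles only the syntax subset
# on this page: any / host A.B.C.D / A.B.C.D/len addresses, the eq, neq, lt,
# gt and range port operators, and the optional trailing "log" keyword.
import ipaddress

PORT_NAMES = {"ftp": 21, "telnet": 23}        # assumed mapping for the names used on the page
ALL_PORTS = frozenset(range(65536))
OPERATORS = {"eq", "neq", "lt", "gt", "range"}

# The ACL 103 entries as shown above, with the CLI prompt stripped.
ACL_103_TEXT = """
access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24
access-list 103 deny tcp 10.157.21.0/24 eq ftp 10.157.22.0/24
access-list 103 deny tcp 10.157.21.0/24 10.157.22.0/24 lt telnet neq 5
access-list 103 deny udp any range 5 6 10.157.22.0/24 range 7 8
access-list 103 permit ip any any
"""


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tok, i):
    """Parse one address term starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i], strict=False), i + 1


def _ports(tok, i):
    """Parse zero or more port operators; successive operators are ANDed,
    so "lt telnet neq 5" yields ports 0-22 minus 5. None means any port."""
    allowed = None
    while i < len(tok) and tok[i] in OPERATORS:
        op = tok[i]
        if op == "range":
            s = frozenset(range(_port(tok[i + 1]), _port(tok[i + 2]) + 1))
            i += 3
        else:
            p = _port(tok[i + 1])
            s = {"eq": frozenset([p]), "neq": ALL_PORTS - {p},
                 "lt": frozenset(range(p)), "gt": frozenset(range(p + 1, 65536))}[op]
            i += 2
        allowed = s if allowed is None else allowed & s
    return allowed, i


def parse_entry(line):
    tok = line.split()
    acl_id, action, proto = tok[1], tok[2], tok[3]
    src, i = _addr(tok, 4)
    sports, i = _ports(tok, i)      # operators after the source apply to the source port
    dst, i = _addr(tok, i)
    dports, i = _ports(tok, i)      # operators after the destination apply to the destination port
    return {"acl": acl_id, "action": action, "proto": proto, "src": src,
            "sports": sports, "dst": dst, "dports": dports, "log": "log" in tok[i:]}


def parse_acl(text):
    return [parse_entry(line) for line in text.strip().splitlines()]


def matches(entry, pkt):
    """pkt: dict with proto, src, dst and (for tcp/udp) sport, dport."""
    if entry["proto"] not in ("ip", pkt["proto"]):
        return False
    if ipaddress.ip_address(pkt["src"]) not in entry["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in entry["dst"]:
        return False
    for ports, field in (("sports", "sport"), ("dports", "dport")):
        if entry[ports] is not None and pkt.get(field) not in entry[ports]:
            return False
    return True


def evaluate(acl, pkt):
    """First matching entry decides. With no final permit, anything unmatched
    falls through to the implicit deny at the end of every ACL."""
    for n, entry in enumerate(acl, 1):
        if matches(entry, pkt):
            return entry["action"], n
    return "deny", None


def _covers(a, b):
    """True if every packet that matches entry b also matches entry a."""
    def ports_ok(pa, pb):
        return pa is None or (pb is not None and pb <= pa)
    return (a["proto"] in ("ip", b["proto"])
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"])
            and ports_ok(a["sports"], b["sports"]) and ports_ok(a["dports"], b["dports"]))


def shadowed_entries(acl):
    """1-based (later, earlier) pairs where the earlier entry fully covers the later one."""
    return [(j + 1, i + 1) for j in range(len(acl)) for i in range(j)
            if _covers(acl[i], acl[j])]


if __name__ == "__main__":
    acl = parse_acl(ACL_103_TEXT)
    # Constructed sample packet: FTP from the 10.157.21.x network to 10.157.22.x.
    ftp = {"proto": "tcp", "src": "10.157.21.10", "dst": "10.157.22.20",
           "sport": 40000, "dport": 21}
    print(evaluate(acl, ftp))          # ('deny', 1): the FTP-specific entry 2 is never reached
    print(shadowed_entries(acl))       # [(2, 1), (3, 1)]
```

Running the script shows that entry 1 already decides every TCP packet that entries 2 and 3 describe, that entry 3 on its own leaves destination ports 5 and 23 unmatched, and that dropping the final permit ip any any turns any packet no entry matches into an implicit deny.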
Rule-Based IP ACLs
53-1003088-03