beautypg.com

Extended named acl configuration, Extended named acl syntax – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 118

background image

Extended named ACL configuration

The commands for configuring named ACL entries are different from the commands for configuring
numbered ACL entries. The command to configure a numbered ACL is access-list. The command for
configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry,
you specify all the command parameters on the same command. When you configure a named ACL,
you specify the ACL type (standard or extended) and the ACL number with one command, which
places you in the configuration level for that ACL. Once you enter the configuration level for the ACL,
the command syntax is the same as the syntax for numbered ACLs.

Extended ACLs let you permit or deny packets based on the following information:

• IP protocol
• Source IP address or host name
• Destination IP address or host name
• Source TCP or UDP port (if the IP protocol is TCP or UDP)
• Destination TCP or UDP port (if the IP protocol is TCP or UDP)

The IP protocol can be one of the following well-known names or any IP protocol number from 0 - 255:

• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)

For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP port
80 (HTTP) packets from a specified source IP address to the website’s IP address.

Extended named ACL syntax

Syntax: [no] access-list extended ACL-name { deny | permit } ip-protocol { source-ip | hostname
wildcard } [ operator [ source-tcp | udp-port ] ] | destination-ip | hostname [ icmp-num | icmp-type ]
wildcard [ tcp | udp ] comparison operator destination [ tcp | udp port ] [802.1p-priority-matching
0-7 ] [ dscp-cos-mapping ] [ dscp-marking 0-63 [ 802.1p-priority-marking 0-7... | dscp-cos-
mapping ]] [ dscp-matching 0-63 ] [ log ] [ precedence name | 0-7 ] [ tos 0-63 | name ] [ traffic-
policy name ]

Syntax: [no] ip access-group num [ in | out ]

The ACL-name parameter is the access list name. You can specify a string of up to 256 alphanumeric
characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for
example, "ACL for Net1").

The deny | permit parameter indicates whether packets that match the policy are dropped or
forwarded.

The ip-protoco parameter indicates the type of IP packet you are filtering. You can specify a well-
known name for any protocol whose number is less than 255. For other protocols, you must enter the
number. Enter "?" instead of a protocol to list the well-known names recognized by the CLI.

The source-ip | hostname parameter specifies the source IP host for the policy. If you want the policy
to match on all source addresses, enter any .

Extended named ACL configuration

118

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

See also other documents in the category Brocade Computer Accessories: