
Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


The following shows the comment text for a numbered ACL, ACL 100, in a show running-config display. Each remark is stored as its own access-list line and appears immediately before the entry it describes.

device#show running-config
...
access-list 100 remark The following line permits TCP packets
access-list 100 permit tcp 192.168.4.40/24 2.2.2.2/24
access-list 100 remark The following line permits UDP packets
access-list 100 permit udp 192.168.2.52/24 2.2.2.2/24
access-list 100 deny ip any any

Syntax: show running-config

The following example shows the comment text for an ACL in a show access-list display. The output is identical in a show ip access-list display. Compare the address and mask pairs shown here with the form you entered: this display reports the entries the device is actually filtering on, together with their flow and packet counters, so it is the view to check when an ACL does not match traffic as expected.

device#show access-list 100
IP access list rate-limit 100 aaaa.bbbb.cccc
Extended IP access list TCP/UDP (Total flows: N/A, Total packets: N/A)
ACL Remark: The following line permits TCP packets
permit tcp 0.0.0.40 255.255.255.0 0.0.0.2 255.255.255.0 (Flows: N/A, Packets: N/A)
ACL Remark: The following line permits UDP packets
permit udp 0.0.0.52 255.255.255.0 0.0.0.2 255.255.255.0 (Flows: N/A, Packets: N/A)
deny ip any any (Flows: N/A, Packets: N/A)

Syntax: show access-list { ACL-num | ACL-name | all }

or

Syntax: show ip access-list { ACL-num | ACL-name | all }

Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN

By default, when you apply an ACL to a virtual interface in a protocol-based or subnet-based VLAN, the ACL takes effect on all protocol or subnet VLANs to which the untagged port belongs, not only on the VLAN that the virtual interface routes. Because every ACL ends with an implicit deny, traffic from the other subnet VLANs on that port is dropped even though their own virtual interfaces have no ACL applied. To prevent the Brocade device from denying that traffic, configure the ACL so that it permits packets from the IP subnet of the virtual interface in every protocol-based or subnet-based VLAN to which the untagged port belongs. Those permit entries then become the only policy this ACL applies to the other subnets' traffic, so any filtering those subnets need must be written into the same ACL as well. The following example configuration shows this: VLAN 1 carries the subnets 192.168.10.0/24 (routed by ve 10) and 10.15.1.0/24 (routed by ve 20), port 1 is a static member of both, ACL test1 is applied inbound on ve 20, and test1 permits both subnets so that packets from 192.168.10.0/24 are not caught by the implicit deny.

device#configure terminal
device(config)#vlan 1 name DEFAULT-VLAN by port
device(config-vlan-1)#ip-subnet 192.168.10.0 255.255.255.0
device(config-vlan-ip-subnet)#static ethe 1
device(config-vlan-ip-subnet)#router-interface ve 10
device(config-vlan-ip-subnet)#ip-subnet 10.15.1.0 255.255.255.0
device(config-vlan-ip-subnet)#static ethe 1
device(config-vlan-ip-subnet)#router-interface ve 20
device(config-vlan-ip-subnet)#logging console
device(config-vlan-ip-subnet)#exit
device(config-vlan-1)#no vlan-dynamic-discovery
Vlan dynamic discovery is disabled
device(config-vlan-1)#int e 2
device(config-if-e1000-2)#disable
device(config-if-e1000-2)#interface ve 10
device(config-vif-10)#ip address 192.168.10.254 255.255.255.0
device(config-vif-10)#int ve 20
device(config-vif-20)#ip access-group test1 in
device(config-vif-20)#ip address 10.15.1.10 255.255.255.0
device(config-vif-20)#exit
device(config)#ip access-list extended test1
device(config-ext-nACL)#permit ip 10.15.1.0 0.0.0.255 any log
device(config-ext-nACL)#permit ip 192.168.10.0 0.0.0.255 any log
device(config-ext-nACL)#end
device#
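The scope rule above is easy to get wrong when a VLAN gains a third subnet months after the ACL was written, so here is a small audit script that reads FastIron-style configuration text and reports every sibling subnet VLAN on the shared untagged port whose traffic an inbound VE ACL would drop. It is an added example written for this page, not Brocade code, and it also accepts the numbered access-list form with remarks shown in the show running-config display earlier. Assumptions: the running-config layout mirrors the transcript above (the parser ignores indentation and "!" separators), "static ethe" lists single ports (ranges such as "ethe 1 to 4" are not expanded), only ip-subnet VLANs are parsed (not ip-proto VLANs), and the sample configurations are constructed to match the example, with CONFIG_BAD being the same configuration minus the permit for ve 10's subnet. The ACL walk is first-match: an explicit deny that overlaps the sibling subnet, or the implicit deny at the end, produces a finding, and only a "permit ip" entry that covers the whole subnet counts as coverage.

```python
"""Added example: flag a VE ACL in a subnet-based VLAN that drops sibling subnet VLANs' traffic."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

Entry = namedtuple("Entry", "action proto src")   # src is an IPv4Network


@dataclass
class Subnet:
    vlan: str
    network: ipaddress.IPv4Network
    ports: set = field(default_factory=set)   # "static ethe N" members, single ports only
    ve: str = ""                              # "router-interface ve N"


def parse_src(tokens):
    """Parse an ACL source field: any | host A | A/len | A wildcard-mask."""
    t = tokens[0]
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens[1] + "/32")
    if "/" in t:                    # CIDR form, as in the numbered ACL on the page
        return ipaddress.ip_network(t, strict=False)
    # "A wildcard": invert explicitly so 0.0.0.0 is /32 and 255.255.255.255 is /0
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def parse_config(text):
    """Return (subnets, {ve: inbound acl name}, {acl name: [Entry]}); indentation is ignored."""
    subnets, ve_acl, acls = [], {}, {}
    vlan = cur_subnet = cur_ve = cur_acl = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "vlan":
            vlan, cur_subnet, cur_ve, cur_acl = tok[1], None, None, None
        elif tok[0] == "ip-subnet":
            cur_subnet = Subnet(vlan, ipaddress.ip_network(f"{tok[1]}/{tok[2]}"))
            subnets.append(cur_subnet)
        elif tok[0] == "static" and cur_subnet:
            cur_subnet.ports.update(tok[2:])
        elif tok[:2] == ["router-interface", "ve"] and cur_subnet:
            cur_subnet.ve = tok[2]
        elif tok[:2] == ["interface", "ve"]:
            cur_ve, cur_subnet, cur_acl = tok[2], None, None
        elif tok[:2] == ["ip", "access-group"] and cur_ve and tok[-1] == "in":
            ve_acl[cur_ve] = tok[2]
        elif tok[:2] == ["ip", "access-list"]:        # "ip access-list extended NAME"
            cur_acl = acls.setdefault(tok[-1], [])
            cur_ve = cur_subnet = None
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):   # numbered; remarks skipped
            acls.setdefault(tok[1], []).append(Entry(tok[2], tok[3], parse_src(tok[4:])))
        elif tok[0] in ("permit", "deny") and cur_acl is not None:
            cur_acl.append(Entry(tok[0], tok[1], parse_src(tok[2:])))
    return subnets, ve_acl, acls


def verdict(entries, net):
    """First-match walk for packets sourced from net: None if all permitted, else why dropped."""
    for e in entries:
        if e.action == "deny" and e.src.overlaps(net):
            return f"denied by '{e.action} {e.proto} {e.src}'"
        if e.action == "permit" and e.proto == "ip" and net.subnet_of(e.src):
            return None                 # a 'permit tcp' alone is not full coverage
    return "dropped by the implicit deny at the end of the ACL"


def check(text):
    """(ve, acl, sibling_ve, sibling_subnet, reason) for each sibling subnet VLAN the ACL drops."""
    subnets, ve_acl, acls = parse_config(text)
    findings = []
    for s in subnets:
        acl = ve_acl.get(s.ve)
        for o in (subnets if acl else []):
            if o is not s and o.vlan == s.vlan and s.ports & o.ports:
                why = verdict(acls.get(acl, []), o.network)
                if why:
                    findings.append((s.ve, acl, o.ve, str(o.network), why))
    return findings


# Constructed running-config equivalent of the transcript on the page.
CONFIG_OK = """\
vlan 1 name DEFAULT-VLAN by port
 ip-subnet 192.168.10.0 255.255.255.0
  static ethe 1
  router-interface ve 10
 ip-subnet 10.15.1.0 255.255.255.0
  static ethe 1
  router-interface ve 20
interface ve 20
 ip access-group test1 in
ip access-list extended test1
 permit ip 10.15.1.0 0.0.0.255 any log
 permit ip 192.168.10.0 0.0.0.255 any log
"""
# Same config minus the permit for ve 10's subnet: the case the page warns about.
CONFIG_BAD = CONFIG_OK.replace(" permit ip 192.168.10.0 0.0.0.255 any log\n", "")

if __name__ == "__main__":
    print(*check(CONFIG_BAD), sep="\n")
```

Run it against the text of show running-config saved to a file and call check() on it; CONFIG_OK yields no findings, while CONFIG_BAD reports that the ACL on ve 20 drops 192.168.10.0/24 (ve 10) through the implicit deny. The script only reasons about source addresses, which is what the scope problem on this page is about; destination, port and established-state matching are not modelled.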

FastIron Ethernet Switch Security Configuration Guide, 53-1003088-03, page 125