
Setting the output interface to the null interface – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


device(config-routemap test-route)#set ip next-hop 192.168.2.1

device(config-routemap test-route)#exit

The following commands configure the second entry in the route map. This entry (permit 51) matches
on the IP address information in ACL 51 above. For IP traffic from subnet 209.157.24.0/24, this route
map entry sets the next-hop IP address to 192.168.2.2.

device(config)#route-map test-route permit 51

device(config-routemap test-route)#match ip address 51

device(config-routemap test-route)#set ip next-hop 192.168.2.2

device(config-routemap test-route)#exit

The following commands configure the third entry in the test-route route map. This entry (permit 52)
matches on the IP address information in ACL 52 above. For IP traffic from subnet 209.157.25.0/24,
this route map entry sets the next-hop IP address to 192.168.2.3.

device(config)#route-map test-route permit 52

device(config-routemap test-route)#match ip address 52

device(config-routemap test-route)#set ip next-hop 192.168.2.3

device(config-routemap test-route)#exit

The following command enables PBR by globally applying the test-route route map to all interfaces.

device(config)#ip policy route-map test-route

Alternatively, you can enable PBR on specific interfaces, as shown in the following example. The
commands in this example configure IP addresses in the three source subnets identified in ACLs 50,
51, and 52, then apply route map test-route to the interface.

device(config)#interface ve 1

device(config-vif-1)#ip address 209.157.23.1/24

device(config-vif-1)#ip address 209.157.24.1/24

device(config-vif-1)#ip address 209.157.25.1/24

device(config-vif-1)#ip policy route-map test-route

Setting the output interface to the null interface

The following commands configure a PBR policy that sends all traffic from 192.168.1.204/32 to the null
interface, dropping the traffic instead of forwarding it. First, ACL 56 identifies the host:

device(config)#access-list 56 permit 192.168.1.204 0.0.0.0

The following commands configure a single entry in a route map called "file-13". This entry (permit 56)
matches on the IP address information in ACL 56 above. For IP traffic from the host 192.168.1.204/32,
this route map entry sends the traffic to the null interface instead of forwarding it, thus sparing the rest
of the network the unwanted traffic.

device(config)#route-map file-13 permit 56

device(config-routemap file-13)#match ip address 56

device(config-routemap file-13)#set interface null0

device(config-routemap file-13)#exit

The following command enables PBR by globally applying the route map to all interfaces.

device(config)#ip policy route-map file-13

Alternatively, you can enable PBR on specific interfaces, as shown in the following example. The
commands in this example configure an IP address in the source subnet identified in ACL 56, then
apply route map file-13 to the interface.

device(config)#interface ethernet 3/11

device(config-if-e10000-3/11)#ip address 192.168.1.204/32

device(config-if-e10000-3/11)#ip policy route-map file-13
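As an added illustration (not Brocade code or part of the guide), the following Python script models the first-match evaluation of the two route maps above, so you can check offline which next hop a given source gets, which sources are black-holed via null0, and whether any entry is dead because an earlier entry already covers its ACL. The ACL contents and route-map entries are transcribed from this page; ACL 50's subnet (209.157.23.0/24) is inferred from the interface addresses listed for test-route, and the function names are this example's own.

```python
import ipaddress

# Standard ACLs transcribed from the page (ACL 50's subnet is inferred from the
# interface addresses given for route map test-route).
ACLS = {
    50: [ipaddress.ip_network("209.157.23.0/24")],
    51: [ipaddress.ip_network("209.157.24.0/24")],
    52: [ipaddress.ip_network("209.157.25.0/24")],
    56: [ipaddress.ip_network("192.168.1.204/32")],
}

# Route-map entries as (sequence, match-acl, set-action); the set action is
# ("next-hop", ip) or ("interface", "null0"), as configured on the page.
ROUTE_MAPS = {
    "test-route": [
        (50, 50, ("next-hop", "192.168.2.1")),
        (51, 51, ("next-hop", "192.168.2.2")),
        (52, 52, ("next-hop", "192.168.2.3")),
    ],
    "file-13": [(56, 56, ("interface", "null0"))],
}

def acl_permits(acl_number, src_ip):
    """Standard ACL: permit when the source lies in any listed network."""
    return any(src_ip in net for net in ACLS[acl_number])

def apply_route_map(entries, src):
    """First-match evaluation of a route map for a packet with source `src`.
    Returns ("next-hop", ip), ("drop", "null0") for a null-interface entry, or
    ("routing-table", None) when no entry matches and normal routing applies."""
    src_ip = ipaddress.ip_address(src)
    for _seq, acl, action in sorted(entries, key=lambda e: e[0]):
        if acl_permits(acl, src_ip):
            return ("drop", "null0") if action == ("interface", "null0") else action
    return ("routing-table", None)

def shadowed_entries(entries):
    """Sequence numbers of entries that can never match because every network
    their ACL permits is already covered by an earlier entry (for example a
    mistyped 'match ip address' that repeats a previous entry's ACL)."""
    covered, dead = [], []
    for seq, acl, _action in sorted(entries, key=lambda e: e[0]):
        nets = ACLS[acl]
        if all(any(n.subnet_of(c) for c in covered) for n in nets):
            dead.append(seq)
        covered.extend(nets)
    return dead
```

Running shadowed_entries over a copy of test-route in which entry 52 matches ACL 51 reports sequence 52 as unreachable, which is the kind of configuration check worth making before a policy is applied globally.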


FastIron Ethernet Switch Security Configuration Guide

53-1003088-03