IP ACL, Creating a standard IP or IPv6 ACL – Brocade Network OS NETCONF Operations Guide v4.1.1 User Manual

414

Network OS NETCONF Operations Guide

53-1003231-02

Chapter 28

IP ACL

IP ACLs control access to the switch. They do not control egress traffic or outbound management
traffic initiated from the switch. IP ACLs support IPv4 and IPv6 simultaneously.

An IP ACL is a set of rules applied to an interface as a packet-filtering firewall. Each rule
defines whether traffic matching a combination of source and destination IP address, protocol, or
port is denied or permitted.

Each ACL must have a unique name, and there is no limit to the number of ACLs that can be defined.
An ACL can contain rules for only one IP version (either IPv4 or IPv6). Only one ACL per IP version
can be active on an interface at a time; in other words, one ACL for IPv4 addresses and one ACL for
IPv6 addresses can be active on the interface for packet filtering at the same time.

For filtering, the rules of the ACL applied to the interface are checked in ascending order of
their sequence numbers. A maximum of 2048 rules can be added to an access list, but when the ACL is
applied to an interface, only the 256 lowest-numbered rules are applied. If an ACL that contains no
rules is applied to an interface, it becomes a “no-op” and all ingress traffic through the interface
is denied. For a Layer 2 ACL with no rules applied to the interface, traffic is permitted through
that interface; for a Layer 3 (IP) ACL, it is denied.
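The sequence-order and rule-count behaviour described above, modelled in an added Python example (this is not code from the guide or from Network OS). It shows the point an auditor cares about: a rule whose sequence number places it past the 256th is stored in the access list but never enforced. The `Rule` fields, the `layer` argument and the `unmatched` default are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_RULES_DEFINED = 2048  # an access list can hold at most 2048 rules
MAX_RULES_APPLIED = 256   # only the 256 lowest-numbered rules take effect on an interface


@dataclass(frozen=True)
class Rule:
    seq: int       # sequence number; rules are checked in ascending order
    action: str    # "permit" or "deny"
    src: str       # source prefix (a standard ACL matches on source address only)


def applied_rules(rules):
    """The rules that actually take effect once the ACL is bound to an interface."""
    if len(rules) > MAX_RULES_DEFINED:
        raise ValueError("an access list holds at most 2048 rules")
    return sorted(rules, key=lambda r: r.seq)[:MAX_RULES_APPLIED]


def silently_ignored(rules):
    """Rules stored in the ACL but never enforced because they fall past the 256th."""
    active = {r.seq for r in applied_rules(rules)}
    return [r for r in rules if r.seq not in active]


def evaluate(rules, src_ip, layer=3, unmatched="deny"):
    """Action taken for an ingress packet from src_ip.

    An empty Layer 3 (IP) ACL denies all ingress traffic; an empty Layer 2 ACL permits it.
    The 'unmatched' default for traffic that matches no rule is an assumption of this
    example; the guide text above does not state it.
    """
    active = applied_rules(rules)
    if not active:
        return "deny" if layer == 3 else "permit"
    addr = ip_address(src_ip)
    for rule in active:  # first match in ascending sequence order wins
        if addr in ip_network(rule.src, strict=False):
            return rule.action
    return unmatched


# Constructed sample: one early deny for a small block, then 300 per-host permits.
# Sorted by seq, the permits for hosts 255..299 fall beyond the 256th rule.
sample = [Rule(seq=5, action="deny", src="10.0.0.0/30")]
sample += [Rule(seq=10 * (i + 1), action="permit", src=f"10.0.{i // 256}.{i % 256}/32")
           for i in range(300)]

if __name__ == "__main__":
    print(len(applied_rules(sample)), len(silently_ignored(sample)))   # 256 45
    print(evaluate(sample, "10.0.0.1"), evaluate(sample, "10.0.0.255"))  # deny deny
```

Host 10.0.0.255 is permitted on paper (seq 2560) but denied in practice, because its rule is the 257th in sequence order.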

After an IP ACL rule is created, it is not possible to modify any of its options.

The default configuration of the switch consists of two ACLs, one IPv4 ACL and one IPv6 ACL,
applied to the interface.

There are two types of IP access lists:

Standard: Contains rules for only the source IP address. The rules are applicable to all ports of
that source IP address.

Extended: Contains rules for a combination of IP protocol, source IP address, destination IP
address, source port, and destination port.

Creating a standard IP or IPv6 ACL

To create a standard IP or IPv6 ACL, perform the following steps.

1. Issue the RPC to configure the or node in the urn:brocade.com:mgmt:brocade-ip-access-list or
urn:brocade.com:mgmt:brocade-ipv6-access-list namespace, respectively.

2. Under the or node, include the or node.

3. Under the or node, include the / hierarchy of node elements.

4. Under the node, include the leaf element and set its value to the name of the ACL you want to
create.

5. Under the node, specify a list element node for each rule that you want to add to the access
list.

6. Under each node, include the following leaf elements.