
Creating an extended IP or IPv6 ACL – Brocade Network OS NETCONF Operations Guide v4.1.1 User Manual


Network OS NETCONF Operations Guide, 53-1003231-02, page 416

Chapter 28: IP ACL

Creating an extended IP or IPv6 ACL

To create an extended IP or IPv6 ACL, perform the following steps.

1. Issue the RPC to configure the IP ACL or IPv6 ACL container node in the
   urn:brocade.com:mgmt:brocade-ip-access-list or
   urn:brocade.com:mgmt:brocade-ipv6-access-list namespace, respectively.

2. Under that container node, include the IP or IPv6 node element.

3. Under the IP or IPv6 node, include the two-level hierarchy of node elements for the
   extended access list.

4. Under the extended access-list node, include the leaf element that carries the ACL name
   and set its value to the name of the ACL you want to configure.

5. Under the same extended access-list element, specify one list element node for each rule
   you want to add to the access list.

6. Under each rule node, include the following leaf elements.

   a. In the sequence-number leaf element, set a sequence number for the rule. The number
      identifies the rule and determines the order in which rules are evaluated (lowest
      first); the first rule whose conditions match decides what happens to the packet.

   b. In the action leaf element, specify "deny" to create a rule that drops traffic when
      the rule conditions are met, "permit" to create a rule that forwards the traffic, or
      "hard-drop" to create a rule that forces the traffic to be dropped.

   c. Additional leaf elements that specify the protocol, the source and destination
      addresses (a single host or any host), and the source and destination ports for which
      traffic is permitted or denied. Every condition given in a rule must match for the rule
      to apply; there is no way to express "or" within a single rule, so alternatives need
      separate rules with their own sequence numbers.

For a complete list of rule leaf elements, refer to the brocade-ip-access-list.yang file or
the brocade-ipv6-access-list.yang file.

The following example creates an extended IP ACL named extdACL5 that includes the following
rules:

Rule 5 denies TCP traffic from host 10.24.26.145 bound for port 23 on any destination host.

Rule 7 denies TCP traffic from any source host bound for port 80 on any destination host.

Rule 10 denies UDP traffic from any source host to ports in the range 10 through 25 on any
destination host.

The start of the example request, showing the element values for rule 5 in the order they
appear (the enclosing element tags are not reproduced here):

extdACL5        ACL name
5               sequence number
deny            action
tcp             protocol
host            source is a single host
10.24.26.145    source host address
any             destination is any host
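As an added, worked example (not code from the guide or from Brocade), the following Python script builds the complete NETCONF edit-config request for extdACL5 with the three rules described above, validates the rule set before anything is sent (unique sequence numbers, only the three documented actions, rules emitted in evaluation order), and parses the result back for review. Only the two namespace URIs come from the guide. The element names (ip-acl, ip, access-list, extended, name, seq, seq-id, action, protocol-type, src-host-any-sip, src-host-ip, dst-host-any-dip, dport, dport-number-eq-neq-tcp, dport-number-range-lower-udp and so on), the edit-config/running target, and the IPv6 variant are assumptions recalled from the brocade-ip-access-list.yang and brocade-ipv6-access-list.yang models; confirm them against the .yang files that ship with your Network OS release before using the output on a switch. The rule table is constructed input matching the guide's description.

```python
# Added example, not from the Brocade guide. Namespace URIs are from the guide;
# every element name in FAMILY and E and the <target><running/> choice are ASSUMED
# from memory of the brocade-ip-access-list / brocade-ipv6-access-list YANG models.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_NETCONF = "urn:ietf:params:xml:ns:netconf:base:1.0"

FAMILY = {  # "ns" values come from the guide; "top" and "af" element names are assumed
    "ip":   {"ns": "urn:brocade.com:mgmt:brocade-ip-access-list",   "top": "ip-acl",   "af": "ip"},
    "ipv6": {"ns": "urn:brocade.com:mgmt:brocade-ipv6-access-list", "top": "ipv6-acl", "af": "ipv6"},
}
E = {  # assumed list/leaf names; "{p}" is replaced by the protocol (tcp/udp)
    "list": "access-list", "ext": "extended", "name": "name", "seq": "seq", "seq_id": "seq-id",
    "action": "action", "proto": "protocol-type",
    "src_kind": "src-host-any-sip", "src_ip": "src-host-ip",
    "dst_kind": "dst-host-any-dip", "dst_ip": "dst-host-ip",
    "dport": "dport", "dport_eq": "dport-number-eq-neq-{p}",
    "dport_lo": "dport-number-range-lower-{p}", "dport_hi": "dport-number-range-higher-{p}",
}
VALID_ACTIONS = ("permit", "deny", "hard-drop")  # the three actions the guide lists

# Constructed input: the three rules the guide describes for extdACL5.
# src/dst None means "any"; dport is None, ("eq", port) or ("range", low, high).
EXTD_ACL5 = {
    "name": "extdACL5",
    "rules": [
        {"seq": 5,  "action": "deny", "proto": "tcp", "src": "10.24.26.145", "dst": None, "dport": ("eq", 23)},
        {"seq": 7,  "action": "deny", "proto": "tcp", "src": None, "dst": None, "dport": ("eq", 80)},
        {"seq": 10, "action": "deny", "proto": "udp", "src": None, "dst": None, "dport": ("range", 10, 25)},
    ],
}


def check_rules(rules):
    """Reject duplicate seq-ids and unknown actions; return the rules in the order the
    switch evaluates them (lowest seq-id first), whatever order they were supplied in."""
    seen = set()
    for r in rules:
        if r["seq"] in seen:
            raise ValueError(f"duplicate seq-id {r['seq']}")
        seen.add(r["seq"])
        if r["action"] not in VALID_ACTIONS:
            raise ValueError(f"unknown action {r['action']!r}")
    return sorted(rules, key=lambda r: r["seq"])


def _leaf(tag, value, depth):
    return f"{'  ' * depth}<{tag}>{escape(str(value))}</{tag}>"


def _rule_lines(r, depth):
    lines = [_leaf(E["seq_id"], r["seq"], depth), _leaf(E["action"], r["action"], depth),
             _leaf(E["proto"], r["proto"], depth)]
    for side, kind, ip in (("src", E["src_kind"], E["src_ip"]), ("dst", E["dst_kind"], E["dst_ip"])):
        lines.append(_leaf(kind, "any" if r[side] is None else "host", depth))
        if r[side] is not None:
            lines.append(_leaf(ip, r[side], depth))
    dp = r.get("dport")
    if dp:
        lines.append(_leaf(E["dport"], dp[0], depth))
        if dp[0] == "eq":
            lines.append(_leaf(E["dport_eq"].format(p=r["proto"]), dp[1], depth))
        elif dp[0] == "range":
            lines.append(_leaf(E["dport_lo"].format(p=r["proto"]), dp[1], depth))
            lines.append(_leaf(E["dport_hi"].format(p=r["proto"]), dp[2], depth))
        else:
            raise ValueError(f"unsupported port operator {dp[0]!r}")
    return lines


def build_edit_config(acl, family="ip", message_id="101"):
    """Return the full <rpc><edit-config> text for one extended ACL (ip or ipv6 family)."""
    f = FAMILY[family]
    out = [f'<rpc message-id="{message_id}" xmlns="{NS_NETCONF}">',
           "  <edit-config>", "    <target><running/></target>", "    <config>",
           f'      <{f["top"]} xmlns="{f["ns"]}">', f'        <{f["af"]}>',
           f'          <{E["list"]}>', f'            <{E["ext"]}>', _leaf(E["name"], acl["name"], 7)]
    for r in check_rules(acl["rules"]):
        out.append(f'              <{E["seq"]}>')
        out.extend(_rule_lines(r, 8))
        out.append(f'              </{E["seq"]}>')
    out += [f'            </{E["ext"]}>', f'          </{E["list"]}>', f'        </{f["af"]}>',
            f'      </{f["top"]}>', "    </config>", "  </edit-config>", "</rpc>"]
    return "\n".join(out)


def summarize(xml_text, family="ip"):
    """Parse a generated request back and list (seq-id, action, protocol) in evaluation
    order, so the rule set can be reviewed before it goes over a NETCONF session."""
    ns = FAMILY[family]["ns"]
    root = ET.fromstring(xml_text)
    return [(int(s.findtext(f"{{{ns}}}{E['seq_id']}")), s.findtext(f"{{{ns}}}{E['action']}"),
             s.findtext(f"{{{ns}}}{E['proto']}")) for s in root.iter(f"{{{ns}}}{E['seq']}")]


if __name__ == "__main__":
    request = build_edit_config(EXTD_ACL5)
    print(request)
    print(summarize(request))
```

Keeping the element names in one table (E and FAMILY) means that if the .yang file for your release differs (for example an intermediate container between the extended list and its rules, or different port leaf names), only that table changes. Values are escaped before being placed in element text, so an ACL name taken from user input cannot inject additional elements into the request.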