Creating an extended IP ACL, Applying an IP ACL to a management interface – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Creating an extended IP ACL
To create an extended IP ACL, perform the following steps in global configuration mode.
1. Use the ip access-list extended command, followed by a name for the ACL, to create the ACL and enter its configuration mode.
switch(config)# ip access-list extended extdACL5
2. Use the seq command to enter the rules for the ACL. You can enter multiple rules. Rules are evaluated in ascending sequence-number order and the first matching rule decides the action, so leave gaps between sequence numbers to make room for rules you may need to insert later. In the example below, rule 5 denies Telnet (TCP port 23) from host 10.24.26.145 to any destination, rule 7 denies HTTP (TCP port 80) from any source, rule 10 denies UDP traffic to destination ports 10 through 25, and rule 15 permits all remaining TCP traffic.
switch(config-ip-ext)# seq 5 deny tcp host 10.24.26.145 any eq 23
switch(config-ip-ext)# seq 7 deny tcp any any eq 80
switch(config-ip-ext)# seq 10 deny udp any any range 10 25
switch(config-ip-ext)# seq 15 permit tcp any any
3. Use the exit command to return to global configuration mode. Your changes are automatically saved.
switch(config-ip-ext)# exit
Applying an IP ACL to a management interface
To apply the IP ACLs, perform the following steps in global configuration mode.
1. Use the interface command to enter the configuration mode for the management interface.
switch(config)# interface Management 3/1
2. Use the ip access-group command to apply the IPv4 standard ACL.
switch(config-Management-3/1)# ip access-group stdACL3 in
3. Use the ipv6 access-group command to apply the IPv6 standard ACL.
switch(config-Management-3/1)# ipv6 access-group stdV6ACL1 in
4. Use the ip access-group command to apply the IPv4 extended ACL.
switch(config-Management-3/1)# ip access-group extdACL5 in
5. Use the exit command to return to global configuration mode. Your changes are automatically saved.
switch(config-Management-3/1)# exit
NOTE
If the ACL applied to the management interface contains only UDP rules (permit or deny), TCP traffic is implicitly denied, and an ACL containing only TCP rules implicitly denies UDP. When you need management access over both protocols, include explicit rules for each (for example, a final permit tcp any any alongside your UDP rules) rather than relying on the default action.
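The following Python script is an added example, not code from the Network OS guide or from Brocade. It parses seq rules in the syntax shown above, evaluates sample packets against them in sequence-number order with the management-interface default of "permit any" at the end, and reports whether an ACL references only one of TCP or UDP (the condition the note above warns about). It goes slightly beyond the page by also accepting an A.B.C.D/len source or destination, which is an assumed extension; the rule set EXT_ACL5 is copied from the page and the sample packets are constructed for illustration.

```python
"""Evaluate a Network OS-style extended IP ACL bound to a management interface.

Added example (not Brocade code). Implements sequence-ordered first-match
evaluation with a trailing "permit any" default, as the guide describes for
ACLs bound to the management interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_lo: Optional[int] = None   # None means "any destination port"
    dport_hi: Optional[int] = None

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        """True if a packet with these fields is matched by this rule."""
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(src) not in self.src:
            return False
        if ipaddress.ip_address(dst) not in self.dst:
            return False
        if self.dport_lo is not None:
            return dport is not None and self.dport_lo <= dport <= self.dport_hi
        return True


def _parse_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any', 'host A.B.C.D', or A.B.C.D/len (CIDR form is an assumed extension)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse 'seq N permit|deny proto SRC DST [eq P | range LO HI]'."""
    tokens = line.split()
    if len(tokens) < 6 or tokens[0] != "seq":
        raise ValueError(f"not a seq rule: {line!r}")
    seq, action, proto = int(tokens[1]), tokens[2], tokens[3]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line!r}")
    rest = tokens[4:]
    src = _parse_addr(rest)
    dst = _parse_addr(rest)
    lo = hi = None
    if rest:
        if rest[0] == "eq" and len(rest) == 2:
            lo = hi = int(rest[1])
        elif rest[0] == "range" and len(rest) == 3:
            lo, hi = int(rest[1]), int(rest[2])
        else:
            raise ValueError(f"bad port spec in: {line!r}")
    return Rule(seq, action, proto, src, dst, lo, hi)


def parse_acl(lines) -> list:
    """Parse all rules and order them by sequence number, as the switch evaluates them."""
    return sorted((parse_rule(l) for l in lines if l.strip()), key=lambda r: r.seq)


def evaluate(rules: list, proto: str, src: str, dst: str, dport: Optional[int] = None):
    """Return (action, seq) of the first matching rule, or ("permit", None) for the
    implicit 'permit any' the guide says is appended on a management interface."""
    for rule in rules:
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.seq
    return "permit", None


def implicitly_denied(rules: list) -> Optional[str]:
    """Per the guide's note: an ACL that references only UDP implicitly denies TCP
    and vice versa. Returns the protocol that would be implicitly denied, or None."""
    protos = {r.proto for r in rules}
    if protos == {"udp"}:
        return "tcp"
    if protos == {"tcp"}:
        return "udp"
    return None


# Rules copied from the guide's extdACL5 example.
EXT_ACL5 = parse_acl([
    "seq 5 deny tcp host 10.24.26.145 any eq 23",
    "seq 7 deny tcp any any eq 80",
    "seq 10 deny udp any any range 10 25",
    "seq 15 permit tcp any any",
])

if __name__ == "__main__":
    # Constructed sample packets (proto, src, dst, dport); 10.0.0.1 is an assumed management address.
    for pkt in [("tcp", "10.24.26.145", "10.0.0.1", 23), ("tcp", "10.24.26.146", "10.0.0.1", 23),
                ("tcp", "192.0.2.9", "10.0.0.1", 80), ("udp", "192.0.2.9", "10.0.0.1", 20),
                ("udp", "192.0.2.9", "10.0.0.1", 53)]:
        print(pkt, "->", evaluate(EXT_ACL5, *pkt))
    print("implicitly denied:", implicitly_denied(EXT_ACL5))
```

The last sample packet (UDP to port 53) matches no rule and is permitted only by the trailing default, which is the behaviour to keep in mind when an ACL is written as a list of denies: anything you did not think to deny reaches the management plane.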
Binding an ACL in standalone mode or fabric cluster mode
In standalone or fabric cluster mode, an ACL can be applied to any node present in the cluster by
specifying its RBridge ID. One ACL per IPv4 and one ACL per IPv6 can be applied to the management
interface. Applying a new ACL replaces the ACL that was previously applied. The no command form
removes an ACL from the interface. Removing the active ACL results in default behavior of "permit
any."
You can bind an IP ACL in the ingress direction for the management interface, and you are not required
to create an ACL before binding it to the management interface.
On a management interface, the default action of "permit any" is inserted at the end of an ACL that has
been bound.
To bind an ACL to a management interface, perform the following steps from privileged EXEC mode.
1. Enter the configure terminal command to access global configuration mode.
switch# configure terminal
2. Enter interface management followed by the rbridge-id/port, then for each IP version the access-group command with the name of the ACL you want to bind and the binding direction. Use in (ingress); the management interface supports only ingress binding.
switch(config)# interface management 1/0
switch(config-Management-1/0)# ip access-group stdACL3 in
switch(config-Management-1/0)# ipv6 access-group stdV6ACL1 in
switch(config-Management-1/0)# exit
Network OS Administrator’s Guide, 53-1003225-04, page 469