
Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 107

Chapter 3: Configuring numbered and named ACLs

The fifth entry permits all packets that are not explicitly denied by the other entries. Without this
entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the
ACL.

The following commands apply ACL 103 to the incoming and outgoing traffic on ports 2/1 and 2/2.

Brocade(config)# int eth 2/1
Brocade(config-if-e10000-2/1)# ip access-group 103 in
Brocade(config-if-e10000-2/1)# ip access-group 103 out
Brocade(config-if-e10000-2/1)# exit
Brocade(config)# int eth 2/2
Brocade(config-if-e10000-2/2)# ip access-group 103 in
Brocade(config-if-e10000-2/2)# ip access-group 103 out
Brocade(config)# write memory

The following example shows how sequence numbers are assigned to ACL entries. This example
configures filter rules for the extended numbered IPv4 ACL “100”.

Brocade(config)# access-list 100 permit udp any any
Brocade(config)# access-list 100 sequence 11 permit tcp any any
Brocade(config)# access-list 100 permit icmp any any

The first entry in this example permits all UDP traffic. Because it is the first entry in the ACL table
and no sequence number is specified, the system assigns the default sequence number “10”. The
second entry, which specifies the sequence number “11”, permits all TCP traffic. The third entry
permits all ICMP traffic. Again, no sequence number is specified, so the system assigns the default
sequence number “21” (10 plus the sequence number of the last ACL filter rule provisioned in the
table) to this entry. The output from the show access-list command for the ACL table is:

10: access-list 100 permit udp any any
11: access-list 100 sequence 11 permit tcp any any
21: access-list 100 permit icmp any any

And the output from the show running-config command is:

access-list 100 permit udp any any
access-list 100 sequence 11 permit tcp any any
access-list 100 permit icmp any any

The show access-list and show running-config commands display only user-configured sequence
numbers. In these examples, the “sequence 11” shown after the access list number indicates a
user-configured sequence number for the ACL entry. When the sequence number of an ACL entry is
system-generated, it is not displayed.

To insert more rules between the adjacent sequence numbers “10” and “11”, you must re-sequence
the ACL table first. The regenerate-seq-num command generates new sequence numbers for the ACL
table entries, creating space between the sequence numbers of adjacent filters. To re-sequence
ACL table “100”, enter the following command.

Brocade(config)# access-list 100 regenerate-seq-num

This command re-sequences the entries in the ACL table in steps of 10, so that the output from the
show access-list command is:

10: access-list 100 permit udp any any
20: access-list 100 sequence 20 permit tcp any any
30: access-list 100 permit icmp any any

And the output from the show running-config command is:

access-list 100 permit udp any any
access-list 100 sequence 20 permit tcp any any
access-list 100 permit icmp any any
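To make the numbering rules above concrete, here is an added Python model of the behaviour the guide describes; it is not Brocade code and not part of the guide. It reproduces the default sequence number 10 for the first entry, 10 plus the last provisioned number for later entries without an explicit sequence, the regenerate-seq-num renumbering in steps of 10, and the two show commands displaying only user-configured sequence numbers. Rejecting a duplicate sequence number is an assumption; the guide does not say how the device handles that case.

```python
# Added model of IronWare numbered-ACL sequence numbering; not Brocade code.
# Behaviour follows the guide's text; the duplicate-sequence check is an assumption.
from dataclasses import dataclass


@dataclass
class AclEntry:
    seq: int
    rule: str       # e.g. "permit udp any any"
    explicit: bool  # True when the operator typed "sequence N"


class Acl:
    def __init__(self, number):
        self.number = number
        self.entries = []      # kept ordered by sequence number, like the ACL table
        self._last_seq = None  # sequence number of the last rule provisioned

    def add(self, rule, sequence=None):
        """access-list N [sequence S] <rule>: the first entry defaults to 10; later
        entries without 'sequence' get 10 plus the last provisioned number."""
        if sequence is None:
            seq = 10 if self._last_seq is None else self._last_seq + 10
        else:
            seq = sequence
        if any(e.seq == seq for e in self.entries):  # assumption: duplicates rejected
            raise ValueError(f"sequence {seq} already used in ACL {self.number}")
        self.entries.append(AclEntry(seq, rule, sequence is not None))
        self.entries.sort(key=lambda e: e.seq)
        self._last_seq = seq

    def regenerate_seq_num(self):
        """access-list N regenerate-seq-num: renumber the table in steps of 10,
        keeping the order, so rules can be inserted between adjacent entries."""
        for i, e in enumerate(self.entries, start=1):
            e.seq = i * 10
        self._last_seq = self.entries[-1].seq if self.entries else None

    def _stanza(self, e):
        # Only user-configured sequence numbers appear in the rule text.
        return (f"sequence {e.seq} " if e.explicit else "") + e.rule

    def show_access_list(self):
        return [f"{e.seq}: access-list {self.number} {self._stanza(e)}" for e in self.entries]

    def show_running_config(self):
        return [f"access-list {self.number} {self._stanza(e)}" for e in self.entries]
```

Building ACL 100 with the three commands from the guide and then calling regenerate_seq_num() reproduces both show outputs above, after which a rule can be placed at sequence 15 between the first two entries.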