Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00)
53-1003035-02
Page 115

3 Configuring numbered and named ACLs

Please note that the behavior of an implicit deny ip any any ACL filter is different from that of an
explicit deny ip any any filter, as follows:

An explicit deny ip any any filter applies only to non-option packets.

An explicit deny ip any any option ignore filter applies to both option and non-option packets.

The implicit deny ip any any filter applies to both option and non-option packets.

Configuring standard or extended named ACLs

The commands for configuring named ACL entries are different from the commands for configuring
numbered ACL entries. The command to configure a numbered ACL is access-list. The command
for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL
entry, you specify all the parameters in a single command. When you configure a named ACL,
you first specify the ACL type (standard or extended) and the ACL name with one command,
which places you in the configuration level for that ACL. Once you are in the configuration level
for the ACL, the syntax for each entry is the same as the syntax for numbered ACL entries.

The following examples show how to configure a named standard ACL entry and a named extended
ACL entry.
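The guide's own examples are not reproduced on this page, so the following configuration-file excerpt is an added illustration rather than text from the guide. It shows a named standard ACL and a named extended ACL entered in the style described above (ip access-list with the type and name, then entries in numbered-ACL syntax), followed by the interface commands that apply them. The ACL names, addresses, ports and interface numbers are invented for the example, and lines beginning with ! are comments in the style of a saved configuration. The explicit final deny uses option ignore so that packets carrying IP options are matched by that entry rather than falling through to the implicit deny described in the note above.

```text
! Named standard ACL (source address only). "ip access-list standard <name>"
! enters the ACL's configuration level; the entries use numbered-ACL syntax.
ip access-list standard mgmt-hosts
 permit host 10.1.1.10
 permit 10.1.2.0 0.0.0.255
 deny any
!
! Named extended ACL (protocol, source, destination, port).
ip access-list extended web-in
 permit tcp any host 10.1.3.20 eq 80
 permit tcp any host 10.1.3.20 eq 443
 ! Explicit final deny with "option ignore": matches packets with or without
 ! IP options. A plain "deny ip any any" here would match only non-option
 ! packets, leaving option packets to the implicit deny at the end of the ACL.
 deny ip any any option ignore
!
! Apply the named ACLs to inbound traffic on two interfaces
! (interface numbers are example values).
interface ethernet 1/1
 ip access-group mgmt-hosts in
!
interface ethernet 1/2
 ip access-group web-in in
```

Either way the option-carrying packets end up dropped, because the implicit deny also applies to them; writing the final deny with option ignore simply makes that drop happen at an entry you can see in the configuration instead of at the implicit one.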

The option parameter of an extended ACL entry takes one of the following forms:

value
    You can match based upon a specified IP Option value. Values between 1 and 255 can be used.

keyword
    You can use the any keyword to match packets with IP Options, or use the ignore keyword to
    match packets with or without IP Options.

    NOTE
    If you are configuring a filter to permit or deny rsvp or igmp packets, it will ignore IP
    options within the packet by default.

name
    You can match by using any of the following well-known options by name:

    eol – Matches IP Option packets that contain the eol option.
    extended-security – Matches IP Option packets that contain the extended security option.
    loose-source-route – Matches IP Option packets that contain the loose source route option.
    no-op – Matches IP Option packets that contain the no-op option.
    record-route – Matches IP Option packets that contain the record route option.
    router-alert – Matches IP Option packets that contain the router alert option.
    security – Matches IP Option packets that contain the security option.
    streamid – Matches IP Option packets that contain the stream id option.
    strict-source-route – Matches IP Option packets that contain the strict source route option.
    timestamp – Matches IP Option packets that contain the timestamp option.
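The three forms of the option parameter (name, value and keyword), written out as an added example that is not from the guide, in one named extended ACL that drops IP-option traffic. The ACL name is invented, 148 is used only as a sample numeric value, and the ! lines are comments in saved-configuration style. As described above, the ignore keyword matches packets with or without IP options, so the final permit uses it to cover the remaining traffic.

```text
ip access-list extended ip-options-policy
 ! name form: well-known options matched by name.
 deny ip any any option loose-source-route
 deny ip any any option strict-source-route
 deny ip any any option record-route
 ! value form: an option matched by its numeric value (1 to 255);
 ! 148 is a sample value for this example.
 deny ip any any option 148
 ! keyword form, any: the entries above are evaluated first, so this
 ! entry catches packets carrying any other IP option.
 deny ip any any option any
 ! keyword form, ignore: matches packets with or without IP options;
 ! here it permits everything not denied by the entries above.
 permit ip any any option ignore
```

The separate name and value entries ahead of deny ip any any option any are redundant as far as the forwarding decision goes; they are there to show each form and to keep the commonly abused source-routing and route-recording options as distinct, visible entries ahead of the catch-all.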