Modifying acls – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide, 53-1003035-02, page 121 (Chapter 3)


Modifying ACLs

When you configure any ACL, a sequence number is assigned to each ACL entry. If you do not
specify the sequence number, the software assigns one to each entry. The default value is 10 plus
the sequence number of the last ACL entry provisioned in the ACL table, so when you do not
specify a sequence number the rule is added to the end of the ACL table. The default value for the
first entry in an IPv4 ACL table is “10”. The software always applies the ACL entries to traffic in
order from the lowest to the highest sequence number. The following example configures two
entries for ACL “1”.

Brocade(config)#access-list 1 deny 10.157.22.0/24

Brocade(config)#access-list 1 permit 10.157.22.26

The system assigns the sequence number “10” to the first entry and “20” to the second entry so
that the output from the show access-list command will be:

10: access-list 1 deny 10.157.22.0/24

20: access-list 1 permit 10.157.22.26

Thus, if a packet matches the first ACL entry in this ACL and is therefore denied, the software does
not compare the packet to the remaining ACL entries. In this example, packets from host
10.157.22.26 will always be dropped, even though packets from this host match the second entry,
because the first entry (the deny for 10.157.22.0/24) is evaluated first and its match ends the
comparison.

By specifying the ACL entry sequence number you can insert the entry at any position that you want
in an ACL table. For example, enter the following command:

Brocade(config)#access-list 1 sequence 15 permit 10.157.22.24

The output from the show access-list command is now:

10: access-list 1 deny 10.157.22.0/24

15: access-list 1 sequence 15 permit 10.157.22.24

20: access-list 1 permit 10.157.22.26

NOTE

Modifications made to an ACL take effect in the hardware only after you execute an explicit
rebind command. For more information, refer to “Applying ACLs to interfaces” on page 125.

There is an alternative method for modifying ACLs on a Brocade device. This method lets you
upload an ACL list from a TFTP server and replace the ACLs in the Brocade device’s
running-config file with the uploaded list. Thus, to change an ACL, you edit the ACL on the file
server and then upload the edited ACL to the Brocade device. You can then save the changed ACL
to the Brocade device’s startup-config file.

ACL lists contain only the ACL entries themselves, not the assignments of ACLs to interfaces. You
must assign the ACLs on the Brocade device itself.

NOTE

The only commands that are valid in the ACL list are the access-list and end commands; other
commands are ignored.
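The sequence-numbering rules above (first entry 10, each unspecified entry last + 10, evaluation from lowest to highest, first match wins) and the ACL-list upload format (only access-list and end honoured, everything else ignored) are both small enough to model exactly. The following Python script is an added example and is not Brocade code: it parses a constructed ACL list in the uploaded-file format, assigns sequence numbers the way the page describes, renders the table like the show access-list output, evaluates a source address against it, and reports entries that can never match because an earlier entry already covers their whole source range. Run on the page's own three entries it shows that entry 15 (host 10.157.22.24) is shadowed by the /24 deny at 10 just as entry 20 is. The "any" keyword, the implicit deny at the end of the table, and the "!" comment line are assumptions of this model, not taken from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    seq: int
    action: str                    # "permit" or "deny"
    source: ipaddress.IPv4Network  # a bare host address becomes a /32
    explicit_seq: bool             # True when "sequence N" was typed


class AclTable:
    """One numbered ACL. Entries are kept ordered by sequence number,
    which is the order the software applies them to traffic."""

    def __init__(self, acl_id):
        self.acl_id = acl_id
        self.entries = []

    def add(self, action, source, seq=None):
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action {action!r}")
        explicit = seq is not None
        if seq is None:
            # Default: 10 for the first entry, otherwise 10 + the last (highest) entry.
            seq = 10 if not self.entries else self.entries[-1].seq + 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use in ACL {self.acl_id}")
        if source == "any":  # assumed keyword, modelled as 0.0.0.0/0
            source = "0.0.0.0/0"
        net = ipaddress.ip_network(source, strict=False)
        self.entries.append(AclEntry(seq, action, net, explicit))
        self.entries.sort(key=lambda e: e.seq)
        return seq

    def show(self):
        """Render the table in the style of the page's show access-list output."""
        lines = []
        for e in self.entries:
            src = str(e.source.network_address) if e.source.prefixlen == 32 else str(e.source)
            seq_part = f" sequence {e.seq}" if e.explicit_seq else ""
            lines.append(f"{e.seq}: access-list {self.acl_id}{seq_part} {e.action} {src}")
        return lines

    def evaluate(self, address):
        """First matching entry wins; (action, seq). No match -> implicit deny (assumed)."""
        addr = ipaddress.ip_address(address)
        for e in self.entries:
            if addr in e.source:
                return e.action, e.seq
        return "deny", None

    def shadowed(self):
        """Sequence numbers of entries that can never match: an earlier entry
        already covers their entire source range, so the comparison stops there."""
        return [e.seq for i, e in enumerate(self.entries)
                if any(e.source.subnet_of(p.source) for p in self.entries[:i])]


def parse_acl_list(text):
    """Parse an ACL list in the upload format: only access-list and end are
    honoured; other lines are ignored and returned so an operator can review them."""
    tables, ignored = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] == "end":
            break
        if tok[0] != "access-list" or len(tok) < 4:
            ignored.append(line)
            continue
        acl_id, rest, seq = tok[1], tok[2:], None
        if rest[0] == "sequence":
            seq, rest = int(rest[1]), rest[2:]
        if len(rest) != 2:
            ignored.append(line)
            continue
        action, source = rest
        tables.setdefault(acl_id, AclTable(acl_id)).add(action, source, seq)
    return tables, ignored


# Constructed sample list: the page's three entries plus lines that must be ignored.
SAMPLE_ACL_LIST = """\
! constructed sample, mirroring the page's example
access-list 1 deny 10.157.22.0/24
access-list 1 permit 10.157.22.26
access-list 1 sequence 15 permit 10.157.22.24
interface ethernet 1/1
end
access-list 1 permit any
"""

if __name__ == "__main__":
    tables, ignored = parse_acl_list(SAMPLE_ACL_LIST)
    acl = tables["1"]
    print("\n".join(acl.show()))
    print("10.157.22.26 ->", acl.evaluate("10.157.22.26"))
    print("shadowed entries:", acl.shadowed())
    print("ignored lines:", ignored)
```

The shadowed() check is the one worth keeping around: inserting an entry by sequence number only helps if the new number is lower than the entry that currently swallows the traffic, and the rendered table alone does not make that obvious.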