Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00): Enabling ACL conflict check; Enabling ACL filtering of fragmented or non-fragmented packets

Multi-Service IronWare Security Configuration Guide, 53-1003035-02 (Chapter 3, page 128)

Syntax: [no] acl-duplication-check

Enabling ACL conflict check

If desired, you can enable software checking for conflicting ACL entries. To do so, enter the
following command at the Global CONFIG level of the CLI.

Brocade(config)# acl-conflict-check
Brocade(config)# access-list 173 permit ip host 1.1.6.203 198.6.1.0 0.0.0.255
Brocade(config)# access-list 173 deny ip host 1.1.6.203 198.6.1.0 0.0.0.255
Warning: Conflicting entry in ACL 173: permit ip host 1.1.6.203 198.6.1.0 0.0.0.255
Brocade(config)# acc 174 deny ip host 1.1.6.203 198.6.1.0 0.0.0.255
Brocade(config)#

In the example above, the system generates the warning shown because access-list 173 already contains an entry that is identical except for the permit or deny keyword. To disable the check, enter the no form of the command at the Global CONFIG level of the CLI.

Brocade(config)# no acl-conflict-check
Brocade(config)# access-list 173 permit ip host 1.1.6.201 198.6.1.0 0.0.0.255
Brocade(config)# access-list 173 deny ip host 1.1.6.201 198.6.1.0 0.0.0.255
Brocade(config)#

Syntax: [no] acl-conflict-check

NOTE

This command only checks for conflict between ACL filters that are the same except for the permit
or deny keyword.
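The same check can be run offline against a saved configuration before it is loaded onto a device. The following Python script is an added example, not Brocade code, and implements the rule stated in the note above: two entries in the same ACL conflict only when their filter text is identical and they differ in the permit or deny keyword. The access-list lines it parses are constructed from the session shown earlier.

```python
import re
from typing import Dict, List, Tuple

# Matches "access-list <num> <permit|deny> <filter>"; "acc" is the abbreviation
# used in the guide's example session.
ACL_LINE = re.compile(r"^\s*(?:access-list|acc)\s+(\d+)\s+(permit|deny)\s+(.+?)\s*$")


def parse_acl_entries(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (acl_number, action, filter) for each access-list line."""
    # Whitespace in the filter is normalised so spacing differences do not hide a match.
    entries = []
    for line in config_text.splitlines():
        m = ACL_LINE.match(line)
        if m:
            acl, action, flt = m.groups()
            entries.append((acl, action, " ".join(flt.split())))
    return entries


def find_conflicts(config_text: str) -> Dict[str, List[str]]:
    """Map ACL number -> filters that appear with both permit and deny."""
    # As with acl-conflict-check, only entries identical apart from the
    # permit/deny keyword are reported; overlapping non-identical filters are not.
    seen: Dict[Tuple[str, str], set] = {}
    for acl, action, flt in parse_acl_entries(config_text):
        seen.setdefault((acl, flt), set()).add(action)
    conflicts: Dict[str, List[str]] = {}
    for (acl, flt), actions in seen.items():
        if actions == {"permit", "deny"}:
            conflicts.setdefault(acl, []).append(flt)
    return conflicts


# Constructed sample: ACL 173 repeats the conflicting pair from the guide,
# ACL 174 has one entry, ACL 175 has overlapping but non-identical filters.
SAMPLE_CONFIG = """
access-list 173 permit ip host 1.1.6.203 198.6.1.0 0.0.0.255
access-list 173 deny ip host 1.1.6.203 198.6.1.0 0.0.0.255
acc 174 deny ip host 1.1.6.203 198.6.1.0 0.0.0.255
access-list 175 permit ip host 1.1.6.203 198.6.1.0 0.0.0.255
access-list 175 deny ip any 198.6.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for acl, filters in find_conflicts(SAMPLE_CONFIG).items():
        for flt in filters:
            print(f"Warning: Conflicting entry in ACL {acl}: permit/deny {flt}")
```

Only ACL 173 is reported; ACL 175's two filters overlap in effect but are not identical, so the device check described here would not flag them either.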

Enabling ACL filtering of fragmented or non-fragmented packets

To define an extended IPv4 ACL that denies or permits fragmented or unfragmented packets, enter commands such as those shown in one of the methods below.

Numbered ACLs

Brocade(config)# access-list 111 deny ip any any fragment
Brocade(config)# int eth 1/1
Brocade(config-if-e10000-1/1)# ip access-group 111 in
Brocade(config)# write memory

The first line in the example defines ACL 111 to deny any fragmented packets. Other packets will be
denied or permitted, based on the next filter condition.

Next, after assigning the ACL to Access Group 111, the access group is bound to port 1/1. It will be
used to filter incoming traffic.

Refer to “Extended ACL syntax” for the complete syntax for extended ACLs.