Creating a numbered Layer-2 ACL table – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual

Multi-Service IronWare Security Configuration Guide

77

53-1003035-02

Creating a numbered Layer-2 ACL table

You create a numbered Layer-2 ACL table by defining a Layer-2 ACL clause.

To create a numbered Layer-2 ACL table, enter commands (clauses) such as the following at the
Global CONFIG level of the CLI. Note that you can add additional clauses to the ACL table at any
time by entering the command with the same table ID and different MAC parameters.

Brocade(config)# access-list 400 deny any any any etype arp
Brocade(config)# access-list 400 deny any any any etype ipv6
Brocade(config)# access-list 400 permit any any 100

This configuration creates a Layer-2 ACL with an ID of 400. When applied to an interface, this
Layer-2 ACL table will deny all ARP and IPv6 traffic, and permit all other traffic in VLAN 100.

Brocade(config)# access-list 1399 permit any any 100 etype any dscp-marking 54
Warning: this ACL will have unexpected results on non-IP packets. Make sure the
traffic on the interfaces are IP packets.

This configuration creates a Layer-2 ACL with an ID of 1399 that matches VLAN 100 and marks the
DSCP value as 54.

NOTE

A warning message is displayed if the incoming packet is a non-IP packet without an L3 header, as
shown in the configuration example above.

For more examples of valid Layer-2 ACL clauses, see “Filtering and priority manipulation based on
802.1p priority”.

The ACL functionality for filtering traffic is enhanced with sequence numbers that enable users to
insert, modify or delete rules at any position, without having to remove and reapply the entire ACL. A
sequence number is assigned to each ACL entry, and ACL rules are applied in order from the lowest to
the highest sequence number. Therefore, you can insert a new filter rule at any position you want in the
ACL table by specifying the sequence number. If you do not specify a sequence number, the
system automatically generates one and applies it to the ACL entry. The sequence number generated
by the system is the smallest number divisible by 10 that is greater than the sequence number of the
last ACL entry provisioned in the ACL table. Therefore, when you do not specify a sequence number,
the rule is added to the end of the ACL table. The default sequence number assigned to the first ACL
entry in the ACL table is “10”.

The following example shows how the system-generated sequence number is assigned when you
do not specify a sequence number.

Brocade(config)#access-list 101 deny any any any etype arp
Brocade(config)#access-list 101 sequence 12 permit 0000.1111.1111 ffff.ffff.ffff any any 12 etype any
Brocade(config)#access-list 101 permit 0000.1111.1111 ffff.ffff.ffff any any etype any
Brocade(config)#access-list 101 deny any any any etype ipv4
Brocade(config)#access-list 101 sequence 37 permit 0000.1111.1111 ffff.ffff.ffff any any 37 etype any
Brocade(config)#access-list 101 deny any any any etype ipv6
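As an added illustration (not from the Brocade manual), the following Python simulation applies the sequence-numbering rule described above to the ACL 101 clauses and reports the number each entry receives, so the resulting evaluation order can be checked before the ACL is applied to an interface. The clause parser and the refusal of a duplicate sequence number are assumptions of this simulation, since the page does not describe the device's behaviour in that case.

```python
import re

# Parse "access-list <id> [sequence <n>] <rest of clause>" as typed at the CONFIG level.
CLAUSE_RE = re.compile(r"^access-list\s+(\d+)\s+(?:sequence\s+(\d+)\s+)?(.+)$")


def next_auto_sequence(last_seq):
    """Smallest multiple of 10 strictly greater than last_seq; 10 for an empty table (last_seq=0)."""
    return (last_seq // 10 + 1) * 10


def build_acl_tables(clauses):
    """Map ACL id -> list of (sequence, clause) in the order the device evaluates them."""
    tables = {}            # acl_id -> {sequence: clause body}
    last_provisioned = {}  # acl_id -> sequence number of the entry entered most recently
    for line in clauses:
        m = CLAUSE_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an access-list clause: {line!r}")
        acl_id, explicit, body = m.groups()
        # An explicit 'sequence N' is honoured; otherwise the system-generated rule applies.
        seq = int(explicit) if explicit is not None else next_auto_sequence(last_provisioned.get(acl_id, 0))
        table = tables.setdefault(acl_id, {})
        if seq in table:
            # Assumption: the page does not say what happens on a duplicate sequence number,
            # so the simulation refuses rather than silently replacing or reordering a rule.
            raise ValueError(f"ACL {acl_id}: sequence {seq} already in use")
        table[seq] = body
        last_provisioned[acl_id] = seq
    return {acl_id: sorted(t.items()) for acl_id, t in tables.items()}


# The ACL 101 clauses from the example above, reproduced as input.
EXAMPLE_CLAUSES = [
    "access-list 101 deny any any any etype arp",
    "access-list 101 sequence 12 permit 0000.1111.1111 ffff.ffff.ffff any any 12 etype any",
    "access-list 101 permit 0000.1111.1111 ffff.ffff.ffff any any etype any",
    "access-list 101 deny any any any etype ipv4",
    "access-list 101 sequence 37 permit 0000.1111.1111 ffff.ffff.ffff any any 37 etype any",
    "access-list 101 deny any any any etype ipv6",
]


def example_sequence_numbers():
    """Sequence numbers assigned to EXAMPLE_CLAUSES, in evaluation order."""
    return [seq for seq, _ in build_acl_tables(EXAMPLE_CLAUSES)["101"]]


if __name__ == "__main__":
    for seq, body in build_acl_tables(EXAMPLE_CLAUSES)["101"]:
        print(f"access-list 101 sequence {seq} {body}")
```

Running the block lists the entries as 10, 12, 20, 30, 37 and 40: the unnumbered clauses land on the next multiple of 10 after the most recently provisioned entry, not after the highest number in the table.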