Brocade Mobility RFS Controller CLI Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

53-1003098-01

deny ip [||any|from-vlan | host ] [||any|host ] (log,rule-precedence <1-5000>) {(rule-description )}

from-vlan

Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs
identified here are dropped.

– Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs
separated by a hyphen (for example, 12-20).

Use this option with WLANs and port ACLs.

host

Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified
host are dropped.

– Specify the source host’s exact IP address in the A.B.C.D format.

Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified
destinations are dropped.

S-NAME>

Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses
identified by the network-group alias are dropped.

– Specify the network-group alias name (should be existing and
configured).

any

Specifies the destination as any IP address. ICMP packets addressed to any destination are dropped.

host

Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the
specified host are dropped.

– Specify the destination host’s exact IP address in the A.B.C.D format.

Defines the ICMP packet type.
For example, an ICMP type 0 indicates it is an ECHO REPLY, and type 8 indicates it is an ECHO.

Defines the ICMP message type.
For example, an ICMP code 3 indicates “Destination Unreachable”, code 1 indicates “Host Unreachable”, and
code 3 indicates “Port Unreachable.”

After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code,
specify the action taken in case of a match.

log

Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP
packet is received from a specified IP address and/or is destined for a specified IP address), an event is
logged.

rule-precedence
<1-5000>
rule-description

The following keywords are recursive and common to all of the above parameters:

rule-precedence – Assigns a precedence for this deny rule.

<1-5000> – Specify a value from 1 - 5000.

rule-description – Optional. Configures a description for this deny rule. Provide a description that
uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

ip

Applies this deny rule to IP packets only.

Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified
networks are dropped.

S-NAME>

Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses
identified by the network-group alias are dropped.

– Specify the network-group alias name (should be existing and
configured).

any

Specifies the source as any IP address. IP packets received from any source are dropped.

from-vlan

Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified
VLANs are dropped.

– Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs
separated by a hyphen (for example, 12-20).

Use this option with WLANs and port ACLs.
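
A pre-deployment check for the operand limits documented in this table, as an added example that is not part of the Brocade guide: it validates a deny rule held as a Python dict before the rule is entered at the CLI. The dict keys, the kind names ("network", "alias" and so on) and the 1-4094 VLAN ID range (the 802.1Q usable range) are assumptions.

```python
import ipaddress
import re

# Limits come from the parameter table above; dict keys and "kind" names are hypothetical.
PRECEDENCE = range(1, 5001)  # rule-precedence <1-5000>
MAX_DESCRIPTION = 128        # rule-description length limit
VLAN_IDS = range(1, 4095)    # assumption: 802.1Q usable IDs 1-4094 (not stated on the page)

def check_vlan(spec):
    """Accept a single VLAN ID or a start-end range such as 12-20."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", spec)
    if not m:
        return f"from-vlan {spec!r}: expected an ID or start-end"
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if lo not in VLAN_IDS or hi not in VLAN_IDS:
        return f"from-vlan {spec!r}: ID outside 1-4094"
    return f"from-vlan {spec!r}: start exceeds end" if lo > hi else None

def check_addr(kind, value):
    """kind 'host' needs an exact A.B.C.D; kind 'network' needs A.B.C.D/M."""
    try:
        if kind == "host":
            ipaddress.IPv4Address(value)
        elif "/" not in value:
            return f"network {value!r}: mask missing, expected A.B.C.D/M"
        else:
            ipaddress.IPv4Network(value, strict=False)
    except ValueError:
        return f"{kind} {value!r}: not a valid IPv4 value"
    return None

def lint_deny_rule(rule):
    """Return the problems found in one deny rule; an empty list means clean."""
    problems = []
    for side in ("source", "destination"):
        kind, value = rule[side]
        if kind == "from-vlan":  # listed above as a source criterion only
            err = check_vlan(value) if side == "source" else "from-vlan is source-only"
        elif kind in ("host", "network"):
            err = check_addr(kind, value)
        else:
            err = None if kind in ("any", "alias") else f"unknown kind {kind!r}"
        if err:
            problems.append(f"{side}: {err}")
    if rule.get("precedence") not in PRECEDENCE:
        problems.append("rule-precedence must be 1-5000")
    if len(rule.get("description", "")) > MAX_DESCRIPTION:
        problems.append("rule-description exceeds 128 characters")
    return problems
```

Each rule is passed as a dict such as {"source": ("from-vlan", "12-20"), "destination": ("host", "192.0.2.10"), "precedence": 100}; the addresses here are constructed documentation values.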