Brocade Mobility RFS7000-GR Controller CLI Reference Guide (Supporting software release 4.1.0.0-040GR and later) User Manual

356

Brocade Mobility RFS7000-GR CLI Reference Guide

53-1001945-01

Extended ACL Config Commands

14

Whenever the interface receives the packet, its content is checked against the ACE’s in the ACL. It
is allowed/denied based on the ACL configuration.

•

Filtering on protocol types tcp/udp allows the user to specify port numbers as filtering criteria.

•

Select icmp to allow/deny icmp packets. Selecting icmp provides the option of filtering icmp
packets based on icmp type and code.

NOTE

The log option is functional only for router ACL’s. The log option displays an informational logging
message for the packet that matches the entry sent to the console.

Example
The following example denies traffic between two subnets:

RFS7000(config-ext-nacl)#deny ip 192.168.2.0/24 192.168.1.0/24

RFS7000(config-ext-nacl)#permit ip any any

RFS7000(config-ext-nacl)#

The following example denies tcp traffic with source port range between 20 - 23 from the source
subnet to destination sub net:

RFS7000(config-ext-nacl)#deny tcp 192.168.1.0/24 192.168.2.0/24 range 20 23

RFS7000(config-ext-nacl)#permit ip any any

RFS7000(config-ext-nacl)#

The following example denies udp traffic with a source port range between 20 - 23 from the source
subnet to destination sub net.

RFS7000(config-ext-nacl)#deny udp 192.168.1.0/24 192.168.2.0/24 range 20 23

RFS7000(config-ext-nacl)#permit ip any any

RFS7000(config-ext-nacl)#

The following example denies icmp traffic from any source to any destination. The keyword any is
used to match any source or destination IP address.

RFS7000(config-ext-nacl)#deny icmp any any

RFS7000(config-ext-nacl)#permit ip any any

RFS7000(config-ext-nacl)#