
Configuring extended numbered ACLs – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual


Brocade Virtual ADX Security Guide
53-1003250-01
Chapter 2: Configuring numbered and named ACLs (page 29)

The host source-ip | hostname parameter lets you specify a host IP address or name. When you
use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.

The any parameter configures the policy to match on all host addresses.

The in parameter specifies whether the ACL applies to incoming traffic on the interface to which
you apply the ACL. You can apply the ACL to an Ethernet port. Note that the out parameter is not
supported in any ACL mode.

Configuring extended numbered ACLs

This section describes how to configure extended numbered ACLs.

For configuration information on named ACLs, refer to “Configuring numbered and named ACLs” on page 27.

For configuration information on standard ACLs, refer to “Configuring standard numbered ACLs” on page 27.

Extended ACLs let you permit or deny packets based on the following information:

- IP protocol
- Source IP address or host name
- Destination IP address or host name
- Source TCP or UDP port (if the IP protocol is TCP or UDP)
- Destination TCP or UDP port (if the IP protocol is TCP or UDP)

The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:

- Internet Control Message Protocol (ICMP)
- Internet Group Management Protocol (IGMP)
- Internet Gateway Routing Protocol (IGRP)
- Internet Protocol (IP)
- Open Shortest Path First (OSPF)
- Transmission Control Protocol (TCP)
- User Datagram Protocol (UDP)

For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IP address to the website IP address.

To configure an extended access list that blocks all Telnet traffic received on port 1/1 from IP host 10.157.22.26, enter the following commands.

Virtual ADX (config)#access-list 101 deny tcp host 10.157.22.26 any eq telnet log
Virtual ADX (config)#access-list 101 permit ip any any
Virtual ADX (config)#int eth 1/1
Virtual ADX (config-if-1/1)#ip access-group 101 in
Virtual ADX (config)#write memory

Here is another example of commands for configuring an extended ACL and applying it to an interface. These examples show many of the syntax choices.
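Before pushing an ACL to a device it is useful to check, offline, which packets the entries actually match. The following Python script is an added example written for this page; it is not Brocade code and does not talk to a Virtual ADX. It parses bare `access-list` lines in the syntax shown above (protocol name or number, `host`/`any`/address-plus-wildcard addresses, an optional `eq`/`neq`/`lt`/`gt`/`range` port comparison on TCP and UDP, and a trailing `log`) and evaluates sample packets against them. The protocol and port name tables are an assumed subset of what the device accepts, and the first-match-wins order with an implicit deny at the end is assumed as the usual ACL semantics; the two ACL lines are the ones from the page, and the packets are constructed.

```python
"""Offline evaluator for Brocade-style extended numbered ACL lines (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The two access-list lines shown on the page, without the CLI prompt.
SAMPLE_ACL = [
    "access-list 101 deny tcp host 10.157.22.26 any eq telnet log",
    "access-list 101 permit ip any any",
]

# Assumed subset of the well-known names; the device also accepts raw numbers.
PROTO_NAMES = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "igrp": 9, "udp": 17, "ospf": 89}
PORT_NAMES = {"telnet": 23, "ssh": 22, "domain": 53, "http": 80, "www": 80}
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}


@dataclass
class Entry:
    acl_id: str
    action: str                       # "permit" or "deny"
    proto: Optional[int]              # None means any IP protocol ("ip")
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[tuple] = None  # (operator, low, high)
    dst_port: Optional[tuple] = None
    log: bool = False


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _parse_addr(tokens: list) -> ipaddress.IPv4Network:
    """Consume 'any', 'host A.B.C.D' (mask 0.0.0.0 implied) or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # A mask whose first octet is zero is interpreted by ipaddress as a host (wildcard) mask.
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def _parse_port(tokens: list) -> Optional[tuple]:
    """Consume an optional comparison operator plus one port (two for 'range')."""
    if not tokens or tokens[0] not in PORT_OPS:
        return None
    op = tokens.pop(0)
    lo = _port(tokens.pop(0))
    hi = _port(tokens.pop(0)) if op == "range" else lo
    return (op, lo, hi)


def parse_entry(line: str) -> Entry:
    """Parse: access-list <id> <permit|deny> <proto> <src> [ports] <dst> [ports] [log]."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"not an access-list line: {line}")
    acl_id, action, proto_tok = tokens[1], tokens[2], tokens[3]
    proto = PROTO_NAMES[proto_tok] if proto_tok in PROTO_NAMES else int(proto_tok)
    rest = tokens[4:]
    src = _parse_addr(rest)
    src_port = _parse_port(rest) if proto in (6, 17) else None   # ports only for TCP/UDP
    dst = _parse_addr(rest)
    dst_port = _parse_port(rest) if proto in (6, 17) else None
    return Entry(acl_id, action, proto, src, dst, src_port, dst_port, "log" in rest)


def _port_ok(spec: Optional[tuple], port: int) -> bool:
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]


def evaluate(entries, proto, src, dst, src_port=0, dst_port=0):
    """Return (action, log, index) of the first matching entry; no match is an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, e in enumerate(entries):
        if e.proto is not None and e.proto != proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if not _port_ok(e.src_port, src_port) or not _port_ok(e.dst_port, dst_port):
            continue
        return e.action, e.log, i
    return "deny", False, None


if __name__ == "__main__":
    acl = [parse_entry(l) for l in SAMPLE_ACL]
    # Constructed packets: Telnet and HTTP from the blocked host, Telnet from another host.
    for pkt in [(6, "10.157.22.26", "192.0.2.10", 40000, 23),
                (6, "10.157.22.26", "192.0.2.10", 40000, 80),
                (6, "10.157.22.27", "192.0.2.10", 40000, 23)]:
        print(pkt, "->", evaluate(acl, *pkt))
```

Because the deny entry precedes `permit ip any any`, only Telnet (TCP port 23) from 10.157.22.26 is dropped and logged; every other packet falls through to the permit. Reordering the two lines would silently permit everything, which is the kind of mistake this sort of dry run catches before `write memory`.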