Example - denying traffic between two subnets – Brocade Communications Systems RFS6000 User Manual
Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide, 53-1001931-01, page 453
Chapter 14: Extended ACL config commands
Usage Guidelines
Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocol types are supported:
• ip
• icmp
• tcp
• udp
The last ACE in the access list is an implicit deny statement.
Whenever the interface receives a packet, its content is checked against the ACEs in the ACL. The packet is allowed or denied based on the ACL configuration.
• Filtering TCP/UDP allows the user to specify port numbers as filtering criteria
• Select ICMP as the protocol to allow/deny ICMP packets. Selecting icmp provides the option of filtering ICMP packets based on ICMP type and code
NOTE
The log option is functional only for router ACLs. The log option displays an informational logging message about the packet that matches the entry; the message is sent to the console.
Example - denying traffic between two subnets
The following example denies traffic between two subnets:
deny [tcp|udp] [<A.B.C.D/M>|any|host <A.B.C.D>] {eq <1-65535>|range <1-65535> <1-65535>} [<A.B.C.D/M>|any|host <A.B.C.D>] {eq <1-65535>|range <1-65535> <1-65535>} {log} {rule-precedence <1-5000>}
Use with the deny command to reject TCP or UDP packets
• deny – Rejects TCP or UDP packets
• tcp|udp – Specifies TCP or UDP as the protocol
• <A.B.C.D/M> – Source IP address of the network or host (in dotted decimal format). The source-mask is the network mask. For example, 10.1.1.10/24 indicates the first 24 bits of the source IP are used for matching.
• any – any is an abbreviation for a source IP of 0.0.0.0, and the source-mask bits are equal to 0
• host – host is an abbreviation for an exact source (A.B.C.D), and the source-mask bits are equal to 32
• eq – Matches a single source port. Values in the range 1 to 65535.
• range – Specifies the protocol range (starting and ending protocol numbers)
• <A.B.C.D/M> – Destination host IP address or destination network address
• eq|range – A destination port or a range of destination ports. Port values are in the range of 1 to 65535.
• log – Generates log messages when a packet coming from the interface matches the ACL entry. Log messages are generated only for router ACLs.
• rule-precedence <1-5000> – Defines an integer value between 1 and 5000. This value sets the rule precedence in the ACL.
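Added example, not code from the Brocade guide: a small Python model of the matching rules described above (first-match evaluation in rule-precedence order, the implicit deny after the last ACE, the A.B.C.D/M, any and host address forms, and eq/range port checks). It assumes that a lower rule-precedence value is evaluated first; the Ace class, evaluate() and the sample ACL are constructed for this demonstration.

```python
# Added example, not code from the Brocade guide: models how an extended ACL
# evaluates one TCP/UDP packet. Assumption: a lower rule-precedence value is
# checked first. Ace, evaluate() and the sample ACL are constructed for this demo.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Ports = Optional[Tuple[int, int]]   # None = any port; (lo, hi) from "eq N" or "range LO HI"

@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "tcp" or "udp"
    src: str           # "A.B.C.D/M", "any" or "host A.B.C.D"
    dst: str           # same forms as src
    precedence: int    # rule-precedence <1-5000>
    sport: Ports = None
    dport: Ports = None

def to_network(spec: str) -> ipaddress.IPv4Network:
    """Map the CLI address forms to a network: any -> 0.0.0.0/0, host -> /32,
    A.B.C.D/M keeps only the first M bits (10.1.1.10/24 -> 10.1.1.0/24)."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    return ipaddress.ip_network(spec, strict=False)

def port_matches(rng: Ports, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]

def evaluate(acl, proto: str, sip: str, sport: int, dip: str, dport: int) -> str:
    """Return 'permit' or 'deny': the first matching ACE in precedence order wins,
    and a packet matching no ACE hits the implicit deny after the last ACE."""
    for ace in sorted(acl, key=lambda a: a.precedence):
        if (ace.proto == proto
                and ipaddress.ip_address(sip) in to_network(ace.src)
                and ipaddress.ip_address(dip) in to_network(ace.dst)
                and port_matches(ace.sport, sport)
                and port_matches(ace.dport, dport)):
            return ace.action
    return "deny"   # implicit deny

# Constructed ACL: block TCP from 10.1.1.0/24 to 10.1.2.0/24, then permit TCP
# from 10.1.1.0/24 to well-known ports anywhere else. Only this direction is
# covered; the reverse direction falls through to the implicit deny.
ACL = [
    Ace("deny", "tcp", "10.1.1.10/24", "10.1.2.0/24", precedence=10),
    Ace("permit", "tcp", "10.1.1.0/24", "any", precedence=20, dport=(1, 1023)),
]
```

Swapping the two precedence values makes the broader permit entry match first, which is why a deny between subnets must carry a lower rule-precedence than any overlapping permit.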