Brocade ICX 6650 Security Configuration Guide
87
53-1002601-01
Standard named ACL configuration
significant bits) and changes the non-significant portion of the IP address into ones. For example, if 
you specify 10.157.22.26/24 or 10.157.22.26 0.0.0.255, then save the changes to the 
startup-config file, the value appears as 10.157.22.0/24 (if you have enabled display of subnet 
lengths) or 10.157.22.0 0.0.0.255 in the startup-config file.
If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file 
in “/mask-bits” format. To enable the software to display the CIDR masks, enter the ip 
show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to 
configure the ACL entry regardless of whether the software is configured to display the masks in 
CIDR format.
NOTE
If you use the CIDR format, the ACL entries appear in this format in the running-config and 
startup-config files, but are shown with subnet mask in the display produced by the show ip 
access-list command. 
The host source-ip | hostname parameter lets you specify a host IP address or name. When you 
use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
The any parameter configures the policy to match on all host addresses. 
The log argument configures the device to generate syslog entries and SNMP traps for inbound 
packets that are denied by the access policy.
The in | out parameter applies the ACL to incoming or outgoing traffic on the interface to which you 
apply the ACL. You can apply the ACL to an Ethernet port or to a virtual interface.
NOTE
If the ACL is for a virtual routing interface, you also can specify a subset of ports within the VLAN 
containing that interface when assigning an ACL to the interface. 
Configuration example for standard numbered ACLs
To configure a standard ACL and apply it to incoming traffic on port 1/1/1, enter the following 
commands.
Brocade(config)# access-list 1 deny host 10.157.22.26 log
Brocade(config)# access-list 1 deny 10.157.29.12 log
Brocade(config)# access-list 1 deny host IPHost1 log
Brocade(config)# access-list 1 permit any 
Brocade(config)# int eth 1/1/1
Brocade(config-if-e10000-1/1/1)# ip access-group 1 in
Brocade(config)# write memory
The commands in this example configure an ACL that denies packets from three source IP addresses 
on port 1/1/1. The last entry in this ACL permits all packets that are not explicitly denied by the 
first three entries.
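The following added Python example (not from the guide or from Brocade) models two things described above: how the device normalizes a source address and wildcard mask into the form saved in the startup-config, and how the example access-list 1 is evaluated entry by entry, first match wins, against an inbound source address. The HOSTS table that resolves IPHost1 is a constructed stand-in for the device's name lookup.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed host table standing in for the device's DNS/host lookup (assumption).
HOSTS = {"IPHost1": "10.157.30.5"}

def normalize(address: str, wildcard: Optional[str] = None) -> Tuple[str, str]:
    """Zero the host bits as the startup-config does; return (CIDR form, wildcard form)."""
    if wildcard is None:                      # CIDR input such as 10.157.22.26/24
        net = ipaddress.IPv4Network(address, strict=False)
    else:                                     # address plus wildcard such as 0.0.0.255
        # Invert the wildcard explicitly: passing "0.0.0.0" straight to IPv4Network would be
        # read as a /0 netmask, not as the all-significant host mask the CLI means.
        netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
        net = ipaddress.IPv4Network((address, str(netmask)), strict=False)  # non-contiguous -> ValueError
    return str(net), f"{net.network_address} {net.hostmask}"

class StandardAcl:
    """Ordered standard ACL: the first matching entry decides, implicit deny at the end."""
    def __init__(self, number: int):
        self.number = number
        self.entries: List[Tuple[str, ipaddress.IPv4Network, bool]] = []

    def add(self, action: str, source: str, wildcard: Optional[str] = None, log: bool = False):
        if source == "any":                   # matches every source address
            net = ipaddress.IPv4Network("0.0.0.0/0")
        elif source.startswith("host "):      # host X: a mask of 0.0.0.0 is implied
            name = source[5:]
            net = ipaddress.IPv4Network(HOSTS.get(name, name) + "/32")
        else:                                 # plain address: no wildcard means host match
            net = ipaddress.IPv4Network(normalize(source, wildcard or "0.0.0.0")[0])
        self.entries.append((action, net, log))

    def evaluate(self, src_ip: str) -> Tuple[str, bool]:
        """Return (action, log) for an inbound packet from src_ip."""
        ip = ipaddress.IPv4Address(src_ip)
        for action, net, log in self.entries:
            if ip in net:
                return action, log
        return "deny", False                  # implicit deny when no entry matches

# The guide's access-list 1, rebuilt entry by entry in the order it was entered
ACL1 = StandardAcl(1)
ACL1.add("deny", "host 10.157.22.26", log=True)
ACL1.add("deny", "10.157.29.12", log=True)
ACL1.add("deny", "host IPHost1", log=True)
ACL1.add("permit", "any")
```

Because evaluation stops at the first match, a `permit any` placed before the deny entries would make them unreachable; `normalize` also rejects a non-contiguous wildcard such as 0.0.255.0, which is worth checking before an entry is pushed to a device.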
Standard named ACL configuration
This section describes how to configure standard named ACLs with alphanumeric IDs. This section 
also provides configuration examples.