Brocade Communications Systems 12.4.00a User Manual

ServerIron ADX Security Guide, 53-1002440-03, page 55
Chapter 2: Configuring numbered and named ACLs
Configuring standard numbered ACLs
This section describes how to configure standard numbered ACLs, that is, ACLs identified by a numeric ID.
For configuration information on named ACLs, refer to “Configuring standard or extended named ACLs” on page 62.
For configuration information on extended ACLs, refer to “Configuring extended numbered ACLs” on page 56.
Standard ACLs permit or deny packets based on the source IP address only. You can configure up to 99 standard ACLs. There is no per-ACL limit on the number of entries an ACL can contain, other than the system-wide limit. For the number of ACL entries supported on a device, refer to “ACL IDs and entries” on page 52.
To configure a standard ACL and apply it to outgoing traffic on port 1/1, enter the following commands.
ServerIronADX(config)# access-list 1 deny host 209.157.22.26 
ServerIronADX(config)# access-list 1 deny 209.157.29.12 
ServerIronADX(config)# access-list 1 deny host IPHost1 
ServerIronADX(config)# access-list 1 permit any 
ServerIronADX(config)# int eth 1/1
ServerIronADX(config-if-1/1)# ip access-group 1 in
ServerIronADX(config)# write memory
The commands in this example configure an ACL that denies packets from three source IP addresses (two given as addresses, one as a host name) from being forwarded on port 1/1. The last ACL entry permits all packets that are not explicitly denied by the first three entries. Entries are evaluated in the order in which they are configured, so the permit any entry must come last; an entry placed after it would never be reached. Note that the ip access-group command in this example uses the in keyword, which binds the ACL to the inbound direction of port 1/1; use out (see the syntax below) to bind it to the outbound direction instead.
Standard ACL syntax
Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> 
or
Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> 
Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> 
Syntax: [no] access-list <num> deny | permit any 
Syntax: [no] ip access-group <num> in | out
The <num> parameter is the access list number and can be from 1 to 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded).
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.
NOTE
To specify the host name instead of the IP address, the host name must be configured using the Brocade device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.
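The following Python model is an added example written for this page; it is not Brocade code and does not talk to a ServerIron ADX. It parses standard-ACL entries in the four source forms listed in the syntax above (host, address with wildcard, address/mask-bits, any), evaluates a source address against an ACL with first-match semantics, and flags entries that are shadowed by an earlier entry and can therefore never fire, which is the ordering mistake the permit any entry in the page's example is most prone to. Assumptions, labelled in the code: a source address written without a wildcard is treated as an exact host match (0.0.0.0 wildcard), as the page's own deny 209.157.29.12 entry behaves; a packet matching no entry is denied, the conventional implicit deny that this page does not itself state; host-name entries are not modelled, since they would need the DNS resolver described in the NOTE. The sample configuration and addresses are constructed for the example.

```python
"""Model of ServerIron ADX standard numbered ACL matching (added example, not Brocade code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    network: int  # source address bits that must match, already masked
    mask: int     # 1 bits must match, 0 bits are "don't care" (the inverse of the wildcard)
    text: str     # original configuration line, kept for reporting

    def matches(self, src):
        return (int(ipaddress.IPv4Address(src)) & self.mask) == self.network


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def parse_entry(line):
    """Parse one 'access-list <num> deny|permit <source>' line into (num, AclEntry)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not an access-list entry: {line!r}")
    num = int(tokens[1])
    if not 1 <= num <= 99:
        raise ValueError(f"standard ACL number must be 1-99, got {num}")
    action = tokens[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected deny|permit, got {action!r}")
    spec = tokens[3:]
    if spec == ["any"]:
        network, mask = 0, 0                       # no bit has to match
    elif spec[0] == "host":
        network, mask = _to_int(spec[1]), 0xFFFFFFFF  # every bit has to match
    elif "/" in spec[0]:
        net = ipaddress.IPv4Network(spec[0], strict=False)   # <source-ip>/<mask-bits>
        network, mask = int(net.network_address), int(net.netmask)
    else:
        # <source-ip> [<wildcard>]. Assumption: a missing wildcard means 0.0.0.0,
        # i.e. an exact host match, as the page's 'deny 209.157.29.12' entry behaves.
        # Host names are not modelled here (they would need the DNS resolver).
        wildcard = _to_int(spec[1]) if len(spec) > 1 else 0
        mask = ~wildcard & 0xFFFFFFFF
        network = _to_int(spec[0]) & mask
    return num, AclEntry(action, network, mask, line.strip())


def parse_acls(config_text):
    """Group entries by ACL number, preserving configuration order (order is what gets evaluated)."""
    acls = {}
    for line in config_text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        num, entry = parse_entry(line)
        acls.setdefault(num, []).append(entry)
    return acls


def evaluate(entries, src):
    """First matching entry decides. Assumption: no match means deny (the conventional implicit deny)."""
    for entry in entries:
        if entry.matches(src):
            return entry.action
    return "deny"


def shadowed_entries(entries):
    """Return entries that can never fire because an earlier entry matches every address they match.

    Entry j is covered by earlier entry i when i fixes no bit that j leaves free
    (mask_i is a subset of mask_j) and j's network agrees with i on the bits i fixes.
    """
    shadowed = []
    for j, later in enumerate(entries):
        for earlier in entries[:j]:
            subset = (earlier.mask & ~later.mask) == 0
            if subset and (later.network & earlier.mask) == earlier.network:
                shadowed.append(later)
                break
    return shadowed


# Constructed sample, modelled on the page's example; the host-name entry is replaced
# by a wildcard entry so that every syntax form on the page is exercised.
SAMPLE_CONFIG = """\
! constructed sample configuration (not from a real device)
access-list 1 deny host 209.157.22.26
access-list 1 deny 209.157.29.12
access-list 1 deny 209.157.30.0 0.0.0.255
access-list 1 permit any
access-list 2 permit 10.1.0.0/16
access-list 2 deny 10.1.5.0 0.0.0.255
"""

if __name__ == "__main__":
    acls = parse_acls(SAMPLE_CONFIG)
    for src in ("209.157.22.26", "209.157.30.77", "209.157.29.13"):
        print(f"ACL 1, source {src}: {evaluate(acls[1], src)}")
    for entry in shadowed_entries(acls[2]):
        print(f"ACL 2: entry '{entry.text}' is shadowed by an earlier entry and never fires")
```

In the sample, ACL 2's deny entry is reported as shadowed: the preceding permit 10.1.0.0/16 already matches every address in 10.1.5.0/24, so the deny is dead configuration. Running the check over an ACL before applying it with ip access-group catches the same class of mistake as a deny placed after permit any.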