BigIron RX Series Configuration Guide, 53-1002484-04 (page 614)
Chapter 22, Configuring numbered and named ACLs

Super ACL syntax
Syntax: [no] access-list <num> deny | permit
        any |
        log |
        src-mac <src-mac> <mask> |
        dst-mac <dst-mac> <mask> |
        vlan-id <vlan-id> |
        ip-pkt-len <pkt-len> |
        ip-fragment-match {[fragment [fragment-offset <0 - 8191>]] | [non-fragment] | [first-fragment]} |
        ip-protocol <ip-protocol> |
        sip {<source-ip>/<source-ip-mask-len> | host <hostname>} |
        dip {<destination-ip>/<destination-ip-mask-len> | host <hostname>} |
        sp <operator> <source-tcp/udp-port> |
        dp <operator> <destination-tcp/udp-port> |
        icmp-detail <icmp-type-code> |
        dscp-matching <0 - 63> |
        802.1p-priority-matching <0 - 7> |
        ipsec-spi <00000000 - ffffffff> |
        qos-marking {[dscp <0 - 63> 802.1p-priority-marking <0 - 7> internal-priority-marking <0 - 7>] | [dscp <0 - 63> dscp-cos-mapping] | [use-packet-dscp dscp-cos-mapping]} |
        tcp-flags {[match-all <tcp flags>] | [match-any <tcp flags>] | [established]}

<tcp flags> = [{+|-}urg] [{+|-}ack] [{+|-}psh] [{+|-}rst] [{+|-}syn] [{+|-}fin]
<icmp-type-code> = <type> <code> | <well-known type/code>
Most of the keywords in this syntax are self-explanatory and work the same way as the corresponding keywords in IPv4 and MAC ACLs. The QoS options are also similar to those in IPv4 ACLs; the difference is that in a super ACL the three QoS marking modes are grouped under the single keyword qos-marking to simplify the syntax.
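To make the grammar above concrete, and to check a candidate entry against the ranges the guide states (ACL ID 500 - 599, fragment-offset 0 - 8191, dscp 0 - 63, 802.1p and internal priority 0 - 7, an eight-hex-digit ipsec-spi) before it is pasted into a production configuration, here is a small Python parser and validator written for this page. It is an added example, not code from the BigIron RX guide or from Brocade, and the function names parse_super_acl and validate are its own. Assumptions not stated in the guide: MAC addresses in the dotted-hex form aaaa.bbbb.cccc, TCP/UDP ports 0 - 65535, ICMP type and code 0 - 255, and match keywords accepted in any order. The sample rules, including the host name webserver, are constructed for the example.

```python
"""Parser/validator for BigIron RX super ACL lines (access-list 500 - 599).
Added example, not vendor code. The GRAMMAR table transcribes the syntax and
the numeric ranges stated in the guide; assumed rather than stated there:
dotted-hex MAC form, ports 0 - 65535, ICMP type/code 0 - 255, any keyword order."""
import re

# Slot types used in GRAMMAR. "N<max>" is an integer 0..max, "FLAGS" is one or
# more FLAG tokens, and any other slot string is a literal keyword.
SLOT = {
    "WORD": r"\S+",
    "MAC": r"([0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}",          # assumed aaaa.bbbb.cccc
    "PREFIX": r"(\d{1,3}\.){3}\d{1,3}/(\d|[12]\d|3[0-2])",
    "HEX8": r"[0-9a-fA-F]{8}",                               # ipsec-spi 00000000 - ffffffff
    "FLAG": r"[+-](urg|ack|psh|rst|syn|fin)",
}
GRAMMAR = {  # keyword -> allowed argument forms, tried in order (longest first)
    "any": [()], "log": [()],
    "src-mac": [("MAC", "MAC")], "dst-mac": [("MAC", "MAC")],
    "vlan-id": [("WORD",)], "ip-pkt-len": [("WORD",)], "ip-protocol": [("WORD",)],
    "ip-fragment-match": [("fragment", "fragment-offset", "N8191"), ("fragment",),
                          ("non-fragment",), ("first-fragment",)],
    "sip": [("PREFIX",), ("host", "WORD")], "dip": [("PREFIX",), ("host", "WORD")],
    "sp": [("WORD", "N65535")], "dp": [("WORD", "N65535")],
    "icmp-detail": [("N255", "N255"), ("WORD",)],
    "dscp-matching": [("N63",)], "802.1p-priority-matching": [("N7",)],
    "ipsec-spi": [("HEX8",)],
    "qos-marking": [("dscp", "N63", "802.1p-priority-marking", "N7",
                     "internal-priority-marking", "N7"),
                    ("dscp", "N63", "dscp-cos-mapping"), ("use-packet-dscp", "dscp-cos-mapping")],
    "tcp-flags": [("established",), ("match-all", "FLAGS"), ("match-any", "FLAGS")],
}


def _try_form(form, toks, pos):
    """Match one argument form against toks[pos:]; return (values, new_pos) or None."""
    vals = []
    for slot in form:
        if slot == "FLAGS":  # greedy: consume every {+|-}flag token that follows
            flags = []
            while pos < len(toks) and re.fullmatch(SLOT["FLAG"], toks[pos]):
                flags.append(toks[pos])
                pos += 1
            if not flags:
                return None
            vals.append(flags)
            continue
        if pos >= len(toks):
            return None
        tok = toks[pos]
        if slot[0] == "N" and slot[1:].isdigit():             # integer 0..max
            ok = tok.isdigit() and int(tok) <= int(slot[1:])
        else:                                                  # typed token or literal keyword
            ok = re.fullmatch(SLOT.get(slot, re.escape(slot)), tok) is not None
        if not ok:
            return None
        vals.append(int(tok) if slot[0] == "N" and tok.isdigit() else tok)
        pos += 1
    return vals, pos


def parse_super_acl(line):
    """Parse one super ACL line into a dict; raise ValueError if it is malformed."""
    toks = line.split()
    if len(toks) < 3 or toks[0] != "access-list" or toks[2] not in ("deny", "permit"):
        raise ValueError("expected: access-list <num> deny | permit ...")
    if not toks[1].isdigit() or not 500 <= int(toks[1]) <= 599:
        raise ValueError(f"num: super ACL IDs are 500 - 599, got {toks[1]!r}")
    rule, pos = {"num": int(toks[1]), "action": toks[2]}, 3
    while pos < len(toks):
        kw = toks[pos]
        if kw not in GRAMMAR:
            raise ValueError(f"unknown keyword {kw!r}")
        for form in GRAMMAR[kw]:
            hit = _try_form(form, toks, pos + 1)
            if hit:
                rule[kw], pos = hit[0] or True, hit[1]
                break
        else:
            raise ValueError(f"{kw}: arguments do not match any allowed form")
    return rule


def validate(line):
    """Return None if the line parses cleanly, otherwise the error message."""
    try:
        return parse_super_acl(line) and None
    except ValueError as err:
        return str(err)


# Constructed sample rules for this example (not taken from the guide).
SAMPLE_RULES = [
    "access-list 510 permit sip 10.0.0.0/8 dip host webserver dp eq 443 tcp-flags match-all +syn -ack",
    "access-list 510 permit dip 10.1.1.10/32 tcp-flags established",
    "access-list 510 deny ip-fragment-match fragment fragment-offset 8191 log",
    "access-list 510 permit any qos-marking dscp 46 802.1p-priority-marking 5 internal-priority-marking 5",
    "access-list 600 deny any",               # rejected: ID outside 500 - 599
    "access-list 510 deny dscp-matching 64",  # rejected: dscp outside 0 - 63
]
```

Call validate() on each candidate line: a None result means the line conforms to the grammar and its ranges, anything else is the reason it does not. The first two sample rules show the pairing a practitioner most often wants from tcp-flags, admitting new connections only to a named server (match-all +syn -ack) while letting established traffic through elsewhere; the last two are the two most common mistakes, an ACL ID outside the super ACL range and an out-of-range DSCP value.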
General parameters for super ACLs
The following parameters apply to super ACLs:
num            The ACL ID. Enter 500 - 599 for super ACLs.
deny | permit  Enter deny if packets that match the policy are to be dropped, or permit if they are to be forwarded.
any            Matches any packet.
log            Enables logging for denied packets. ACL logging is disabled by default; it must be explicitly enabled on a port.
               NOTE: Logging is not currently supported on management interfaces.
src-mac        Specifies the source MAC address and mask for the policy. If you want the policy to match on all source addresses, enter any.
dst-mac        Specifies the destination MAC address and mask for the policy. If you want the policy to match on all destination addresses, enter any.
               NOTE: Host names are accepted only where the syntax shows host <hostname>, that is, for the sip and dip parameters, not in place of a MAC address. To specify a host name instead of an IP address, the host name must be resolvable through a DNS server configured with the ip dns server-address… command at the global CONFIG level of the CLI.
vlan-id        Specifies the VLAN ID.