
FastIron Configuration Guide 1709
53-1002494-02
A DoS protection configuration on a port applies only to ingress traffic.
Outbound ACLs cannot be configured through a RADIUS server as dynamic or user-based ACLs.
However, outbound ACLs can still be configured on a port that has MAC authentication or 802.1X
enabled, because the two are applied in different directions.
The following ACL features and options are not supported on the FastIron devices:
Applying an ACL on a device that has Super Aggregated VLANs (SAVs) enabled.
ACL logging of permitted packets. ACL logging is supported only for inbound packets that are sent to
the CPU for processing (denied packets). It is not supported for packets that are processed in
hardware (permitted packets), so a log keyword on a permit entry produces no log messages.
Flow-based ACLs
Layer 2 ACLs
You can apply an ACL to a port that has TCP SYN protection or ICMP smurf protection, or both,
enabled.
Configuring standard numbered ACLs
This section describes how to configure standard numbered ACLs with numeric IDs and provides
configuration examples.
Standard ACLs permit or deny packets based on source IP address. You can configure up to 99
standard numbered ACLs. There is no limit to the number of ACL entries an ACL can contain except
for the system-wide limitation. For the number of ACL entries supported on a device, refer to “ACL
IDs and entries” on page 1706.
Standard numbered ACL syntax
Syntax: [no] access-list <ACL-num> deny | permit <source-ip> | <hostname> <wildcard> [log]
or
Syntax: [no] access-list <ACL-num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <ACL-num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <ACL-num> deny | permit any [log]
Syntax: [no] ip access-group <ACL-num> in | out
The <ACL-num> parameter is the access list number from 1 – 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are
denied (dropped) or permitted (forwarded).
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host
name.
NOTE
To specify the host name instead of the IP address, the host name must be configured using the
DNS resolver on the Brocade device. To configure the DNS resolver name, use the ip dns
server-address… command at the global CONFIG level of the CLI.
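The following configuration is an added worked example, not taken from the guide, that exercises each form of the standard numbered ACL syntax above. The ACL number (10), the addresses and the interface name (ethernet 1/1/5) are assumptions chosen for illustration; check the interface naming of your own platform. The "!" lines are comments in the style of a FastIron running-config and can be omitted when pasting.

```text
! Standard numbered ACL 10: filters on source IP only.
! Entries are evaluated top-down and the first match wins;
! anything that matches no entry is dropped by the implicit deny.

! Single host, using the "host" keyword (equivalent to wildcard 0.0.0.0)
access-list 10 deny host 192.168.50.200 log

! Whole /16 expressed with a wildcard mask: 0 bits must match, 1 bits are ignored
access-list 10 deny 10.10.0.0 0.0.255.255 log

! Same intent expressed with CIDR-style mask bits
access-list 10 permit 192.168.50.0/24

! A /24 expressed with a wildcard mask
access-list 10 permit 172.16.0.0 0.0.0.255

! Explicit catch-all so that drops caused by the implicit deny are logged.
! "log" only has an effect on deny entries: permitted packets are forwarded
! in hardware and are never logged on this platform.
access-list 10 deny any log

! Bind the list inbound on the port facing the untrusted segment.
! (Outbound application would be "ip access-group 10 out".)
interface ethernet 1/1/5
 ip access-group 10 in
```

A common mistake with the first form is to write a subnet mask where a wildcard is expected: "access-list 10 deny 10.10.0.0 255.255.0.0" ignores the first two octets and matches only sources whose last two octets are 0.0, which is almost never the intent. Use the /mask-bits form if you prefer to avoid wildcard arithmetic.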