Configuration Guide User guide

ManualsBrandsBrocade ManualsComputer AccessoriesFastIron

1771

1720 FastIron Configuration Guide

53-1002494-02

Extended named ACL configuration

The fourth entry denies UDP packets from any source to the 209.157.22.x network, if the UDP port

number from the source network is 5 or 6 and the destination UDP port is 7 or 8.

The fifth entry permits all packets that are not explicitly denied by the other entries. Without this

entry, the ACL would deny all incoming or outgoing IP traffic on the ports to which you assign the

ACL.

The following commands apply ACL 103 to the incoming traffic on ports 2/1 and 2/2.

Extended named ACL configuration

The commands for configuring named ACL entries are different from the commands for configuring

numbered ACL entries. The command to configure a numbered ACL is access-list. The command

for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL

entry, you specify all the command parameters on the same command. When you configure a

named ACL, you specify the ACL type (standard or extended) and the ACL number with one

command, which places you in the configuration level for that ACL. Once you enter the

configuration level for the ACL, the command syntax is the same as the syntax for numbered ACLs.

Extended ACLs let you permit or deny packets based on the following information:

• IP protocol

• Source IP address or host name

• Destination IP address or host name

• Source TCP or UDP port (if the IP protocol is TCP or UDP)

• Destination TCP or UDP port (if the IP protocol is TCP or UDP)

The IP protocol can be one of the following well-known names or any IP protocol number from 0 –

255:

• Internet Control Message Protocol (ICMP)

• Internet Group Management Protocol (IGMP)

• Internet Gateway Routing Protocol (IGRP)

• Internet Protocol (IP)

• Open Shortest Path First (OSPF)

• Transmission Control Protocol (TCP)

• User Datagram Protocol (UDP)

For TCP and UDP, you also can specify a comparison operator and port name or number. For

example, you can configure a policy to block web access to a specific website by denying all TCP

port 80 (HTTP) packets from a specified source IP address to the website’s IP address.

Brocade(config)#int eth 2/1

Brocade(config-if-2/1)#ip access-group 103 in

Brocade(config-if-2/1)#exit

Brocade(config)#int eth 0/2/2

Brocade(config-if-2/2)#ip access-group 103 in

Brocade(config)#write memory