
FastIron Configuration Guide 1725
53-1002494-02
You can enable logging on inbound ACLs and filters that support logging even when the ACLs
and filters are already in use. To do so, re-enter the ACL or filter command and add the log
parameter to the end of the ACL or filter. The software replaces the ACL or filter command with
the new one. The new ACL or filter, with logging enabled, takes effect immediately.
The traffic-policy option enables the device to rate limit inbound traffic and to count the packets
and bytes to which ACL permit or deny clauses are applied. For configuration procedures and
examples, refer to the chapter “Traffic Policies” on page 1773.
Configuration example for extended named ACLs
To configure an extended named ACL, enter the ip access-list extended <ACL_name> command.
The options at the ACL configuration level and the syntax for the ip access-group command are the
same for numbered and named ACLs and are described in “Extended numbered ACL
configuration” on page 1714.
The following example defines a named ACL that denies and logs Telnet from one host, permits all
other IP traffic, and applies the ACL inbound on port 1/1. The ACL name contains a space, so it is
enclosed in quotation marks.
Brocade(config)#ip access-list extended "block Telnet"
Brocade(config-ext-nACL)#deny tcp host 209.157.22.26 any eq telnet log
Brocade(config-ext-nACL)#permit ip any any
Brocade(config-ext-nACL)#exit
Brocade(config)#int eth 1/1
Brocade(config-if-1/1)#ip access-group "block Telnet" in
Applying egress ACLs to Control (CPU) traffic
By default, outbound ACLs are not applied to traffic generated by the CPU. To apply them, enter
the enable egress-acl-on-control-traffic command. Once the command is in effect, an outbound
deny clause that matches traffic the device itself originates (for example, responses to management
sessions, syslog messages, SNMP traps or NTP packets) drops that traffic, so confirm that the
outbound ACL permits the device's own traffic before enabling it.
Syntax: enable egress-acl-on-control-traffic
Preserving user input for ACL TCP/UDP port numbers
By default, the ACL implementation displays the TCP/UDP port name (for example, http) in place
of the port number, regardless of how the user entered it. When the option to preserve user input is
enabled, the system displays the port name or the port number exactly as the user entered it.
To enable this feature, enter the ip preserve-ACL-user-input-format command.
Brocade(config)#ip preserve-ACL-user-input-format
Syntax: ip preserve-ACL-user-input-format
The following describes how this feature works for a TCP port (it works the same way for UDP
ports). The user identifies the TCP port by number (80) when configuring ACL 140. Without the
feature, show ip access-list 140 displays the port name instead (http in this example). After the
user enters the ip preserve-ACL-user-input-format command, show ip access-list 140 displays
the port number or the port name, depending on how the user configured it.
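The display behaviour described above matters when ACL configurations are captured and compared (change auditing, compliance checks, diffing a snapshot taken before the preserve option was enabled against one taken after): the same clause can appear as "eq telnet" on one device and "eq 23" on another. The following is an added example, not Brocade code and not part of this guide: a small Python canonicalizer for extended ACL entries in the permit/deny form shown on this page. It maps port names and numbers to one representation so two snapshots compare equal regardless of display form, and it also reports deny clauses that lack the log parameter discussed earlier in this section. The port-name table and the two snapshots are constructed for the example; the entry grammar it assumes is action, protocol, source, optional port clause, destination, optional port clause, trailing flags.

```python
"""Canonicalize FastIron-style extended ACL entries (added example, not Brocade code).

Assumes entries of the form:
    permit|deny <proto> <src> [eq|neq|lt|gt|range PORT...] <dst> [op PORT...] [flags]
where an address is `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD`.
"""

# Constructed subset of the service names the CLI substitutes for numbers.
PORT_NAMES = {
    "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "dns": 53, "http": 80,
    "pop3": 110, "ntp": 123, "snmp": 161, "https": 443, "syslog": 514,
}
PORT_OPS = {"eq", "neq", "lt", "gt", "range"}


def canonical_port(token):
    """Return the numeric port for a name or number token."""
    if token.isdigit():
        return int(token)
    try:
        return PORT_NAMES[token.lower()]
    except KeyError:
        raise ValueError(f"unknown port name {token!r}") from None


def _take_addr(toks, i):
    """Consume one address spec starting at toks[i]; return (text, next_index)."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"host {toks[i + 1]}", i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2  # address + wildcard mask


def _take_port(toks, i):
    """Consume an optional port clause; return (normalized text or None, next_index)."""
    if i >= len(toks) or toks[i] not in PORT_OPS:
        return None, i
    op = toks[i]
    if op == "range":
        lo, hi = canonical_port(toks[i + 1]), canonical_port(toks[i + 2])
        return f"range {lo} {hi}", i + 3
    return f"{op} {canonical_port(toks[i + 1])}", i + 2


def parse_entry(line):
    """Split one ACL entry into its fields, with ports numeric and flags sorted."""
    toks = line.split()
    action, proto = toks[0].lower(), toks[1].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"not an ACL entry: {line!r}")
    src, i = _take_addr(toks, 2)
    sport, i = _take_port(toks, i)
    dst, i = _take_addr(toks, i)
    dport, i = _take_port(toks, i)
    flags = sorted(t.lower() for t in toks[i:])
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def canonical(line):
    """Render an entry in one fixed form, independent of name/number display."""
    e = parse_entry(line)
    parts = [e["action"], e["proto"], e["src"]]
    if e["sport"]:
        parts.append(e["sport"])
    parts.append(e["dst"])
    if e["dport"]:
        parts.append(e["dport"])
    parts.extend(e["flags"])
    return " ".join(parts)


def diff_acl(before, after):
    """Return (removed, added) canonical entries between two snapshots."""
    b = {canonical(l) for l in before}
    a = {canonical(l) for l in after}
    return sorted(b - a), sorted(a - b)


def unlogged_denies(lines):
    """Canonical deny entries that were configured without the log parameter."""
    out = []
    for line in lines:
        e = parse_entry(line)
        if e["action"] == "deny" and "log" not in e["flags"]:
            out.append(canonical(line))
    return out


# Constructed snapshots: the first as the CLI shows the ACL without the preserve
# option (names substituted), the second as the user typed it.
SHOWN_WITHOUT_PRESERVE = [
    "deny tcp host 209.157.22.26 any eq telnet log",
    "deny tcp 10.1.0.0 0.0.255.255 any eq http",
    "permit ip any any",
]
AS_TYPED = [
    "deny tcp host 209.157.22.26 any eq 23 log",
    "deny tcp 10.1.0.0 0.0.255.255 any eq 80",
    "permit ip any any",
]

if __name__ == "__main__":
    print("differences:", diff_acl(SHOWN_WITHOUT_PRESERVE, AS_TYPED))
    print("deny entries without log:", unlogged_denies(AS_TYPED))
```

Comparing canonical forms rather than raw show output avoids false change alerts when the preserve option is toggled or when devices differ in that setting; the unlogged-deny report is the check to run before relying on ACL logs as a detection source.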