Brocade Communications Systems 6650 Switch User Manual


 
88 Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Standard named ACL configuration
Standard ACLs permit or deny packets based on source IP address. You can configure up to 99
standard named ACLs. There is no limit to the number of ACL entries an ACL can contain except for
the system-wide limitation. For the number of ACL entries supported on a device, refer to “ACL IDs
and entries” on page 83.
The commands for configuring named ACL entries are different from the commands for configuring
numbered ACL entries. The command to configure a numbered ACL is access-list. The command
for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL
entry, you specify all the command parameters on the same command. When you configure a
named ACL, you specify the ACL type (standard or extended) and the ACL name with one command,
which places you in the configuration level for that ACL. Once you enter the configuration level for
the ACL, the command syntax is the same as the syntax for numbered ACLs.
Standard named ACL syntax
Syntax: [no] ip access-list standard ACL-name | ACL-num
Syntax: deny | permit source-ip | hostname wildcard [log]
or
Syntax: deny | permit source-ip/mask-bits | hostname [log]
Syntax: deny | permit host source-ip | hostname [log]
Syntax: deny | permit any [log]
Syntax: [no] ip access-group ACL-name in | out
The ACL-name parameter is the access list name. You can specify a string of up to 256
alphanumeric characters. You can use blanks in the ACL name if you enclose the name in
quotation marks (for example, “ACL for Net1”).
The ACL-num parameter allows you to specify an ACL number if you prefer. If you specify a number,
you can specify from 1–99 for standard ACLs.
NOTE
For convenience, the software allows you to configure numbered ACLs using the syntax for named
ACLs. The software also still supports the older syntax for numbered ACLs. Although the software
allows both methods for configuring numbered ACLs, numbered ACLs are always formatted in the
startup-config and running-config files using the older syntax, as follows.
access-list 1 deny host 10.157.22.26 log
access-list 1 deny 10.157.22.0 0.0.0.255 log
access-list 1 permit any
access-list 101 deny tcp any any eq http log
The deny | permit parameter indicates whether packets that match a policy in the access list are
denied (dropped) or permitted (forwarded).
The source-ip parameter specifies the source IP address. Alternatively, you can specify the host
name.
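The entry forms listed under "Standard named ACL syntax" above, worked through as an added Python model of first-match evaluation (this is not the switch's code): it shows how the host, wildcard, source-ip/mask-bits and any forms are matched bit-wise, so an ACL can be checked against candidate source addresses before it is applied. The sample entries are constructed, and the deny returned when no entry matches models the implicit deny at the end of an ACL, which is assumed here rather than quoted from this page.

```python
import ipaddress

# Offline model of how a standard ACL evaluates a source address: entries are
# tested in order and the first match wins. Constructed example, not the
# switch's own implementation.
ALL_ONES = 0xFFFFFFFF

def parse_entry(line):
    """Parse one entry into (action, base, care_mask, log).

    A source matches when (src & care_mask) == (base & care_mask).
    Only the IP-address forms are handled; hostnames are not resolved here.
    """
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action in {line!r}")
    log = tokens[-1] == "log"
    args = tokens[1:-1] if log else tokens[1:]
    if args == ["any"]:
        base, care = 0, 0                      # no bits need to match
    elif args[0] == "host":
        base, care = int(ipaddress.ip_address(args[1])), ALL_ONES
    elif len(args) == 1 and "/" in args[0]:
        net = ipaddress.ip_network(args[0], strict=False)  # source-ip/mask-bits
        base, care = int(net.network_address), int(net.netmask)
    elif len(args) == 2:
        # source-ip wildcard form: a 1 bit in the wildcard means "don't care",
        # so the bits that must match are the inverse of the wildcard.
        base = int(ipaddress.ip_address(args[0]))
        care = ~int(ipaddress.ip_address(args[1])) & ALL_ONES
    else:
        raise ValueError(f"unsupported entry {line!r}")
    return action, base, care, log

def evaluate(acl_lines, source_ip):
    """Return (action, matching entry) for source_ip, or ("deny", None) when
    nothing matches (the implicit deny at the end of an ACL, assumed here)."""
    src = int(ipaddress.ip_address(source_ip))
    for line in acl_lines:
        action, base, care, _log = parse_entry(line)
        if (src & care) == (base & care):
            return action, line
    return "deny", None

# Constructed entries: the numbered access-list 1 shown above plus a /16 permit.
NET1_ACL = ["deny host 10.157.22.26 log", "deny 10.157.22.0 0.0.0.255 log",
            "permit 10.157.0.0/16", "permit any"]

if __name__ == "__main__":
    for ip in ("10.157.22.26", "10.157.22.200", "10.157.23.1", "192.0.2.7"):
        print(ip, *evaluate(NET1_ACL, ip))
```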