Brocade Communications Systems 6650 Switch User Manual

vi Brocade ICX 6650 Security Configuration Guide
53-1002601-01
Configuring standard numbered ACLs. . . . . . . . . . . . . . . . . . . . . . . .86
Standard numbered ACL syntax . . . . . . . . . . . . . . . . . . . . . . . . .86
Configuration example for standard numbered ACLs . . . . . . . .87
Standard named ACL configuration. . . . . . . . . . . . . . . . . . . . . . . . . .87
Standard named ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Configuration example for standard named ACLs. . . . . . . . . . .90
Extended numbered ACL configuration. . . . . . . . . . . . . . . . . . . . . . .90
Extended numbered ACL syntax . . . . . . . . . . . . . . . . . . . . . . . . .91
Configuration examples for extended numbered ACLs . . . . . . .95
Extended named ACL configuration. . . . . . . . . . . . . . . . . . . . . . . . . .96
Extended named ACL syntax. . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Applying egress ACLs to Control (CPU) traffic . . . . . . . . . . . . . . . . .101
Preserving user input for ACL TCP/UDP port numbers. . . . . . . . . .101
ACL comment text management . . . . . . . . . . . . . . . . . . . . . . . . . . .102
Adding a comment to an entry in a numbered ACL. . . . . . . . .102
Adding a comment to an entry in a named ACL. . . . . . . . . . . .103
Deleting a comment from an ACL entry . . . . . . . . . . . . . . . . . .103
Viewing comments in an ACL . . . . . . . . . . . . . . . . . . . . . . . . . .103
Applying an ACL to a virtual interface in a protocol- or subnet-based VLAN . . . . . . . . . . . . . .104
ACL logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Configuration notes for ACL logging . . . . . . . . . . . . . . . . . . . . .105
Configuration tasks for ACL logging . . . . . . . . . . . . . . . . . . . . .106
Example ACL logging configuration. . . . . . . . . . . . . . . . . . . . . .106
Displaying ACL Log Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . .107
Enabling strict control of ACL filtering of fragmented packets. . . .108
Enabling ACL support for switched traffic in the router image . . .109
Enabling ACL filtering based on VLAN membership or VE port membership . . . . . . . . . . . . . . .109
Configuration notes for ACL filtering. . . . . . . . . . . . . . . . . . . . .109
Applying an IPv4 ACL to specific VLAN members on a port (Layer 2 devices only) . . . . . . . . .110
Applying an IPv4 ACL to a subset of ports on a virtual interface (Layer 3 devices only) . . . . .110
ACLs to filter ARP packets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .111
Configuration considerations for filtering ARP packets. . . . . .112
Configuring ACLs for ARP filtering. . . . . . . . . . . . . . . . . . . . . . .112
Displaying ACL filters for ARP . . . . . . . . . . . . . . . . . . . . . . . . . .113
Clearing the filter count. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Filtering on IP precedence and ToS values . . . . . . . . . . . . . . . . . . .113
TCP flags - edge port security . . . . . . . . . . . . . . . . . . . . . . . . . .114
QoS options for IP ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .114
Configuration notes for QoS options on Brocade ICX 6650 . .115
Using an IP ACL to mark DSCP values (DSCP marking). . . . . .115
DSCP matching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
ACL-based rate limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117