Dell PowerConnect B-RX Configuration Manual page 595

Bigiron rx series configuration guide v02.7.02

53-1001810-01

Configuring numbered and named ACLs

[match-all <tcp-flags>] [match-any <tcp-flags>]
[<icmp-type>] [established] [precedence <name> | <num>]

General parameters for extended ACLs
The following parameters apply to any extended ACL you are creating.

<num>
Enter 100 – 199 for a super ACL.

deny | permit
Enter deny if the packets that match the policy are to be dropped; permit if they are to be forwarded.

log
Add this parameter to the end of an ACL statement to enable the generation of SNMP traps and Syslog messages for packets denied by the ACL. You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one. The new ACL or filter, with logging enabled, takes effect immediately.
NOTE: Logging must be enabled on the interface to which the ACL is bound before SNMP traps and Syslog messages can be generated, even if the log parameter is entered. Refer to "ACL logging" on page 544.

src-mac <src-mac> <mask> | any
Specify the source MAC host for the policy. If you want the policy to match on all source addresses, enter any.

<wildcard>
Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of "209.157.22.26 0.0.0.255" as "209.157.22.26/24". The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file. The IP subnet masks in CIDR format are saved in the file in "/<mask-bits>" format.
If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask in the display produced by the show access-list command.

dst-mac <dst-mac> | <mask>
Specify the destination MAC host for the policy. If you want the policy to match on all destination addresses, enter any.

fragment
Enter this keyword if you want to filter fragmented packets. Refer to "Enabling ACL filtering of fragmented or non-fragmented packets" on page 557.
NOTE: The fragmented and non-fragmented parameters cannot be used together in an ACL entry.

non-fragment
Enter this keyword if you want to filter non-fragmented packets. Refer to "Enabling ACL filtering of fragmented or non-fragmented packets" on page 557.
NOTE: The fragmented and non-fragmented parameters cannot be used together in an ACL entry.
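
The <wildcard> and CIDR rules described above, worked through in Python as an added example; it is not part of the guide or of the switch software. The function names are hypothetical, only the Python standard library is used, and the matching rule is applied exactly as the text states it (zero bits must match, one bits match any value). The audit check goes one step beyond the text by flagging wildcards that have no CIDR equivalent.

```python
import ipaddress

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def cidr_to_acl(entry):
    """'209.157.22.26/24' -> ('209.157.22.0', '0.0.0.255'), the stored form."""
    net = ipaddress.ip_network(entry, strict=False)  # strict=False zeroes host bits
    return str(net.network_address), str(net.hostmask)

def normalize(acl_ip, wildcard):
    """Zero the non-significant (wildcard bit = 1) part of the address."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(_to_int(acl_ip) & care)), wildcard

def wildcard_matches(packet_ip, acl_ip, wildcard):
    """True if packet_ip equals acl_ip on every bit where the wildcard is 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_ip) & care) == (_to_int(acl_ip) & care)

def wildcard_to_prefix(wildcard):
    """Prefix length if the wildcard has a CIDR equivalent, else None."""
    w = _to_int(wildcard)
    if w & (w + 1):  # not of the form 2**k - 1: the ones are not right-aligned
        return None
    return 32 - w.bit_length()

def audit(entries):
    """Return (ip, wildcard) pairs whose wildcard has no CIDR equivalent,
    for example a subnet mask typed where a wildcard was intended."""
    return [(ip, wc) for ip, wc in entries if wildcard_to_prefix(wc) is None]

if __name__ == "__main__":
    # Constructed sample entries; the second one is a subnet mask used as a wildcard.
    sample = [("209.157.22.26", "0.0.0.255"), ("209.157.22.26", "255.255.255.0")]
    print(cidr_to_acl("209.157.22.26/24"))
    print(normalize("209.157.22.26", "0.0.0.255"))
    print(wildcard_matches("209.157.22.200", "209.157.22.26", "0.0.0.255"))
    # Read as a wildcard, 255.255.255.0 compares only the last octet:
    print(wildcard_matches("10.1.1.26", "209.157.22.26", "255.255.255.0"))
    print(audit(sample))
```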
