Configuring Extended Numbered ACLs - Dell PowerConnect B-RX Configuration Manual

BigIron RX Series Configuration Guide v02.8.00

BigIron RX Series Configuration Guide, 53-1002253-01
Configuring numbered and named ACLs

<wildcard>
Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of "209.157.22.26 0.0.0.255" as "209.157.22.26/24". The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.
If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in "/<mask-bits>" format. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask in the display produced by the show access-list command.

host <source-ip> | <hostname>
Specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.

any
Use this parameter to configure the policy to match on all host addresses.

log
Configures the device to generate Syslog entries and SNMP traps for packets that are denied by the access policy. If you use the log argument, the ACL entry is sent to the CPU for processing. Refer to "ACL logging" on page 555 for more information.
You can enable logging on ACLs that support logging even when the ACLs are already in use. To do so, re-enter the ACL command and add the log parameter to the end of the ACL entry. The software replaces the ACL command with the new one. The new ACL, with logging enabled, takes effect immediately.

Parameters to bind standard ACLs to an interface
Use the ip access-group command to bind the ACL to an inbound interface and enter the ACL number for <num>.

Configuring extended numbered ACLs

This section describes how to configure extended numbered ACLs.
For configuration information on named ACLs, refer to "Configuring numbered and named ACLs" on page 529.
For configuration information on standard ACLs, refer to "Configuring standard numbered ACLs" on page 529.
Extended ACLs let you permit or deny packets based on the following information:
IP protocol
Source IP address or host name
Destination IP address or host name
Source TCP or UDP port (if the IP protocol is TCP or UDP)
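The wildcard and CIDR rules described for the <wildcard>, host and any parameters, worked through in Python as an added example (not code from the manual or the device software). The function names are hypothetical, modelling any as an all-ones wildcard is an assumption, and hostnames are not resolved.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def _int(addr):
    return int(ipaddress.IPv4Address(addr))

def _str(value):
    return str(ipaddress.IPv4Address(value))

def normalize(source_ip, wildcard):
    """Zero the non-significant (wildcard = 1) bits, as the saved config shows them."""
    w = _int(wildcard)
    return _str(_int(source_ip) & ~w & MASK32), _str(w)

def cidr_to_acl(entry):
    """Convert '<ip>/<mask-bits>' to the (source-ip, wildcard) pair."""
    addr, bits = entry.split("/")
    bits = int(bits)
    if not 0 <= bits <= 32:
        raise ValueError(f"invalid mask length: {bits}")
    return normalize(addr, _str((1 << (32 - bits)) - 1))

def parse_source(tokens):
    """Accept ['any'], ['host', ip], ['ip/bits'] or [ip, wildcard]."""
    if tokens == ["any"]:
        return "0.0.0.0", "255.255.255.255"  # assumption: 'any' modelled as all-ones wildcard
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0"          # implied mask of all zeros
    if "/" in tokens[0]:
        return cidr_to_acl(tokens[0])
    return normalize(tokens[0], tokens[1])

def matches(packet_src, source_ip, wildcard):
    """Zero bits in the wildcard must match; one bits are ignored."""
    care = ~_int(wildcard) & MASK32
    return (_int(packet_src) & care) == (_int(source_ip) & care)

if __name__ == "__main__":
    # Constructed sample entries and packet sources; the last entry has a
    # subnet mask typed where the wildcard belongs.
    for tokens in (["209.157.22.26/24"], ["209.157.22.26", "0.0.0.255"],
                   ["host", "209.157.22.26"], ["209.157.22.26", "255.255.255.0"]):
        src, wc = parse_source(tokens)
        hits = [p for p in ("209.157.22.200", "209.157.23.1", "10.9.8.26")
                if matches(p, src, wc)]
        print(" ".join(tokens), "->", src, wc, "matches", hits)
```

By the zero/one rule, the last sample entry matches any source address ending in .26 rather than the 209.157.22.x subnet, so a subnet mask entered in the wildcard position is worth looking for when reviewing ACLs.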
