Rule-Based IP Access Control Lists (ACLs)
December 2005 © Foundry Networks, Inc. 12 - 5
Standard Numbered ACL Syntax
Syntax: [no] access-list <acl-num> deny | permit <source-ip> | <hostname> <wildcard> [log]
or
Syntax: [no] access-list <acl-num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]
Syntax: [no] access-list <acl-num> deny | permit host <source-ip> | <hostname> [log]
Syntax: [no] access-list <acl-num> deny | permit any [log]
Syntax: [no] ip access-group <acl-num> in
The <acl-num> parameter is the access list number from 1 – 99.
The deny | permit parameter indicates whether packets that match a policy in the access list are denied
(dropped) or permitted (forwarded).
The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.
NOTE: To specify the host name instead of the IP address, the host name must be configured using the Foundry
device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the
global CONFIG level of the CLI.
The <wildcard> parameter specifies the mask value to compare against the host address specified by the
<source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format)
consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>.
Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255
mean that all hosts in the Class C subnet 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP
address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of
“209.157.22.26 0.0.0.255” as “209.157.22.26/24”. The CLI automatically converts the CIDR number into the
appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant
portion of the IP address into ones. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255,
then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled
display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.
If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in
“/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length
command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry
regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config
files, but are shown with subnet mask in the display produced by the show ip access-list command.
The host <source-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this
parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.
The any parameter configures the policy to match on all host addresses.
The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted
or denied by the access policy. If you use the log argument, the ACL entry is sent to the CPU for processing.
NOTE: You can enable logging on ACLs and filters that support logging even when the ACLs and filters are
already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or
filter. The software replaces the ACL or filter command with the new one. The new ACL or filter, with logging
enabled, takes effect immediately.
The in parameter applies the ACL to incoming traffic on the interface to which you apply the ACL. You can apply
the ACL to an Ethernet port or virtual interface.
To Next Page
Loading...
Need help?
General
