Foundry NetIron M2404C and M2404F Metro Access Switches
Configuring ACLs (Rev. 03)
Overview
© 2008 Foundry Networks, Inc
Page 13 of 50
Table 5: ACL Configuration Commands

Command                      Description
---------------------------  -------------------------------------------------------
access-list (standard)       Creates a standard IP ACL.
access-list (extended)       Creates an extended IP ACL.
access-list (extended igmp)  Creates a Multicast Group extended IP ACL.
access-list (extended mac)   Creates an extended MAC ACL.
access-list (ether type)     Creates an ACL based on the EtherType.
access-list remark           Writes an explanatory remark for an entry in an IP ACL.
Creating a Standard IP ACL

The standard access-list command, in Global Configuration mode, creates a standard IP ACL. The no form of this command removes the specified ACL.

The standard ACL filters traffic by the source IP address in the packet IP header.

In order to distinguish standard Access Control Lists from other types of Access Control Lists, standard ACLs are created with acl-number values in the range 1 to 99.
Command Syntax

device-name(config)# access-list <acl-number> {deny | permit} SOURCE [SOURCE-WILDCARD] [provider-vlan <vlan-id> <wildcard mask>] [vlan <vlan-id> <wildcard mask>] [untagged] [vpt <priority>] [provider-vpt <priority>] precedence <precedence> tos <tos>

device-name(config)# no access-list <acl-number>
Argument Description

acl-number
    Number used to identify the ACL. Valid values are in the range <1–99>.

deny
    Denies access if the conditions are matched.

permit
    Permits access if the conditions are matched.

SOURCE
    Number of the network or host from which the packet is being sent. There are three ways to specify the source:
    1. Use a 32-bit quantity in 4-part dotted-decimal format (A.B.C.D).
    2. Use the keyword any as an abbreviation for a source of 0.0.0.0 and source-wildcard of 255.255.255.255.
    3. Use host source as an abbreviation for a source of 0.0.0.0 and source-wildcard 0.0.0.0.

SOURCE-WILDCARD
    (Optional). Wildcard bits to be applied to source. There are two ways to specify the source wildcard:
    1. Use a 32-bit quantity in 4-part dotted-decimal format. Place ones in the bit positions the user wants to ignore.
    2. Use /M to describe the IP mask.
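Added example (not from the Foundry manual): a small Python model of the standard ACL source matching described above. It parses access-list lines in the any, host, dotted-wildcard and /M forms, applies the wildcard (ones mark the bits to ignore) and evaluates a source IP against one ACL's entries. First-match-wins ordering, an implicit deny when no entry matches, and exact-host matching when SOURCE-WILDCARD is omitted are assumptions of this model, not statements from the page.

```python
import ipaddress
MASK32 = 0xFFFFFFFF  # 32 one-bits

def wildcard_from_prefix(prefix_len):
    """The /M form: a wildcard with ones in the host bits, i.e. the bits to ignore."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return MASK32 >> prefix_len

def parse_standard_acl(line):
    """Parse 'access-list <1-99> {deny|permit} SOURCE [SOURCE-WILDCARD]' into
    (acl_number, action, source, wildcard); vlan/vpt/precedence/tos are not parsed."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list":
        raise ValueError(f"not a standard access-list line: {line!r}")
    acl_number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if not 1 <= acl_number <= 99:  # standard ACLs use numbers 1 to 99
        raise ValueError("standard ACL numbers are in the range 1-99")
    if action not in ("deny", "permit"):
        raise ValueError("action must be deny or permit")
    if rest[0] == "any":  # shorthand for 0.0.0.0 255.255.255.255
        return acl_number, action, 0, MASK32
    if rest[0] == "host":  # shorthand for <address> with wildcard 0.0.0.0
        return acl_number, action, int(ipaddress.IPv4Address(rest[1])), 0
    source = int(ipaddress.IPv4Address(rest[0]))
    if len(rest) == 1:  # assumption: omitted SOURCE-WILDCARD means exact-host match
        wildcard = 0
    elif rest[1].startswith("/"):
        wildcard = wildcard_from_prefix(int(rest[1][1:]))
    else:
        wildcard = int(ipaddress.IPv4Address(rest[1]))
    return acl_number, action, source, wildcard

def entry_matches(entry, src_ip):
    """Compare only the bits the wildcard does not ignore."""
    _, _, source, wildcard = entry
    care = ~wildcard & MASK32
    return int(ipaddress.IPv4Address(src_ip)) & care == source & care

def evaluate(acl_lines, acl_number, src_ip, default="deny"):
    """Assumptions: entries are checked in order, first match wins, and a source
    matching no entry gets the default action (implicit deny)."""
    for entry in (parse_standard_acl(line) for line in acl_lines):
        if entry[0] == acl_number and entry_matches(entry, src_ip):
            return entry[1]
    return default

# Constructed sample ACL (not from the page) using all four source forms.
SAMPLE_ACL = ["access-list 10 deny host 192.0.2.7", "access-list 10 permit 192.0.2.0 0.0.0.255",
              "access-list 10 permit 198.51.100.0 /24", "access-list 20 permit any"]
```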