Manuals / Brands / Computer Equipment / Network Router / Brocade Communications Systems / Computer Equipment / Network Router

Brocade Communications Systems RFS4000, RFS6000, RFS7000 Example - denying traffic to the interface

1 839

Download 839 pages, 5.39 Mb

Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide 473

53-1001931-01

Standard ACL config commands 15

deny

Standard ACL config commands

Specifies packets to reject

Supported in the following platforms:

•Mobility RFS4000 Controller

•Mobility RFS6000 Controller

•Mobility RFS7000 Controller

Syntax

deny [<source-IP/Mask>|any|host <IP>]

{log} {rule-precedence

<1-5000>}

Parameters

Usage Guidelines

Use this command to deny traffic based on the source IP address or network address. The last ACE

in the access list is an implicit deny statement.

Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL.

It is allowed/denied based on the ACL configuration.

NOTE

The log option is functional only for router ACL’s. The log option results in an informational logging

message for the packet matching the entry sent to the console.

Example - denying traffic to the interface

The example below denies all traffic entering the interface (a log message is generated whenever

the interface receives a packet):

RFController(config-std-nacl)#deny any log rule-precedence 50

RFController(config-std-nacl)#

[<source-IP/Mask>|any|ho

st <IP>] {log}

{rule-precedence

<1-5000>}

Use with a deny command to reject packets

•<source-IP/Mask>|any|host <IP> – The keyword

<source-IP> is the source IP address of the network or host

in dotted decimal format. The <Mask> is the network mask.

For example, 10.1.1.10/24 indicates the first 24 bits of the

source IP is used for matching.

•any – any is an abbreviation for a source IP of 0.0.0.0 and

source-mask bits equal to 0

•host – host is an abbreviation for the exact source <IP>

(A.B.C.D format) and source-mask bits equal to 32

•log – Generates log messages when the packet coming from

the interface matches an ACL entry. Log messages are

generated only for router ACLs.

•rule-precedence <1-5000> – Defines an integer value

between 1-5000. This value sets the rule precedence in the

ACL..

Contents

Main Brocade Communications Systems, Incorporated Document History Sept 2010 Title Publication number Summary of changes Date Brocade Mobility RFS4000, RFS6000 and RFS7000 CLI Reference Guide About This Document 13 1 Introduction 21 2 Common Commands 31 3 User Exec Commands 155 4 Privileged Exec Commands 169 5 Global Configuration Commands 217 6 Crypto-isakmp Instance 327 7 Crypto-group Instance 341 8 Crypto-peer Instance 351 9 Crypto-ipsec Instance 361 10 Crypto-map Instance 371 11 Crypto-trustpoint Instance 387 12 Interface Instance 403 13 Spanning tree-mst Instance 435 14 Extended ACL Instance 449 15 Standard ACL Instance 471 16 Extended MAC ACL Instance 487 17 DHCP Server Instance 507 18 DHCP Class Instance 543 19 Radius Server Instance 555 20 Wireless Instance 589 21 RTLS Instance 705 22 ESPI Instance 729 23 RFID Instance 739 24 SOLE Instance 753 25 Smart RF Instance 767 26 Role Instance 801 27 AAP IP Filtering 819 About This Document Audience How to use this guide How to use this guide Chapter Supported hardware and software Document conventions Text formatting Page How to use this guide .Command syntax conventions Notes, cautions, and warnings Notice to the reader Web support sites Page 1 CLI overview Configuration for connecting to the CLI using a terminal emulator CLI Modes TABLE 1 Getting context sensitive help TABLE 1 Page Using the no and default command forms Basic conventions Using CLI editing features and shortcuts Moving the cursor on the command line Completing a partial command name TABLE 2 Deleting entries Re-displaying the Current Command Line Command output pagination Transposing mistyped characters Controlling Capitalization Page 2 Common commands Page Page Page Page Page Syntax(User Executable Mode) <temp-sensor-number> 01|05|15 <1-3> 128|128k|16k|1k|256|2k|32|32k|4k|512|64|64k|8k Page Page Page Page Page {<1-8192>|<MAC>} {<1-99>} {<SPECNAME>} {<1-1024>} Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page show Page Display Parameters Description Mode Example autoinstall banner commands Page Page environment history interfaces Page Page Page Page Page ldap Displays LDAP information licenses logging Page mac-address-table Page mobility Displays the mobility parameters Page ntp Displays NTP protocol information port-channel Page privilege radius redundancy dynamic-ap-load-balance redundancy group Page redundancy history redundancy members rtls Page Page smtp-notification Page snmp snmp-server Displays SNMP server information Page Displays Spanning Tree information Page static-channel-group Page timezone traffic-shape users version wireless {detail} {ap statistics {<1-1024>}} {<1-1000>} {<1-32> {detail}} Page Page Page Page (config-wireless) Executable Mode Displays the (config- wireless) configuration parameters and information Parameters (config-wireless) Executable Mode Page Page Page Page Common Commands 2-119 Page Page Common Commands 2-123 wlan-acl access-list aclstats alarm-log Page clock debugging dhcp file ftp password-encryption running-config Page Page securitymgr Page startup-config Page upgrade-status mac-name firewall role virtual-IP Global Config Mode Example Disables the virtual-ip protocol Removes the configured vmac on the controller Removes the configured virtual-ip of that vlan wwan aap-wlan-acl aap-wlan-acl-stats protocol-list service-list Page 3 User exec commands TABLE 3 Page Page Page cluster-cli disable enable logout page ping quit telnet traceroute 4 Priv Exec command TABLE 4 acknowledge archive Page cd change-passwd Page Page Page clock cluster-cli configure copy Priv Exec command 4 debug Use this command for debugging {[debug|err|info|warn]} {[all|events|kernel|packet]} {[all|err|info|warn]} Page Page Page Page delete diff dir disable edit enable erase halt kill logout mkdir more Page page ping pwd quit reload rename rmdir telnet Page traceroute upgrade Page upgrade - abort write format Page 5 Global Configuration commands Page Page aaa access-list Page Adds an Extended IP access list entry. Adds an Extended IP access list entry. autoinstall Page banner boot bridge country-code Page {<pass-phrase>} {dynamic} Page Page Page Page Page Use Case 1: Configuring Remote VPN Use the commands below to configure IPSec VPN on the controller: Use Case 2: Configuring Site-to-Site VPN Page d. Create and configure IPSec an transform set. e. Create and configure a crypto map. f. Associate the crypto map with a VLAN interface. do Page errdisable ftp hostname interface Page Page Page Page Page Page Page Create a USER class named MC800. The privilege mode changes to (config-dhcpclass). license line local logging Page Page mac-address-table mac-name Page ntp Page Page prompt radius-server ratelimit redundancy role Page rtls Page Note: The process restart is one count less than what is configured. Page smtp-notification Modifies SMTP notification parameters Page Page Page Page Page Page snmp-server Modifies SNMP engine parameters {[vlanUserLimitReached|webPortalUnavailabl e| webPortalUnreachable|webPortalUnconnected] } {<word>} {<1-65535>} Page Page Page Page Page Page Page Page Page timezone traffic-shape Page username Encrypting a Password vpn wireless wlan-acl Page Page network-element-id firewall Page virtual-ip Page wwan aap-wlan-acl arp Page aap-ipfilter-list whitelist Page 6 Crypto ISAKMP config commands Table 6 summarizes crypto-isakmp commands TABLE 6 authentication Page encryption Page Page Page hash Page lifetime Page Page Page Crypto ISAKMP config commands 7 Crypto Group config commands TABLE 7 Page dns Page Page Page Page Page Crypto Group config commands 7 wins 8 Crypto Peer config commands TABLE 8 Page Page Page Page Page Page set Page Crypto Peer config commands 9 Crypto IPSec config commands TABLE 9 Page Page Page mode Page Page Crypto IPSec config commands RFController(config-crypto-ipsec)#show Page Page 10 Crypto Map config commands TABLE 10 Page Page Page Page match Page Page Page set Page Page Page Crypto Map config commands 10 Page 11 crypto pki trustpoint Trustpoint (PKI) config commands Table 11 summarizes config-crypto-trustpoint commands: TABLE 11 Page company-name email Page Page fqdn Page ip-address Page password rsakeypair Page Page Trustpoint (PKI) config commands 11 subject-name 12 Interface config commands TABLE 12 Interface config commands Page Page description duplex Page Page Page Page Interface config commands 12 [<1-99>| <100-199>| <1300-1999>| <2000-2699>] <1-1000000> Creating helper address using DHCP server Configuring a static NAT source translation Page Page Page port-channel Configuring a port aggregation How src-dst-mac mode works How src-dst-ip mode works Why is src-dst-ip mode preferred Page Page Interface config commands 12 shutdown Page Interface config commands Page speed static-channel-group controllerport Page storm-control tunneling Page 13 mst config commands Table summarizes the (config-mst) commands: TABLE 13 Page Page Page Page instance name revision Page Page Page mst config commands 13 Page 14 Extended ACL config commands TABLE 14 Page Page Page Example - denying traffic between two subnets Example - denying TCP based traffic Example - denying UDP based traffic Example - denying ICMP based traffic Example - denying protocol based ACL Page Page Page Page Extended ACL config commands 14 Page Example - marking dot1p on TCP based traffic Example - marking tos on TCP based traffic Page Page Page Permitting IP based traffic Permitting Telnet based traffic Permitting ICMP based traffic Page Page Configuring IP Extended ACL Page 15 Standard ACL config commands TABLE 15 Page Example - denying traffic to the interface Use with a deny command to reject packets Page Page Page Page Use with a mark command to mark packets Marking tos for Source Network Traffic Page Example - permitting traffic to interface Use with a permit command to allow packets Page Page Page Use case: configuring IP standard ACL 15 Use case: configuring IP standard ACL Page 16 MAC Extended ACL config commands Table summarizes config-ext-macl commands: TABLE 16 Page Page Example - denying traffic from any MAC add ress Example - denying dot1q tagged traffic Example - denying traffic between two MAC based hosts Page Page Page Page Example - marking dot1p priority value for 802.1q tagged traffic Page Page Page Page Example - permitting WISP traffic Example - permitting ARP traffic Permitting IP traffic MAC Extended ACL config commands Page Page Configuring MAC Extended ACL 16 Configuring MAC Extended ACL MAC Extended ACLs contain rules based on the following parameters: Page 17 DHCP Config commands TABLE 17 DHCP Config commands (config-dhcp) instance configurations address bootfile class Creating a DHCP User Class config-dhcp-class address TABLE 18 client-identifier client-name Page ddns default-router dns-server domain-name Page Page hardware-address Page host lease DHCP Config commands netbios-name-server netbios-node-type network next-server Page option Page Page DHCP Config commands 17 update unitcast-enable Configuring the DHCP server using controller CLI Creating network pool Creating a Host Pool Troubleshooting DHCP Configuration Creating a DHCP Option 18 DHCP Server Class config commands TABLE 19 Page Page Page Page multiple-user-class multiple-user-class option user-class <class-name> option Creating a DHCP user class user-class <class-name> Page ? DHCP Server Class config commands 18 Page 19 (config-radsrv) Radius configuration commands Table 20 summarizes the Radius server configuration command: TABLE 20 authentication Setting eap-auth-type to tls ensures only tls authentication is serviced. ca Page crl-check Page Page clrscr TABLE 21 end exit group guest-group help no group Use this command to negate a command or set its defaults group policy Page rad-user rate-limit service show Page Examplecreating a group Page Page ldap-server Radius configuration commands 19 ame:-%{User-Name}}) Page nas Page proxy rad-user Page Page server Page Page Page ldap-group-verification Page 20 Wireless configuration commands This table summarizes (config-wireless) commands: Page TABLE 22 aap Page admission-control adopt-unconf-radio adoption-pref-id ap Defines the name, location and other parameters of access points Page Page wireless ap Page ap-containment ap-detection Configures access point detection parameters ap-image ap-ip Page ap-standby-attempts-threshold ap-timeout ap-udp-port auto-select-channels broadcast-tx-speed client Configuring a client config-wireless-client-list commands station wlan Page cluster-master-support convert-ap Converting an AP to sensor Page country-code Use the show wireless country code command to view the list of supported countries debug For all the above parameters, the following optional values are set: debug err info warn Page dhcp-one-portal-forward dhcp-sniff-state dot11-shared-key-auth Page Page fix-broadcast-dhcp-rsp Page hotspot load-balance mac-auth-local manual-wlan-mapping wireless-client mobility multicast-packet-limit multicast-throttle-watermark nas-id nas-port-id Page proxy-arp qos-mapping radio Page <40-180> Page The following is the list of parameters for the Page Page Page Page rate-limit secure-wispe-default-secret self-heal sensor Page <MAC> {[<0-8192>|<MAC>]} {[<1-4094>|description|mapping]} {<0-99> {<0-99>}} {<ap-index>} Page Page Page Page Page Page See also, service on page 37. To stop a service, use the no command. For instance, use no service wireless idle-radio-send-multicast enable to stop sending broadcast/multicast frames to idle radios Page Page Page Page Page Page Page Page Page smart-rf smart-scan-channels wlan Configures Wireless LAN related commands Manual mapping of wlan will be erased when the actual wlan is disabled and enabled. {limit <0-4096>} {logout-on-browser-close} {auth-port <port>} {auth-port <port>}| {auth-port <port>} {acct-port <port>} {auth-port <1024-65535>}| {port <1-65535>} {limit <0-8192>} Page Page Page Page Page Page Page Page Page Page Page Page Page Page wlan-bw-allocation dot11k wips Page Page non-preferred-ap-attempts-threshold test 21 (config-rtls) RTLS config commands This summarizes config-rtls commands: TABLE 23 aeroscout Page Page Page espi Page Page ekahau Page Page reference-tag rfid Page Page Page Page RTLS config commands site sole controller zone ap Page 22 ESPI config commands TABLE 24 adapter Page Page Page Page Page Page ESPI config commands 22 ESPI config commands Displays current system information ESPI config commands 23 RFID config commands TABLE 25 activate Page Page Page Page Page reader Page Page Page Page 24 (config-rtls) SOLE config commands Table 26 summarizes conf ig-rtls-sole commands: TABLE 26 Page Page Page Page locate aeroscout [enable|interval <5-3600> wireless-client [<MAC-Addr>| enable|interva redundancy redundancy enable Page SOLE config commands SOLE config commands Displays current system information SOLE config commands 24 rssi-filter aap-rssi-update-interval aap-rssi-update-interval wireless-client wireless-client 25 smart-rf config commands The following table summarizes config-wireless-smart-rf commands: TABLE 27 assignable-power-range auto-assign Page Page Page extensive-scan Page hold-time Page Page Page Page number-of-rescuers radio Page Page recover retry-threshold run-calibrate scan-dwell-time schedule-calibrate select-channels Page Page Page Page Page Page Page smart-rf-module verbose Page 26 (config-dhcp) For more information on the role command, see role on page 278. Role config commands The following table summarizes config-role commands: ap-location authentication-type encryption-type essid Page Page Page client-mac Page Page Page Page Page Page Role config commands Role config commands 26 Page 27 AAP IP Filter config commands TABLE 29 clear-all-rules Page Page Page Page Page Page Page Page Page Page Page Page Page Page AAP IP Filter config commands 27