New Contributor
Posts: 2
Registered: ‎08-12-2016
Accepted Solution

Assigning ACL to a port for incoming and outgoing

I'm having a bear of a time assigning an ACL to an interface. We have a Brocade CES2024C and it is an edge router we want to pass all traffic along to our Firewall where we will do our port blocking/allowing, etc. So, everything was going great, I created an ACL 100 to permit all tcp and udp traffic (I think) and the last piece is I want to assign it to our interfaces from the ISP (I have confirmed the ISP is not blocking any ports), interfaces 1/1 and 2/2. Below is my config, thanks in advance!! Oh, and here is what I was trying to do according to the documentation:

SSH@NetIron CES 2024C-4X(config)#int eth 1/1
SSH@NetIron CES 2024C-4X(config-if-e1000-1/1)#ip access-group 100 in
Invalid input -> access-group 100 in
Type ? for a list

As promised, here is my config:

!
Startup-config data location is flash memory
!
Startup configuration:
!
ver V5.6.0fT183
!
!
!
!

!
no spanning-tree
!
!
vlan 1 name DEFAULT-VLAN
!
vlan 500 name To_Internal
untagged e 1/2 e 2/1
router-interface ve 50
!
vlan 1001
untagged e 1/1 e 2/2
router-interface ve 101
!
vlan 1455 name Sovernet_I2
tagged e 1/1 e 2/2
router-interface ve 145
!

!
system-max ip-cache 32768
system-max ip-route 32768
!
!
aaa authentication snmp-server default local
aaa authentication login default local
aaa authentication login privilege-mode
!
!
enable aaa console
console timeout 10
username manager password 8 $1$0E5..0V.$EJ3/ZYS3F9xweT1Elqo5s1
username manager history $1$F/1..Gf.$XSA.6oB5bjUnZmbpLPIQP/
!
ip as-path access-list permit-local seq 10 permit ^$
ip route 0.0.0.0/0 OURGATEWAYIP 
!
!
!
!
!
cdp run
fdp run
sflow enable
ssh access-group "SSH-ACL"
!
!
!
!
!
!
!
interface management 1
ip address 193.1.1.1/24
enable
!
interface ethernet 1/1
enable
!
interface ethernet 1/2
enable
!
interface ethernet 2/1
enable
!
interface ethernet 2/2
enable
!
interface ethernet 2/3
enable
!
interface ethernet 2/4
enable
!
interface ve 50
ip address Static Public
!
interface ve 101
ip address IPADDRESS
!
interface ve 145
ip address ANOTHERNETWORKIP
!
!
!
router bgp
local-as 65003
neighbor OURBGPFRIEND remote-as 1351
neighbor SAME soft-reconfiguration inbound

address-family ipv4 unicast
network IPADDRESS
neighbor ANOTHERIP filter-list permit-local out
exit-address-family

address-family ipv4 multicast
exit-address-family

address-family ipv6 unicast
exit-address-family

address-family ipv6 multicast
exit-address-family



!
!
!
access-list 100 sequence 10 permit tcp any any
access-list 100 sequence 20 permit udp any any
!
ip access-list standard SSH-ACL
sequence 10 permit host IPADDRESSFORSSH log
sequence 20 permit host 193.1.1.101 log
sequence 30 deny any log
!
!
!
!
!
!
end

Brocade Moderator
Posts: 61
Registered: ‎06-10-2009

Re: Assigning ACL to a port for incoming and outgoing

Hi,

Because the physical interface is part of a VLAN which has a routing interface configured (VLAN 1001 and VE 101) you will need to apply the ACL to the VE interface and not the physical interface.

e.g.

int ve 101

ip access-group 100 in

Regards

Steve
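The placement rule Steve gives above (an ACL for a port that belongs to a routed VLAN goes on the VE, not the physical port) is easy to check mechanically before pasting a config into a box. The script below is an added example, not Brocade code and not from this thread: it parses a small NetIron-style configuration and reports two things, an `ip access-group` applied on a physical port whose VLAN has a `router-interface ve`, and a numbered ACL that permits only tcp and udp, so that every other protocol (ICMP, for instance) falls through to the implicit deny at the end of the list. The sample configuration is constructed to resemble the poster's layout, with placeholder addresses; the parser only understands the handful of statement types used here.

```python
"""Lint a NetIron-style (Brocade CES/CER) configuration for two ACL pitfalls.

Added example, not Brocade code. The configuration below is constructed:
it mirrors the poster's VLAN/VE layout, but with ACL 100 applied on the
physical port (the form the CLI rejected) so the lint has something to catch.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
vlan 1 name DEFAULT-VLAN
!
vlan 500 name To_Internal
untagged e 1/2 e 2/1
router-interface ve 50
!
vlan 1001
untagged e 1/1 e 2/2
router-interface ve 101
!
interface ethernet 1/1
ip access-group 100 in
enable
!
interface ethernet 2/3
ip access-group 100 in
enable
!
interface ve 101
ip address 192.0.2.1/30
!
access-list 100 sequence 10 permit tcp any any
access-list 100 sequence 20 permit udp any any
"""

PORT_RE = re.compile(r"\b(?:e|eth|ethernet)\s+(\d+/\d+)")


def parse_config(text):
    """Return (vlans, ports, acls).

    vlans: vlan id -> {"ports": set of member ports, "ve": ve number or None}
    ports: physical port -> list of (acl name, direction) from ip access-group
    acls:  acl name -> list of (action, protocol) for numbered access-list lines
    """
    vlans = {}
    ports = defaultdict(list)
    acls = defaultdict(list)
    block = None  # ("vlan", id) or ("port", id) while inside that block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":  # "!" terminates a block in this format
            block = None
            continue
        m = re.match(r"vlan (\d+)", line)
        if m:
            block = ("vlan", m.group(1))
            vlans.setdefault(block[1], {"ports": set(), "ve": None})
            continue
        m = re.match(r"interface (?:e|eth|ethernet) (\d+/\d+)", line)
        if m:
            block = ("port", m.group(1))
            continue
        m = re.match(r"access-list (\S+) .*?(permit|deny) (\S+)", line)
        if m:
            block = None
            acls[m.group(1)].append((m.group(2), m.group(3)))
            continue
        if block and block[0] == "vlan":
            if line.startswith(("untagged", "tagged")):
                vlans[block[1]]["ports"].update(PORT_RE.findall(line))
            m = re.match(r"router-interface ve (\d+)", line)
            if m:
                vlans[block[1]]["ve"] = m.group(1)
        elif block and block[0] == "port":
            m = re.match(r"ip access-group (\S+) (in|out)", line)
            if m:
                ports[block[1]].append((m.group(1), m.group(2)))
    return vlans, dict(ports), dict(acls)


def lint(vlans, ports, acls):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # 1. ACL bound to a physical port that is a member of a routed VLAN.
    for vlan_id, v in vlans.items():
        if v["ve"] is None:
            continue
        for port in sorted(v["ports"]):
            for acl, direction in ports.get(port, []):
                findings.append(
                    f"port {port}: ACL {acl} {direction} is applied on a member of routed "
                    f"VLAN {vlan_id}; apply it on 'interface ve {v['ve']}' instead")
    # 2. ACL with no 'permit ip' entry: everything not listed hits the implicit deny.
    for name, rules in acls.items():
        protos = {proto for action, proto in rules if action == "permit"}
        if "ip" not in protos:
            findings.append(
                f"ACL {name}: permits only {', '.join(sorted(protos))}; every other "
                f"protocol (e.g. icmp) hits the implicit deny at the end of the list")
    return findings


if __name__ == "__main__":
    for finding in lint(*parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Port 2/3 in the sample carries the same `ip access-group` but is not a member of any VLAN with a `router-interface`, so it is deliberately not flagged; only the port that would have drawn the "Invalid input" error in the thread is reported.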

New Contributor
Posts: 2
Registered: ‎08-12-2016

Re: Assigning ACL to a port for incoming and outgoing

Thanks Steve, that worked. Would it require a reboot?

Brocade Moderator
Posts: 61
Registered: ‎06-10-2009

Re: Assigning ACL to a port for incoming and outgoing

Reboot is not required.
