Ethernet Switches & Routers

New Contributor
Posts: 2
Registered: 08-12-2016
Accepted Solution

Assigning ACL to a port for incoming and outgoing

I'm having a bear of a time assigning an ACL to an interface. We have a Brocade CES2024C and it is an edge router we want to pass all traffic along to our Firewall where we will do our port blocking/allowing, etc. So, everything was going great, I created an ACL 100 to permit all tcp and udp traffic (I think) and the last piece is I want to assign it to our interfaces from the ISP (I have confirmed the ISP is not blocking any ports), interfaces 1/1 and 2/2. Below is my config, thanks in advance!! Oh, and here is what I was trying to do according to the documentation:

SSH@NetIron CES 2024C-4X(config)#int eth 1/1
SSH@NetIron CES 2024C-4X(config-if-e1000-1/1)#ip access-group 100 in
Invalid input -> access-group 100 in
Type ? for a list
As promised, here is my config:

!
Startup-config data location is flash memory
!
Startup configuration:
!
ver V5.6.0fT183
!
!
!
!

!
no spanning-tree
!
!
vlan 1 name DEFAULT-VLAN
!
vlan 500 name To_Internal
untagged e 1/2 e 2/1
router-interface ve 50
!
vlan 1001
untagged e 1/1 e 2/2
router-interface ve 101
!
vlan 1455 name Sovernet_I2
tagged e 1/1 e 2/2
router-interface ve 145
!

!
system-max ip-cache 32768
system-max ip-route 32768
!
!
aaa authentication snmp-server default local
aaa authentication login default local
aaa authentication login privilege-mode
!
!
enable aaa console
console timeout 10
username manager password 8 $1$0E5..0V.$EJ3/ZYS3F9xweT1Elqo5s1
username manager history $1$F/1..Gf.$XSA.6oB5bjUnZmbpLPIQP/
!
ip as-path access-list permit-local seq 10 permit ^$
ip route 0.0.0.0/0 OURGATEWAYIP 
!
!
!
!
!
cdp run
fdp run
sflow enable
ssh access-group "SSH-ACL"
!
!
!
!
!
!
!
interface management 1
ip address 193.1.1.1/24
enable
!
interface ethernet 1/1
enable
!
interface ethernet 1/2
enable
!
interface ethernet 2/1
enable
!
interface ethernet 2/2
enable
!
interface ethernet 2/3
enable
!
interface ethernet 2/4
enable
!
interface ve 50
ip address Static Public
!
interface ve 101
ip address IPADDRESS
!
interface ve 145
ip address ANOTHERNETWORKIP
!
!
!
router bgp
local-as 65003
neighbor OURBGPFRIEND remote-as 1351
neighbor SAME soft-reconfiguration inbound

address-family ipv4 unicast
network IPADDRESS
neighbor ANOTHERIP filter-list permit-local out
exit-address-family

address-family ipv4 multicast
exit-address-family

address-family ipv6 unicast
exit-address-family

address-family ipv6 multicast
exit-address-family



!
!
!
access-list 100 sequence 10 permit tcp any any
access-list 100 sequence 20 permit udp any any
!
ip access-list standard SSH-ACL
sequence 10 permit host IPADDRESSFORSSH log
sequence 20 permit host 193.1.1.101 log
sequence 30 deny any log
!
!
!
!
!
!
end

Brocade Moderator
Posts: 73
Registered: 06-10-2009

Re: Assigning ACL to a port for incoming and outgoing

Hi,
Because the physical interface is part of a VLAN which has a routing interface configured (VLAN 1001 and VE 101) you will need to apply the ACL to the VE interface and not the physical interface.

eg

int ve 101
ip access-group 100 in

Regards

Steve
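To make the point above concrete, here is an added Python check (not Brocade code and not from anyone in this thread) that parses a config excerpt in the format posted above, maps a physical port to the VLANs it carries and the VE that routes each, and reports whether a given ACL is applied on that VE. The excerpt is constructed from the poster's config with the ACL placed on ve 101 as suggested; note that port 1/1 also carries tagged VLAN 1455 via ve 145, which the script reports as uncovered, and that the ACL only permits tcp and udp, so any other protocol hits the implicit deny.

```python
import re

# Constructed excerpt of the poster's NetIron config, identifiers redacted as in the thread,
# with the ACL applied on ve 101 per the moderator's suggestion.
SAMPLE_CONFIG = """\
vlan 500 name To_Internal
untagged e 1/2 e 2/1
router-interface ve 50
!
vlan 1001
untagged e 1/1 e 2/2
router-interface ve 101
!
vlan 1455 name Sovernet_I2
tagged e 1/1 e 2/2
router-interface ve 145
!
interface ve 101
ip address IPADDRESS
ip access-group 100 in
!
access-list 100 sequence 10 permit tcp any any
access-list 100 sequence 20 permit udp any any
"""

def parse_config(text):
    """Return (vlans, ve_acls, acls): vlan id -> {"ports", "ve"}, VE -> [(acl, dir)], acl -> [protocols]."""
    vlans, ve_acls, acls = {}, {}, {}
    cur_vlan = cur_ve = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"vlan (\d+)", line):
            cur_vlan, cur_ve = m.group(1), None
            vlans[cur_vlan] = {"ports": set(), "ve": None}
        elif cur_vlan and (m := re.match(r"(?:untagged|tagged) (.+)", line)):
            vlans[cur_vlan]["ports"].update(re.findall(r"\d+/\d+", m.group(1)))
        elif cur_vlan and (m := re.match(r"router-interface (ve \d+)", line)):
            vlans[cur_vlan]["ve"] = m.group(1)  # this VLAN is routed, so the ACL belongs on the VE
        elif m := re.match(r"interface (ve \d+)", line):
            cur_vlan, cur_ve = None, m.group(1)
            ve_acls.setdefault(cur_ve, [])
        elif cur_ve and (m := re.match(r"ip access-group (\S+) (in|out)", line)):
            ve_acls[cur_ve].append((m.group(1), m.group(2)))
        elif m := re.match(r"access-list (\d+) sequence \d+ permit (\S+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif line == "!":
            cur_vlan = cur_ve = None
    return vlans, ve_acls, acls

def acl_coverage(cfg, port, acl):
    """Per VLAN carried by `port`: the routing VE and whether `acl` is applied in/out on it."""
    vlans, ve_acls, _ = parse_config(cfg)
    report = {}
    for vid, v in vlans.items():
        if port in v["ports"]:
            dirs = [d for a, d in ve_acls.get(v["ve"], []) if a == acl] if v["ve"] else []
            report[vid] = {"ve": v["ve"], "acl_in": "in" in dirs, "acl_out": "out" in dirs}
    return report

def acl_permitted_protocols(cfg, acl):
    """Protocols the ACL explicitly permits; everything else is dropped by the implicit deny."""
    return parse_config(cfg)[2].get(acl, [])

if __name__ == "__main__":
    for port in ("1/1", "2/2"):
        print(port, acl_coverage(SAMPLE_CONFIG, port, "100"))
    print("ACL 100 permits:", acl_permitted_protocols(SAMPLE_CONFIG, "100"))
```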

New Contributor
Posts: 2
Registered: 08-12-2016

Re: Assigning ACL to a port for incoming and outgoing

Thanks Steve, that worked. Would it require a reboot?

Brocade Moderator
Posts: 73
Registered: 06-10-2009

Re: Assigning ACL to a port for incoming and outgoing

Reboot is not required.