Access Control Lists — IP

acl-ip-create

Use this command to create an IP address for an Access Control List (ACL). ACLs are rules that you apply to allow or deny access to hosts or IP addresses.

Syntax   acl-ip-create name string [action permit | deny] [scope local | fabric] src-ip ip-address [src-ip-mask netmask] [dst-ip ip-address dst-ip-mask netmask] [proto [tcp|udp|icmp|igmp|ip]] [src-port src-port-number] [dst-port dst-port-number] [vnet vnet-name] [vlan vlan-id] [port port-number]

name string

Specifies the name of the ACL.

action permit | deny

Specifies the permission of the ACL as either permit or deny.

scope local | fabric

Specifies the scope of the ACL.

At least one of the following options:

src-ip ip-address

Specifies the source IP address of the ACL.

src-ip-mask netmask

Specifies the source IP mask of the ACL.

dst-ip ip-address

Specifies the destination IP address of the ACL.

dst-ip-mask netmask

Specifies the destination IP mask of the ACL.

Then any of the following options:

proto [tcp|udp|icmp|igmp|ip]

Specifies the protocol flag filter of the ACL.

src-port src-port-number

Specifies the source port number.

dst-port dst-port-number

Specifies the destination port number.

vnet vnet-name

Specifies the name of the VNET.

vlan vlan-id

Specifies the VLAN to apply the ACL.

port port-number

If the scope is local, specifies the switch port of the ACL.

Defaults   None

Access   CLI

History   

Version 1.2

Command introduced.

Version 2.4

The option, igmp, added to the parameter, protocol.

Version 2.4.1

The parameter, vnet, added.

Usage   IP ACLs can be used to filter network traffic. Use this command to create a new IP ACL.


 

Informational Note:  The source or destination IP address/mask of 0.0.0.0/255.255.255.255 means any.

The source or destination IP address/mask of 208.74.182.229/0.0.0.0 is the same as “host 208.74.182.229”.

Examples  This example shows how to create a fabric-wide ACL named MyWebACL allowing HTTP traffic (port 80) from any host to the web server with IP address 208.74.182.229.

CLI network-admin@switch > acl-ip-create name MyWebACL action permit scope fabric src-ip 0.0.0.0 src-ip-mask 255.255.255.255 dst-ip 208.74.182.229 dst-ip-mask 0.0.0.0 proto tcp dst-port 80
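
The following added example (not part of the product documentation) models how a rule's fields select traffic, using only the two address/mask forms from the Informational Note. The all-fields-must-match model, the treatment of proto ip as any protocol, the function names and the sample packets are assumptions.

```python
import ipaddress

# Added illustration of the documented fields; not vendor code.
ANY_MASK = "255.255.255.255"   # note: 0.0.0.0/255.255.255.255 means any
HOST_MASK = "0.0.0.0"          # note: a.b.c.d/0.0.0.0 means "host a.b.c.d"

def ip_matches(packet_ip, rule_ip, rule_mask):
    """Apply only the two address/mask forms the Informational Note defines."""
    if rule_ip is None:                      # field absent from the rule
        return True
    rule_addr = ipaddress.IPv4Address(rule_ip)   # ValueError if malformed
    if rule_ip == "0.0.0.0" and rule_mask == ANY_MASK:
        return True
    if rule_mask == HOST_MASK:
        return ipaddress.IPv4Address(packet_ip) == rule_addr
    # Any other mask is not defined on this page, so refuse to guess.
    raise ValueError(f"mask {rule_mask!r} is not covered by the note")

def rule_matches(rule, pkt):
    """Assumed model: every field present in the rule must match the packet."""
    for side in ("src", "dst"):
        if not ip_matches(pkt[f"{side}-ip"], rule.get(f"{side}-ip"),
                          rule.get(f"{side}-ip-mask")):
            return False
    # Assumption: proto "ip" (or no proto) matches every IP protocol.
    if rule.get("proto", "ip") not in ("ip", pkt["proto"]):
        return False
    return all(rule[k] == pkt[k] for k in ("src-port", "dst-port") if k in rule)

# Constructed rule: any host to the web server from the page, TCP port 80.
WEB_RULE = {"src-ip": "0.0.0.0", "src-ip-mask": ANY_MASK,
            "dst-ip": "208.74.182.229", "dst-ip-mask": HOST_MASK,
            "proto": "tcp", "dst-port": 80}
# Same rule with src-port also set: only traffic sent from port 80 matches.
PINNED_RULE = {**WEB_RULE, "src-port": 80}

# Constructed packets; the client address is from a documentation range.
CLIENT = {"src-ip": "198.51.100.7", "dst-ip": "208.74.182.229",
          "proto": "tcp", "src-port": 51514, "dst-port": 80}
OTHER_HOST = {**CLIENT, "dst-ip": "208.74.182.230"}

if __name__ == "__main__":
    for name, rule in (("WEB_RULE", WEB_RULE), ("PINNED_RULE", PINNED_RULE)):
        print(name, rule_matches(rule, CLIENT), rule_matches(rule, OTHER_HOST))
```

A mask other than the two documented forms raises ValueError instead of being interpreted, because this page does not define it.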
