Global Configuration Mode

Global Configuration Commands

access-list

Use the access-list command to configure the advanced filtering entries. To delete an access list, see the no access-list command on page 4-37.

Syntax: (config)# access-list rule {new | rule-name} apply {eth-lan | eth-wan | final | initial | ppp-wan} direction {in | out} operation {accept | accept-packet | drop | reject} time-range {always | schedule-name} src-host {address | address-range | any} dst-host {address | address-range | any} service service-id frag {enable | none} log {enable | none}

Field            Definition

new              Create a new access list rule. Note: Do not use the new option when
                 using an Automated Provisioning System.

rule-name        Enter an existing rule name to apply this command to.

eth-lan          Ethernet LAN interface.

eth-wan          Ethernet WAN interface.

initial          Initial rules defined here will be applied first to the interface.

final            Final rules defined here will be applied last to the interface.

ppp-wan          PPP WAN interface.

in               Filter the incoming traffic only.

out              Filter the outgoing traffic only.

accept           Allow access to packets that match the criteria defined. The data
                 transfer session will be handled using Stateful Packet Inspection
                 (SPI), meaning that other packets matching this rule will be
                 automatically allowed access.

accept-list      Allow access to packets that match the criteria defined. The data
                 transfer session will not be handled using SPI, meaning that other
                 packets matching this rule will not be automatically allowed access.
                 This can be useful, for example, when creating rules that follow
                 broadcasting.

drop             Deny access to packets that match the source and destination IP
                 addresses and service ports defined above.

reject           Deny access to packets that match the criteria defined, and send an
                 ICMP error or a TCP reset to the originating peer.

always           This rule will always take effect. Default.

schedule-name    Apply the defined schedule times to this rule.

src-host         The source address of packets sent or received from the LAN
                 computer. This entry is mandatory when denying a rule.
                 address - enter the source IP address
                 address-range - enter a range of source IP addresses
                 any - allow any IP address

dst-host         Destination address of packets sent/received from the network
                 object.
                 address - enter the destination IP address
                 address-range - enter a range of destination IP addresses
                 any - allow any IP address

service-id       Enter the service number to apply the rule to. Note: Service ID
                 numbers can be displayed with the show service command, on
                 page 3-61.

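The rule semantics described in the table (initial rules before final rules, stateful accept versus accept-list, drop versus reject, time ranges and host specifications), as an added Python model that is not part of this manual and not Carrier Access firmware code. It parses commands written in the syntax above and evaluates constructed packets against them. Assumptions of the model: the apply clause has the shape `apply <iface> {initial|final}`, the first matching rule wins, address ranges are written `lo-hi`, the service-ID table is hypothetical (on the device, `show service` lists the real IDs), and the `Packet`, `Rule`, `Firewall`, `parse_rule`, `host_matches` and `run_demo` names are the example's own. The configuration and packets use documentation IP addresses and are constructed for the example.

```python
"""Toy model of the access-list semantics this page describes (added example, not
Carrier Access code). Commands in the page's syntax are parsed and packets are
evaluated: 'initial' rules run before 'final' ones, first match wins (assumed),
'accept' opens an SPI session so the reply direction passes without a rule lookup,
'accept-list' ('accept-packet' in the syntax line) does not, 'drop' is silent and
'reject' answers the originator. Assumed: 'apply <iface> {initial|final}', ranges
written 'lo-hi', and a hypothetical service table standing in for `show service`."""
import ipaddress
import shlex
from collections import namedtuple

SERVICES = {1: ("tcp", 22), 2: ("tcp", 23), 3: ("tcp", 80)}   # hypothetical service IDs
IFACES, STAGES, DIRS = {"eth-lan", "eth-wan", "ppp-wan"}, {"initial", "final"}, {"in", "out"}
OPS = {"accept", "accept-list", "accept-packet", "drop", "reject"}

Packet = namedtuple("Packet", "iface direction proto src dst dport sport", defaults=(40000,))
Rule = namedtuple("Rule", "name iface stage direction operation src dst service time_range log")


def parse_rule(line):
    """Parse one '(config)# access-list rule ...' command into a Rule."""
    tok = shlex.split(line.split("#", 1)[-1])
    if tok[:2] != ["access-list", "rule"]:
        raise ValueError(f"not an access-list rule command: {line!r}")
    pos = 3 if tok[2] == "new" else 2          # 'new' creates a rule, otherwise an existing name
    name, kw, i = tok[pos], {}, pos + 1
    while i < len(tok):
        if tok[i] == "apply":                   # assumption: apply <iface> {initial|final}
            kw["iface"], kw["stage"], i = tok[i + 1], tok[i + 2], i + 3
        else:                                   # every other keyword takes one value
            kw[tok[i]], i = tok[i + 1], i + 2
    r = Rule(name, kw["iface"], kw["stage"], kw["direction"], kw["operation"], kw["src-host"],
             kw["dst-host"], int(kw["service"]), kw.get("time-range", "always"), kw.get("log") == "enable")
    if r.iface not in IFACES or r.stage not in STAGES or r.direction not in DIRS or r.operation not in OPS:
        raise ValueError(f"invalid keyword in rule {name!r}")
    return r


def host_matches(spec, ip):
    """'any', one address, or an 'lo-hi' range (the range syntax is an assumption)."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)


class Firewall:
    def __init__(self, rules, active_schedules=("always",)):
        self.rules = list(rules)
        self.active = set(active_schedules)    # schedule names currently in effect
        self.sessions = set()                  # flows opened by a stateful 'accept'

    def ordered(self):
        # initial rules are applied first, final rules last; config order within a stage
        return [r for s in ("initial", "final") for r in self.rules if r.stage == s]

    def matches(self, r, p):
        return ((r.iface, r.direction) == (p.iface, p.direction) and r.time_range in self.active
                and SERVICES[r.service] == (p.proto, p.dport)
                and host_matches(r.src, p.src) and host_matches(r.dst, p.dst))

    def evaluate(self, p):
        """Return (verdict, reason); verdict is accept, drop, reject or no-match."""
        flow = (p.iface, p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.iface, p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.sessions or reverse in self.sessions:
            return "accept", "spi-session"      # SPI: session packets need no rule lookup
        for r in self.ordered():
            if not self.matches(r, p):
                continue
            if r.operation == "accept":
                self.sessions.add(flow)         # stateful: replies will be allowed
            elif r.operation == "drop":
                return "drop", r.name           # silent discard
            elif r.operation == "reject":
                return "reject", r.name         # plus ICMP error / TCP reset to the originator
            return "accept", r.name             # accept, or accept-list without session state
        return "no-match", None                 # the page does not state the default action


# Constructed sample configuration using documentation addresses (192.0.2.1 is the device).
CONFIG = [
    "(config)# access-list rule new deny-ssh apply eth-wan final direction in operation drop "
    "time-range always src-host any dst-host 192.0.2.1 service 1 frag none log enable",
    "(config)# access-list rule new mgmt-ssh apply eth-wan initial direction in operation accept "
    "time-range always src-host 203.0.113.10 dst-host 192.0.2.1 service 1 frag none log enable",
    "(config)# access-list rule new no-telnet apply eth-wan final direction in operation reject "
    "time-range always src-host any dst-host any service 2 frag none log none",
    "(config)# access-list rule new web-in apply eth-wan final direction in operation accept-list "
    "time-range always src-host 198.51.100.0-198.51.100.255 dst-host 192.0.2.1 service 3 frag none log none",
]


def run_demo():
    fw = Firewall(parse_rule(l) for l in CONFIG)
    pkts = [
        Packet("eth-wan", "in", "tcp", "203.0.113.10", "192.0.2.1", 22),    # initial rule wins
        Packet("eth-wan", "out", "tcp", "192.0.2.1", "203.0.113.10", 40000, sport=22),  # SPI reply
        Packet("eth-wan", "in", "tcp", "203.0.113.99", "192.0.2.1", 22),    # falls to the final drop
        Packet("eth-wan", "in", "tcp", "198.51.100.5", "192.0.2.1", 23),    # rejected
        Packet("eth-wan", "in", "tcp", "198.51.100.5", "192.0.2.1", 80),    # accept-list, no session
        Packet("eth-wan", "out", "tcp", "192.0.2.1", "198.51.100.5", 40000, sport=80),  # no session
    ]
    return [fw.evaluate(p) for p in pkts]
```

Calling `run_demo()` shows the ordering point the table makes: `mgmt-ssh` is listed after `deny-ssh` but is evaluated first because it is an initial rule, so the management host is accepted while any other SSH source hits the final drop. The last two packets show the SPI difference: the reply to the stateful `accept` passes as a session packet, while the reply to the `accept-list` web rule finds no session and no matching rule; the model reports `no-match` there rather than assuming a default action the page does not state.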

Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) CLI

4-5
