
A rule may either deny or permit traffic according to the specified classification fields. At a minimum, the
source and destination MAC value and mask pairs must be specified, each of which may be substituted
using the keyword any to indicate a match on any value in that field. The bpdu keyword may be specified
for the destination MAC value/mask pair indicating a well-known BPDU MAC value of 01-80-c2-xx-xx-xx
(hex), where 'xx' indicates a don't care. The remaining command parameters are all optional.
The Ethertype may be specified as either a keyword or a four-digit hexadecimal value from
0x0600-0xFFFF. The currently supported <ethertypekey> values are: appletalk, arp, ibmsna, ipv4, ipv6,
ipx, mplsmcast, mplsucast, netbios, novell, pppoe, rarp. Each of these translates into its equivalent
Ethertype value(s).
The vlan and cos parameters refer to the VLAN identifier and 802.1p user priority fields, respectively, of
the VLAN tag. For packets containing a double VLAN tag, this is the first (or outer) tag.
The assign-queue parameter allows specification of a particular hardware queue for handling traffic that
matches this rule. The allowed <queue-id> value is 0-(n-1), where n is the number of user configurable
queues available for the hardware platform.
The mirror parameter allows the traffic matching this rule to be copied to the specified <slot/port>, while
the redirect parameter allows the traffic matching this rule to be forwarded to the specified <slot/port>.
The assign-queue and redirect parameters are only valid for a 'permit' rule.
Syntax
{del-rule-id | deny | permit} {{<srcmac> <srcmask>} | any} {{<dstmac> <dstmask>} | any | bpdu}
[<ethertypekey> | <0x0600-0xFFFF>] [vlan {{eq <0-4095>}} [cos <0-7>] [log] [assign-queue
<queue-id>] [{mirror | redirect} <slot/port>] [<rule-id>]
Default Setting
None
Command Mode
Mac Access-list Config
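Added example (not part of the original manual): a small Python lint that checks one MAC ACL deny/permit rule line against the limits stated in this command description before it is entered on a switch. The function name lint_mac_rule and the default of 8 queues are assumptions; MAC address format and parameter order are not checked.

```python
# Added example, not the vendor's code; n (num_queues) = 8 is an assumed platform value.
ETHERTYPE_KEYS = {"appletalk", "arp", "ibmsna", "ipv4", "ipv6", "ipx", "mplsmcast",
                  "mplsucast", "netbios", "novell", "pppoe", "rarp"}

def lint_mac_rule(line, num_queues=8):
    """Return the problems found in one deny/permit rule line (empty list = clean)."""
    tok, errs, targets = line.split(), [], []
    if not tok or tok[0] not in ("deny", "permit"):
        return ["rule must start with deny or permit"]
    action, i = tok[0], 1
    # Source, then destination: a keyword or a <mac> <mask> pair (format not checked).
    for field, keywords in (("source", {"any"}), ("destination", {"any", "bpdu"})):
        if i < len(tok) and tok[i] in keywords:
            i += 1
        elif i + 1 < len(tok):
            i += 2
        else:
            return [f"missing {field} MAC value/mask pair or keyword"]
    def check(name, text, lo, hi, base=10):
        try:
            ok = lo <= int(text, base) <= hi
        except ValueError:
            ok = False
        if not ok:
            errs.append(f"{name} {text!r} out of range")
    while i < len(tok):  # optional parameters; their order is not enforced here
        t = tok[i]
        arg = tok[i + 1] if i + 1 < len(tok) else ""
        if t in ETHERTYPE_KEYS or t == "log" or (t.isdigit() and i == len(tok) - 1):
            i += 1  # Ethertype keyword, log flag, or trailing <rule-id>
        elif t.lower().startswith("0x"):
            check("ethertype", t, 0x0600, 0xFFFF, 16); i += 1
        elif t == "vlan" and arg == "eq":
            check("vlan", tok[i + 2] if i + 2 < len(tok) else "", 0, 4095); i += 3
        elif t == "cos":
            check("cos", arg, 0, 7); i += 2
        elif t == "assign-queue":
            check("assign-queue", arg, 0, num_queues - 1); i += 2
            if action != "permit":
                errs.append("assign-queue is only valid for a permit rule")
        elif t in ("mirror", "redirect"):
            targets.append(t); i += 2
            if t == "redirect" and action != "permit":
                errs.append("redirect is only valid for a permit rule")
        else:
            errs.append(f"unexpected token {t!r}"); i += 1
    if len(targets) > 1:
        errs.append("mirror and redirect are alternatives; give only one")
    return errs
```

Calling lint_mac_rule("deny any any redirect 0/5") reports the permit-only restriction, while the same line with mirror passes; the slot/port value 0/5 is a constructed sample.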
7.22.2.5 access-list
This command creates an Access Control List (ACL) that is identified by the parameter.
Syntax
access-list {(<1-99> {deny | permit} {every | <srcip> <srcmask>}) | ( {<100-199> {deny | permit} {every
| {{icmp | igmp | ip | tcp | udp | <number>} any | <srcip> <srcmask> [{eq {<0-65535> | <portkey>}]( any |
<dstip> <dstmask>) [{eq {<0-65535> | <portkey>}] {[precedence <precedence>] | [tos <tos>
<tosmask>] | [dscp <dscp>] [log] [assign-queue <queue-id>] [{mirror | redirect} <slot/port>]
[<rule-id>]}}}})}
<accesslistnumber> - The ACL number is an integer from 1 to 199. The range 1 to 99 is for the
normal ACL List and 100 to 199 is for the extended ACL List.