OnSite 2800 Series User Manual    7 • Access control list configuration

Where the syntax is as follows:

Keyword        Meaning

src            The source address to be included in the rule. An IP address in dotted-decimal
               format, e.g. 64.231.1.10.

src-wildcard   A wildcard for the source address. Expressed in dotted-decimal format, this value
               specifies which bits are significant for matching. One-bits in the wildcard indicate
               that the corresponding bits are ignored. An example of a valid wildcard is 0.0.0.255,
               which specifies a class C network.

any            Indicates that IP traffic to or from all IP addresses is to be included in the rule.

host src       The address of a single source host.

dest           The destination address to be included in the rule. An IP address in dotted-decimal
               format, e.g. 64.231.1.10.

dest-wildcard  A wildcard for the destination address. See src-wildcard.

host dest      The address of a single destination host.

msg name       The ICMP message name. The following are valid message names:
               administratively-prohibited, alternate-address, conversion-error,
               dod-host-prohibited, dod-net-prohibited, echo, echo-reply,
               general-parameter-problem, host-isolated, host-precedence-unreachable,
               host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown,
               host-unreachable, information-reply, information-request, mask-reply,
               mask-request, mobile-redirect, net-redirect, net-tos-redirect,
               net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option,
               option-missing, packet-too-big, parameter-problem, port-unreachable,
               precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect,
               router-advertisement, router-solicitation, source-quench, source-route-failed,
               time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded,
               unreachable

type type      The ICMP message type. A number from 0 to 255 (inclusive).

code code      The ICMP message code. A number from 0 to 255 (inclusive).

cos            Optional. Specifies that packets matched by this rule belong to a certain Class of
               Service (CoS). For a detailed description of CoS configuration refer to chapter 8,
               "Link scheduler configuration" on page 93.

group          CoS group name.

If you place a deny ip any any rule at the top of an access-list profile, no packets will pass regardless of the other rules you defined.

Example: Create ICMP access control list entries

Select the access-list profile named WanRx and create the rules to filter all ICMP echo requests (as used by the ping command).

2800(cfg)#profile acl WanRx
2800(pf-acl)[WanRx]#deny icmp any any type 8 code 0
2800(pf-acl)[WanRx]#exit
2800(cfg)#
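To make the wildcard-mask and first-match semantics described above concrete, here is an added illustration (not part of the manual or of the OnSite firmware) that parses rules in the same textual form as the WanRx example and evaluates constructed packets against them. The trailing "permit ip any any" rule, the packet dictionaries and the fall-through result of "deny" are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """One-bits in the wildcard mark bits that are ignored; zero-bits must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol) or "icmp"
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def parse_addr(toks):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]   # every bit ignored
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]              # exact host match
    return (toks[0], toks[1]), toks[2:]

def parse_rule(line: str) -> Rule:
    toks = line.split()
    src, rest = parse_addr(toks[2:])
    dst, rest = parse_addr(rest)
    opts = dict(zip(rest[::2], rest[1::2]))   # e.g. {"type": "8", "code": "0"}
    return Rule(toks[0], toks[1], src, dst,
                int(opts["type"]) if "type" in opts else None,
                int(opts["code"]) if "code" in opts else None)

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *rule.src) and wildcard_match(pkt["dst"], *rule.dst)):
        return False
    if rule.icmp_type is not None and pkt.get("type") != rule.icmp_type:
        return False
    return rule.icmp_code is None or pkt.get("code") == rule.icmp_code

def evaluate(rules, pkt: dict) -> str:
    """First matching rule wins; a packet matching no rule is denied (assumed default)."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "deny"

# Constructed profile: the manual's WanRx rule followed by an assumed catch-all permit.
WANRX_RULES = [parse_rule(l) for l in ("deny icmp any any type 8 code 0", "permit ip any any")]
```

Placing `parse_rule("deny ip any any")` first in the list makes `evaluate` return "deny" for every packet, which is the effect the note above warns about.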

Access control list configuration task list
