to compare with the incoming packets, and an action to take for packets that match. When you create
an access list, you must specify a value for each of the fields that make up the access mask used by the
list.
To create an access list, use the following command:
create access-list <name> access-mask <access-mask name> {dest-mac <dest_mac>}
{source-mac <src_mac>} {vlan <name>} {ethertype [IP | ARP | <hex_value>]} {tos
<ip_precedence> | code-point <code_point>} {ipprotocol [tcp | udp | icmp | igmp |
<protocol_num>]} {dest-ip <dest_IP>/<mask length>} {dest-L4port <dest_port>}
{source-ip <src_IP>/<mask length>} {source-L4port <src_port>} [permit {qosprofile
<qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value>} |
permit-established | deny]
NOTE
The parameters of the create access-list command must match the parameters of the corresponding
create access-mask command exactly, and they must be given in the same order. If the parameters are
out of order, many of the options become unavailable.
For packets that match a particular access list, you can specify the following actions:
• Deny—Matching packets are not forwarded.
• Permit-established—Drop the packet if it would initiate a new TCP session (see "The
permit-established Keyword" on page 145); other matching packets are forwarded.
• Permit—Forward the packet. You can send the packet to a particular QoS profile, and modify the
packet's 802.1p value and/or DiffServ code point.
If a packet matches more than one access list, the switch uses the following rules to determine the
actions taken on the packet:
• If the actions specified by the matching ACLs do not conflict, all of the actions are carried out.
• If the actions conflict, the precedence of the associated access masks determines the course of action:
the access list whose access-mask has the highest precedence prevails.
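The matching and conflict rules above can be modelled to check what a policy will do to a given packet before it is applied to a port. The following is an added example in Python; it is not ExtremeWare code or switch output. It assumes that a "conflict" means two matching lists set the same action field (the permit/deny disposition, qosprofile, code-point or dot1p) to different values and that the value from the highest-precedence access-mask wins, with the first list winning an exact tie; that the segment a permit-established list drops is one with SYN set and ACK clear; and that a packet matching no list is forwarded unchanged. The policy and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # TCP flag bits used by the permit-established check


@dataclass
class AccessList:
    name: str
    precedence: int    # precedence of the access-mask this list uses; higher prevails on conflict
    match: dict        # mask fields and the values this list requires
    action: str        # "permit", "permit-established" or "deny"
    set_fields: dict = field(default_factory=dict)  # qosprofile / code-point / dot1p on permit


def matches(acl, pkt):
    """True when every mask field carries the value the list specifies.
    dest-ip and source-ip are compared as prefixes (address/mask length)."""
    for key, want in acl.match.items():
        have = pkt.get(key)
        if have is None:
            return False
        if key in ("dest-ip", "source-ip"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif have != want:
            return False
    return True


def disposition(acl, pkt):
    """Resolve permit-established: deny only a segment that would open a new TCP
    session (SYN set, ACK clear; an assumption); anything else it matches is permitted."""
    if acl.action != "permit-established":
        return acl.action
    flags = pkt.get("tcp-flags", 0)
    opens_session = pkt.get("ipprotocol") == "tcp" and flags & SYN and not flags & ACK
    return "deny" if opens_session else "permit"


def evaluate(acls, pkt):
    """Apply every matching list to one packet.

    Actions that do not conflict are all carried out.  For each action field the
    value set by the matching list with the highest access-mask precedence wins;
    on an exact tie the list given first wins (assumption)."""
    chosen = {}  # field -> (value, precedence, name of the list that set it)
    for acl in acls:
        if not matches(acl, pkt):
            continue
        disp = disposition(acl, pkt)
        actions = {"disposition": disp}
        if disp == "permit":
            actions.update(acl.set_fields)
        for fld, val in actions.items():
            prev = chosen.get(fld)
            if prev is None or acl.precedence > prev[1]:
                chosen[fld] = (val, acl.precedence, acl.name)
    # Assumption: a packet that matches no list at all is forwarded unchanged.
    if "disposition" not in chosen:
        return {"disposition": "permit", "decided_by": {}}
    if chosen["disposition"][0] == "deny":
        # A dropped packet is never forwarded, so markings from losing permit lists are moot.
        return {"disposition": "deny", "decided_by": {"disposition": chosen["disposition"][2]}}
    result = {fld: v[0] for fld, v in chosen.items()}
    result["decided_by"] = {fld: v[2] for fld, v in chosen.items()}
    return result


# Constructed sample policy (hypothetical list names and values, not from the manual).
POLICY = [
    AccessList("block-telnet", 10, {"ipprotocol": "tcp", "dest-L4port": 23}, "deny"),
    AccessList("mgmt-net", 20, {"ipprotocol": "tcp", "source-ip": "10.0.0.0/24"}, "permit",
               {"qosprofile": "qp3"}),
    AccessList("mark-ssh", 15, {"ipprotocol": "tcp", "dest-L4port": 22}, "permit",
               {"code-point": 46}),
    AccessList("inbound-tcp", 30, {"ipprotocol": "tcp", "dest-ip": "10.0.0.0/24"},
               "permit-established"),
]


def pkt(src, dst, dport, flags):
    """Constructed TCP packet header (sample input, not captured traffic)."""
    return {"ipprotocol": "tcp", "source-ip": src, "dest-ip": dst,
            "dest-L4port": dport, "tcp-flags": flags}


if __name__ == "__main__":
    # Telnet from the management net: deny (prec 10) vs permit+qp3 (prec 20) -> permit, qp3
    print(evaluate(POLICY, pkt("10.0.0.7", "10.1.1.1", 23, SYN)))
    # SSH from the management net: two permits that do not conflict -> qp3 and code-point 46
    print(evaluate(POLICY, pkt("10.0.0.7", "10.1.1.1", 22, SYN)))
    # New TCP session into 10.0.0.0/24 from outside: permit-established drops the SYN
    print(evaluate(POLICY, pkt("203.0.113.4", "10.0.0.9", 443, SYN)))
```

Running the three cases in the `__main__` block shows each rule in turn: the higher-precedence `mgmt-net` overrides `block-telnet`, the two permits combine their markings, and the SYN into the protected prefix is dropped while a SYN/ACK on the same flow is forwarded.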
To display information about one or more access lists, use the following command:
show access-list {<name> | port <portlist>}
To delete an access list, use the following command:
delete access-list <name>
Rate Limits
Rate limits are almost identical to access control lists. Incoming packets that match a rate limit's access
control list are forwarded as long as they do not exceed a predefined rate. Excess packets are either
dropped, or forwarded with their DiffServ code point reset.
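To see in numbers what "exceeding the rate" does to a stream before a rate limit is committed, the following added Python example (not ExtremeWare code) models a rate limit as a token bucket and runs a constructed burst through it under both excess actions. Assumptions: the rate is enforced by a bucket credited continuously at the committed rate with a depth equal to a burst size, both taken as parameters here since this page does not specify the algorithm; the mask is exact-match only; the limit name, rate, burst and traffic are all hypothetical.

```python
from dataclasses import dataclass


@dataclass
class RateLimit:
    name: str
    match: dict          # mask fields a packet must equal to be subject to this limit
    rate_bps: int        # committed rate in bits per second
    burst_bytes: int     # bucket depth: the largest burst forwarded at line rate
    exceed: str          # "drop" or "set-code-point"
    code_point: int = 0  # DSCP written onto excess packets when exceed == "set-code-point"


def apply_rate_limit(rl, packets):
    """Run (time_ms, size_bytes, header) tuples through the limit in arrival order.

    Returns (time_ms, outcome, code_point) per packet, with outcome "forward",
    "drop" or "remark".  Assumption: a token bucket credited continuously at
    rate_bps; credit is computed in whole bytes per interval."""
    tokens = rl.burst_bytes
    last_ms = None
    out = []
    for t_ms, size, hdr in packets:
        if any(hdr.get(k) != v for k, v in rl.match.items()):
            out.append((t_ms, "forward", hdr.get("code-point")))  # not covered by the mask
            continue
        if last_ms is not None:
            tokens = min(rl.burst_bytes, tokens + (t_ms - last_ms) * rl.rate_bps // 8000)
        last_ms = t_ms
        if tokens >= size:
            tokens -= size
            out.append((t_ms, "forward", hdr.get("code-point")))
        elif rl.exceed == "drop":
            out.append((t_ms, "drop", hdr.get("code-point")))
        else:
            out.append((t_ms, "remark", rl.code_point))
    return out


# Hypothetical limits: 8 kbit/s on HTTP with a 1500-byte burst, one per excess action.
HTTP_MASK = {"ipprotocol": "tcp", "dest-L4port": 80}
DROP_LIMIT = RateLimit("http-8k-drop", HTTP_MASK, 8000, 1500, "drop")
REMARK_LIMIT = RateLimit("http-8k-remark", HTTP_MASK, 8000, 1500, "set-code-point", code_point=0)


def sample_burst():
    """Constructed traffic: 13 HTTP packets of 500 bytes every 100 ms (40 kbit/s against
    an 8 kbit/s limit, all marked DSCP 46) plus one DNS packet the mask does not cover."""
    http = {"ipprotocol": "tcp", "dest-L4port": 80, "code-point": 46}
    pkts = [(i * 100, 500, dict(http)) for i in range(13)]
    pkts.append((650, 80, {"ipprotocol": "udp", "dest-L4port": 53, "code-point": 0}))
    return sorted(pkts, key=lambda p: p[0])


def summarize(results):
    """Count outcomes, e.g. {"forward": 6, "drop": 8}."""
    counts = {}
    for _, outcome, _ in results:
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


if __name__ == "__main__":
    for limit in (DROP_LIMIT, REMARK_LIMIT):
        results = apply_rate_limit(limit, sample_burst())
        print(limit.name, summarize(results))
        print("  ", [(t, o, cp) for t, o, cp in results])
```

With a 1500-byte bucket refilled at 100 bytes per 100 ms, the first three packets ride on the initial burst allowance and afterwards only every fifth packet fits, so 5 of the 13 HTTP packets are forwarded; the DNS packet bypasses the limit entirely. Under "drop" the other 8 disappear; under "set-code-point" they are still forwarded but leave with DSCP 0 instead of 46, which is the difference a downstream QoS policy will see.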
Each entry that makes up a rate limit contains a unique name and specifies a previously created access
mask. Like an access list, a rate limit includes a list of values to compare with the incoming packets and
an action to take for packets that match. Additionally, a rate limit specifies an action to take when
ExtremeWare 7.2e Installation and User Guide
IP Access Lists (ACLs)
143