Overview of rule criteria
You can configure policy rules to match packets based on one or more of the following criteria:
● Source IP address, or a range of addresses
● Destination IP address, or a range of addresses
● IP protocol, such as TCP, UDP, ICMP, IGMP
● Source TCP or UDP port, or a range of ports
● Destination TCP or UDP port, or a range of ports
● ICMP type and code
● Fragment
● DSCP
Use IP wildcards to specify a range of source or destination IP addresses. The zero bits in the
wildcard correspond to bits in the IP address that remain fixed. The one bits in the wildcard
correspond to bits in the IP address that can vary. Note that this is the opposite of how bits are
used in a subnet mask.
For access control lists, you can require the packet to be part of an established TCP session. If
the packet is a request for a new TCP session, the packet does not match the rule. You can also
specify whether an access control list accepts packets that have an IP option field.
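The following is an added worked example, not code from the original documentation or from the device vendor: a small IPv4 rule matcher that applies the wildcard semantics described above (zero bits fixed, one bits free, the complement of a subnet mask) and the "established" check for access control lists. The `Packet` and `Rule` classes, the field names, and the rule that "established" means the TCP ACK or RST flag is set (the conventional ACL interpretation; the text above does not state the exact flag test) are assumptions made for this example.

```python
"""Constructed example (not from the documentation): matches IPv4 packets
against a rule using wildcard addresses and an 'established' TCP check."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Standard TCP flag bit values (assumption: used only to model 'established')
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10


def ip_matches_wildcard(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """True if packet_ip is in the range described by rule_ip/wildcard.

    Zero bits in the wildcard must equal the corresponding bits of rule_ip;
    one bits in the wildcard may take any value.
    """
    p = int(ipaddress.IPv4Address(packet_ip))
    r = int(ipaddress.IPv4Address(rule_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    fixed = ~w & 0xFFFFFFFF          # complement of the wildcard = the fixed bits
    return (p & fixed) == (r & fixed)


def wildcard_from_subnet_mask(mask: str) -> str:
    """A subnet mask and the equivalent wildcard are bitwise complements."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(~m & 0xFFFFFFFF))


@dataclass
class Packet:                        # hypothetical packet summary
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp", ...
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0


@dataclass
class Rule:                          # hypothetical rule representation
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"   # all ones: any source address
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"   # all ones: any destination address
    proto: Optional[str] = None         # None: any IP protocol
    dport: Optional[range] = None       # None: any destination port
    established: bool = False           # require an existing TCP session


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Apply each configured criterion; unconfigured criteria match anything."""
    if not ip_matches_wildcard(pkt.src, rule.src, rule.src_wild):
        return False
    if not ip_matches_wildcard(pkt.dst, rule.dst, rule.dst_wild):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    if rule.established:
        # A bare SYN is a request for a new session and must not match.
        # Assumption: 'established' = ACK or RST flag present.
        if pkt.proto != "tcp" or not (pkt.tcp_flags & (TCP_ACK | TCP_RST)):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: permit return traffic to web clients in 10.1.0.0/16
    web_return = Rule(src="10.1.0.0", src_wild="0.0.255.255",
                      proto="tcp", dport=range(80, 81), established=True)
    print(wildcard_from_subnet_mask("255.255.0.0"))        # 0.0.255.255
    print(rule_matches(web_return,
                       Packet("10.1.5.5", "192.0.2.1", "tcp", 40000, 80, TCP_SYN)))
    print(rule_matches(web_return,
                       Packet("10.1.5.5", "192.0.2.1", "tcp", 40000, 80, TCP_ACK)))
```

The wildcard `0.0.255.255` paired with `10.1.0.0` matches every address whose first two octets are `10.1`, which is exactly what the subnet mask `255.255.0.0` would express; the two are complements, as the text notes. With `established` set, the SYN-only packet (a new session request) is rejected while the ACK packet matches.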
Editing and creating rules
To create or edit a policy rule, you must enter the context of the rule. If the rule already exists,
you can edit the rule from the rule context. If the rule does not exist, entering the rule context
creates the rule.
To enter a rule context:
1. Enter the context of the list in which you want to create or edit a rule.
2. Type the command ip-rule, followed by the number of the rule you want to create or edit.
For example, to create rule 1, type ip-rule 1.
You can use the description command in the rule context to add a description of the rule.
This description is included in the AccessViolation Policy trap to identify and describe the IP rule
that caused the trap.
Defining rules
Issue 1.1 June 2005
451