Advantech EKI-9516P-HV User Manual page 301

EKI-9500 Series User Manual

Item: Action
Description: The action to take when a packet or frame matches the criteria in the rule:
    Permit: The packet or frame is forwarded.
    Deny: The packet or frame is dropped.
NOTE: When configuring ACL rules in the Add Access Control List Rule window, the selected action determines which fields can be configured. Not all fields are available for both Permit and Deny actions.

Match Criteria (IPv4 ACLs)

Item: Every
Description: When this option is selected, all packets match the rule and are either permitted or denied. This option is mutually exclusive with all other match criteria, so if Every is selected, no other match criteria can be configured. To configure specific match criteria, this option must be cleared.

Item: Protocol
Description: The IANA-assigned protocol number to match within the IP packet. You can also specify one of the following keywords: EIGRP, GRE, ICMP, IGMP, IP, IPIP, OSPF, PIM, TCP, or UDP. This function is only available for IPv4 Extended and IPv4 Named ACLs.

Item: Fragments
Description: Sets the IP ACL rule to match on fragmented IP packets. This function is only available for IPv4 Extended and IPv4 Named ACLs.

Item: Source IP Address / Wildcard Mask
Description: The source IP address and the source IP wildcard mask (in the second field) to compare to the IP address in a packet header. The wildcard mask determines which bits in the IP address are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard mask of 0.0.0.0 indicates that all of the bits are important. For example, enter a wildcard mask of 0.0.0.0 to specify a host. Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. A subnet mask has ones (1's) in the bit positions that are used for the network address and zeros (0's) in the bit positions that are not used. In contrast, a wildcard mask has zeros (0's) in the bit positions that must be checked. A one (1) in a bit position of the ACL mask indicates that the corresponding bit can be ignored. This field is required when you configure a source IP address.

Item: Source L4 Port
Description: The TCP/UDP source port to match in the packet header. Select one of the following options: Equal, Not Equal, Less Than, Greater Than, or Range, and specify the port number or keyword. TCP port keywords include BGP, Domain, Echo, FTP, FTP Data, HTTP, SMTP, Telnet, WWW, POP2, and POP3. UDP port keywords include Domain, Echo, NTP, RIP, SNMP, TFTP, TIME, and WHO. This function is only available for IPv4 Extended and IPv4 Named ACLs.

Item: Destination IP Address / Wildcard Mask
Description: The destination IP address and the destination IP wildcard mask (in the second field) to compare to the IP address in a packet header. The wildcard mask determines which bits in the IP address are used and which bits are ignored. A wildcard mask of 255.255.255.255 indicates that no bit is important. A wildcard mask of 0.0.0.0 indicates that all of the bits are important. For example, enter a wildcard mask of 0.0.0.0 to specify a host. Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. A subnet mask has ones (1's) in the bit positions that are used for the network address and zeros (0's) in the bit positions that are not used. In contrast, a wildcard mask has zeros (0's) in the bit positions that must be checked. A one (1) in a bit position of the ACL mask indicates that the corresponding bit can be ignored. This field is required when you configure a destination IP address.
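
The wildcard comparison described for the Source and Destination IP Address / Wildcard Mask fields, as an added Python example (not from the Advantech manual or the switch firmware); the function names and sample addresses are constructed for illustration. It also shows what a rule matches when a subnet mask is entered in the wildcard field by mistake.

```python
import ipaddress

ALL_BITS = 0xFFFFFFFF

def to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(packet_ip: str, rule_ip: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard must be equal in both addresses; a 1 bit is ignored."""
    checked = ~to_int(wildcard) & ALL_BITS
    return (to_int(packet_ip) & checked) == (to_int(rule_ip) & checked)

def subnet_to_wildcard(subnet_mask: str) -> str:
    """The wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(~to_int(subnet_mask) & ALL_BITS))

def matched_count(wildcard: str) -> int:
    """Each ignored bit doubles the number of addresses the rule matches."""
    return 2 ** bin(to_int(wildcard)).count("1")

def looks_like_subnet_mask(wildcard: str) -> bool:
    """True for values such as 255.255.255.0 (ones first, then zeros),
    which usually means a subnet mask was typed into the wildcard field."""
    w = to_int(wildcard)
    inverted = ~w & ALL_BITS
    return w not in (0, ALL_BITS) and (inverted & (inverted + 1)) == 0

if __name__ == "__main__":
    # Constructed rules: the second one has the subnet mask in the wildcard field.
    rules = [("192.0.2.0", "0.0.0.255"), ("192.0.2.0", "255.255.255.0")]
    # Constructed packet source addresses.
    packets = ["192.0.2.77", "198.51.100.0", "203.0.113.9"]
    for rule_ip, wc in rules:
        flag = " (looks like a subnet mask)" if looks_like_subnet_mask(wc) else ""
        print(f"rule {rule_ip} {wc}: matches {matched_count(wc)} addresses{flag}")
        for p in packets:
            print(f"  {p:<14} -> {'match' if wildcard_match(p, rule_ip, wc) else 'no match'}")
```

With the mistaken mask only the last octet is checked, so the rule misses 192.0.2.77 and instead matches any address ending in .0, including ones outside the intended network.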