Extreme Networks ExtremeWare XOS Guide Manual page 274

Concepts guide
Access Lists (ACLs)
    entry icmp {
        if {
            source-address 10.203.134.0/24;
            protocol icmp;
            icmp-type echo-request;
        } then {
            deny;
            count icmpcnt;
        }
    }

The following example prevents TCP connections from being established from the 10.10.20.0/24 subnet,
but allows established connections to continue, and allows TCP connections to be established to that
subnet. A TCP connection is established by sending a TCP packet with the SYN flag set, so this example
blocks TCP SYN packets. This example emulates the behavior of the ExtremeWare permit-established
ACL command:
    entry permit-established {
        if {
            source-address 10.10.20.0/24;
            protocol TCP;
            tcp-flags syn;
        } then {
            deny;
        }
    }

The following entry denies every packet and increments the counter default:
    entry default {
        if {
        } then {
            deny;
            count default;
        }
    }

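The effect of the permit-established and default entries above can be checked with a small model. This Python sketch is an added example, not code from the ExtremeWare XOS guide; it assumes first-match evaluation, that a packet matching no entry is permitted, and that tcp-flags syn matches packets carrying only the SYN flag. The packets and the 192.0.2.10 peer address are constructed samples.

```python
import ipaddress

SYN, ACK = 0x02, 0x10  # TCP flag bits

# Model of two entries from this page; None means the match is not specified.
PERMIT_ESTABLISHED = {"name": "permit-established", "src": "10.10.20.0/24",
                      "proto": "tcp", "flags": SYN, "action": "deny", "count": None}
DEFAULT = {"name": "default", "src": None, "proto": None,
           "flags": None, "action": "deny", "count": "default"}

def matches(entry, pkt):
    src_net = entry["src"]
    if src_net and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(src_net):
        return False
    if entry["proto"] and pkt["proto"] != entry["proto"]:
        return False
    # Assumption: "tcp-flags syn" compares the whole flag field (SYN only),
    # so a SYN+ACK reply from the subnet is not matched.
    if entry["flags"] is not None and pkt.get("flags") != entry["flags"]:
        return False
    return True

def evaluate(policy, pkt, counters):
    """Return the action of the first matching entry (assumed: no match = permit)."""
    for entry in policy:
        if matches(entry, pkt):
            if entry["count"]:
                counters[entry["count"]] = counters.get(entry["count"], 0) + 1
            return entry["action"]
    return "permit"

# Constructed sample packets (not captured traffic).
PACKETS = {
    "syn_from_subnet":    {"src": "10.10.20.5", "dst": "192.0.2.10", "proto": "tcp", "flags": SYN},
    "synack_from_subnet": {"src": "10.10.20.5", "dst": "192.0.2.10", "proto": "tcp", "flags": SYN | ACK},
    "ack_from_subnet":    {"src": "10.10.20.5", "dst": "192.0.2.10", "proto": "tcp", "flags": ACK},
    "syn_to_subnet":      {"src": "192.0.2.10", "dst": "10.10.20.5", "proto": "tcp", "flags": SYN},
}

def run(policy):
    """Evaluate every sample packet against the policy; return verdicts and counters."""
    counters = {}
    verdicts = {name: evaluate(policy, pkt, counters) for name, pkt in PACKETS.items()}
    return verdicts, counters

if __name__ == "__main__":
    for policy in ([PERMIT_ESTABLISHED], [PERMIT_ESTABLISHED, DEFAULT]):
        print([e["name"] for e in policy], run(policy))
```

With only permit-established in the policy, the SYN from 10.10.20.5 is denied and the other three packets pass. Placing default after it denies those three as well, and the default counter reaches 3.
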
The following entry denies IPv6 packets from source addresses in the 2001:db8:c0a8::/48 subnet to
destination addresses in the 2001:db8:c0a0:1234::/64 subnet:
    entry ipv6entry {
        if {
            source-address 2001:DB8:C0A8:: / 48;
            destination-address 2001:DB8:C0A0:1234:: / 64;
        } then {
            deny;
        }
    }

Conserving ACL Masks (BlackDiamond 8800 family and Summit X450 switches only)
The BlackDiamond 8800 family and Summit X450 switches have a total of sixteen ACL masks per port
on the switch. To avoid exhausting the masks available on the switch, you must carefully plan your use
of ACL masks.
ExtremeWare XOS 11.3 Concepts Guide
