Allied Telesis SwitchBlade x3100 Series Manual page 602

Release 14.2 - issue 2
CREATE ACCESSLIST

Syntax
CREATE ACCESSLIST=accesslistname
    [ DEFAULTRULE={ PERMIT | DENY } ]
    [ IPSOURCE={ ipaddress | ANY } [ SOURCEMASK=mask ] ]
    [ IPDEST={ ipaddress | ANY } [ DESTMASK=mask ] ]
    [ MACSOURCE={ macaddress | ANY } ]
    [ MACDEST={ macaddress | ANY } ]
    [ APPLICATION={ DHCPSERVER | DHCPCLIENT | NETBIOS | FUM | TELNET |
        SSH | SNMP | FTP | TFTP } ]
    [ TCPPORTDEST={ tcp-port-list | ANY } ]
    [ TCPPORTSOURCE={ tcp-port | ANY } ]
    [ UDPPORTDEST={ udp-port-list | ANY } ]
    [ UDPPORTSOURCE={ udp-port | ANY } ]
    [ PROTOCOL={ IPV4 | IPV6 | protocol-type | ANY }
        [ IPPROTOCOL={ TCP | UDP | ICMP | IGMP | ipprotocol-type | ANY } ] ]
    [ INTERFACE={ type:id-range | id-range | ifname-list } ]

Description
Creates an ACCESSLIST. ACCESSLISTs are used to filter traffic at ingress to an interface
or set of interfaces. An ACCESSLIST contains a group of RULEs, each of which supports
performing an action on certain received packets. Actions are restricted to blocking or
allowing traffic. The use of RULE and/or INTERFACE during the creation of ACCESSLISTs
is optional. RULEs may be added to the ACCESSLIST and/or the ACCESSLIST added to
INTERFACEs later using the ADD ACCESSLIST commands. An ACCESSLIST RULE has:

A match rule, which is a set of fieldname/fieldvalue pairs that discriminate among packets.
A packet matches this rule only if all of the specified fields have the values specified. A
match rule with no fieldname/fieldvalue pairs specified would match all packets.

The action that is to be performed if the incoming packet matches the RULE's match
rule. The valid actions are PERMIT and DENY. The match rule and action are specified
together by the CREATE ACCESSLIST, ADD ACCESSLIST RULE, and SET ACCESSLIST
RULE commands.

The numbering of ACCESSLIST RULEs represents the relative precedence of that RULE
to other RULEs in the list. RULE 1 is checked before RULE 2 and so on. For example, if
RULE 1 is a DENY that matches IPSOURCE 1.1.1.1 and RULE 2 is a PERMIT that
matches all packets, then all packets are PERMITTED except those from the address
1.1.1.1. RULE numbers can change as RULEs are inserted or removed.

All ACCESSLISTs contain the DEFAULTRULE, which has the default DENY. (This can be
changed to PERMIT.) This means that a default ACCESSLIST (i.e. one created by CREATE
ACCESSLIST with no rules) would always drop all packets.
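As an added example (not part of the manual), a small Python model of the RULE evaluation semantics just described: numeric precedence, all-fields-must-match, the catch-all empty match rule, and the DEFAULTRULE. The ACCESSLIST and packet dictionaries, the field names accepted, and the shadowed_rules ordering check are assumptions of this model, not switch commands.

```python
import ipaddress

# Constructed model of the evaluation semantics described above, not the
# switch firmware: RULEs are checked in numeric order, a packet matches a RULE
# only if every specified field matches, a RULE with no match fields matches
# everything, and the DEFAULTRULE decides when no RULE matches.
IP_FIELDS = {"IPSOURCE": "SOURCEMASK", "IPDEST": "DESTMASK"}

def _ip_match(packet_ip, rule_ip, mask):
    """IPSOURCE/IPDEST are compared through the optional SOURCEMASK/DESTMASK."""
    if rule_ip == "ANY":
        return True
    net = ipaddress.ip_network(f"{rule_ip}/{mask or '255.255.255.255'}", strict=False)
    return ipaddress.ip_address(packet_ip) in net

def rule_matches(rule, packet):
    for field, value in rule.items():
        if field == "ACTION" or field in IP_FIELDS.values():
            continue                    # not match criteria on their own
        if field not in packet:
            return False                # packet lacks the field the RULE tests
        if field in IP_FIELDS:
            if not _ip_match(packet[field], value, rule.get(IP_FIELDS[field])):
                return False
        elif value != "ANY" and packet[field] != value:
            return False
    return True

def evaluate(accesslist, packet):
    """Return (action, rule_number); rule_number is None when DEFAULTRULE applies."""
    for number, rule in enumerate(accesslist["RULES"], start=1):
        if rule_matches(rule, packet):
            return rule["ACTION"], number
    return accesslist.get("DEFAULTRULE", "DENY"), None

def shadowed_rules(accesslist):
    """RULE numbers never reached because an earlier RULE has no match fields."""
    for number, rule in enumerate(accesslist["RULES"], start=1):
        if all(k == "ACTION" for k in rule):
            return list(range(number + 1, len(accesslist["RULES"]) + 1))
    return []

# Constructed lists: the page's example (RULE 1 denies IPSOURCE 1.1.1.1, RULE 2
# permits all), the same RULEs in the wrong order (the DENY becomes unreachable),
# and a list created with no RULEs (only the DEFAULTRULE, so it drops everything).
EXAMPLE_ACL = {"DEFAULTRULE": "DENY",
               "RULES": [{"ACTION": "DENY", "IPSOURCE": "1.1.1.1"}, {"ACTION": "PERMIT"}]}
REVERSED_ACL = {"DEFAULTRULE": "DENY", "RULES": EXAMPLE_ACL["RULES"][::-1]}
EMPTY_ACL = {"DEFAULTRULE": "DENY", "RULES": []}
```

Running shadowed_rules over a list before applying it to an INTERFACE catches the reversed-order mistake, where a catch-all PERMIT placed first makes every later DENY dead.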

An ACCESSLIST may be associated with many INTERFACEs. ACCESSLISTs are associated
to INTERFACEs during creation using the CREATE ACCESSLIST command or after-
6-42
Software Reference for SwitchBlade x3100 Series Switches (Access and Security)
Configuring ACL