Defining global rules
In an access control list, you can define global rules for packets that contain IP fragments and IP options. These rules apply to all packets. This is in contrast to individual rules, which apply to packets that match certain defined criteria. See Defining rules on page 539.
The G250/G350 applies global rules before applying individual rules.
1. Enter the context of the access control list in which you want to define the rule.
2. Enter one of the following commands, followed by the name of a composite command:
- ip-fragments-in — applies to incoming packets that contain IP fragments
- ip-fragments-out — applies to outgoing packets that contain IP fragments
- ip-options-in — applies to incoming packets that contain IP options
- ip-options-out — applies to outgoing packets that contain IP options
The composite command can be any command defined in the composite operation list. These
commands are case-sensitive. To view the composite operation list for the access control list
you are working with, type the command show composite-operation in the context of the
access control list.
The following example defines a rule in Access Control List 301 that denies access to all
incoming packets that contain IP fragments:
G350-001(super)# ip access-control-list 301
G350-001(super/ACL 301)# ip-fragments-in Deny
Done!
Defining rules
You can configure policy rules to match packets based on one or more of the following criteria:
● Source IP address, or a range of addresses
● Destination IP address, or a range of addresses
● IP protocol, such as TCP, UDP, ICMP, IGMP
● Source TCP or UDP port, or a range of ports
● Destination TCP or UDP port, or a range of ports
● ICMP type and code
● Fragment
● DSCP
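The following Python model is added here as an illustration; it is not part of the Avaya documentation or of the G250/G350 software. It shows the evaluation order described under Defining global rules (the global ip-fragments-in and ip-options-in rules are checked before any individual rule) together with individual rules matched on the criteria listed above. The packet fields, the rule representation, first-match evaluation of individual rules, the explicit default action, and the composite operation name Permit are assumptions made for the model; only Deny appears on the page.

```python
"""Model of ACL evaluation order: global rules for IP fragments and IP
options first, then individual rules matched on the listed criteria.
Added example, not Avaya code; field names and first-match behaviour
are assumptions for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp", "icmp", "igmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    fragment: bool = False            # packet carries an IP fragment
    ip_options: bool = False          # packet carries IP options
    dscp: int = 0


@dataclass
class Rule:
    """One individual rule; every criterion left as None is a wildcard."""
    action: str                       # composite operation name, e.g. "Deny"
    src: Optional[str] = None         # address or range in CIDR form
    dst: Optional[str] = None
    proto: Optional[str] = None
    sports: Optional[range] = None    # source port range
    dports: Optional[range] = None    # destination port range
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    fragment: Optional[bool] = None
    dscp: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all([
            self.src is None or ip_address(p.src) in ip_network(self.src, strict=False),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst, strict=False),
            self.proto is None or p.proto == self.proto,
            self.sports is None or (p.sport is not None and p.sport in self.sports),
            self.dports is None or (p.dport is not None and p.dport in self.dports),
            self.icmp_type is None or p.icmp_type == self.icmp_type,
            self.icmp_code is None or p.icmp_code == self.icmp_code,
            self.fragment is None or p.fragment == self.fragment,
            self.dscp is None or p.dscp == self.dscp,
        ])


@dataclass
class AccessControlList:
    number: int
    default_action: str               # assumed explicit default (not stated on the page)
    ip_fragments_in: Optional[str] = None   # global rule: composite operation or None
    ip_options_in: Optional[str] = None     # global rule: composite operation or None
    rules: List[Rule] = field(default_factory=list)

    def evaluate_inbound(self, p: Packet) -> str:
        # Global rules are applied before any individual rule is consulted.
        if p.fragment and self.ip_fragments_in is not None:
            return self.ip_fragments_in
        if p.ip_options and self.ip_options_in is not None:
            return self.ip_options_in
        # Individual rules: first matching rule wins (assumption of this model).
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default_action


def build_example_acl() -> AccessControlList:
    """ACL 301 as on the page (ip-fragments-in Deny) plus constructed rules."""
    acl = AccessControlList(301, default_action="Deny",
                            ip_fragments_in="Deny", ip_options_in="Deny")
    acl.rules.append(Rule("Deny", proto="icmp", icmp_type=8))          # drop echo requests
    acl.rules.append(Rule("Permit", src="10.1.0.0/16", proto="tcp",
                          dports=range(80, 81)))                       # web from one subnet
    acl.rules.append(Rule("Permit", src="10.1.0.0/16", proto="icmp"))  # other ICMP from it
    return acl


if __name__ == "__main__":
    acl = build_example_acl()
    # A fragment that an individual rule would permit is still denied by the global rule.
    print(acl.evaluate_inbound(Packet("10.1.2.3", "10.9.9.9", "tcp",
                                      sport=40000, dport=80, fragment=True)))
```

The point the model makes visible is that a fragment matching a Permit rule on address, protocol and port is still handled by the global ip-fragments-in rule, because that rule is consulted first and never reaches the individual rules.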
Issue 3 February 2007