The composite command can be any command defined in the composite operation list. These
commands are case-sensitive. To view the composite operation list for the access control list
you are working with, type the command
mode of the access control list.
The following example defines a rule in Access Control List 301 that denies access to all
incoming packets that contain IP fragments:
W310-1(super)# ip access-control-list 301
W310-1(super/ACL 301)# ip-fragments-in Deny
Done!
Defining Rules
This section provides information on how to configure rules in a policy list and contains the
following topics:
•
Overview of Rule Criteria
policy rules
•
Editing and Creating Rules
•
Rule Criteria
Overview of Rule Criteria
You can configure policy rules to match packets based on one or more of the following
criteria:
•
Source IP address, or a range of addresses
•
Destination IP address or a range of addresses
•
IP protocol, such as TCP, UDP, ICMP, IGMP
•
Source TCP or UDP port or a range of ports
•
Destination TCP or UDP port or a range of ports
•
ICMP type and code
Use IP wildcards to specify a range of source or destination IP addresses. The zero bits in the
wildcard correspond to bits in the IP address that remain fixed. The one bits in the wildcard
correspond to bits in the IP address that can vary. Note that this is the opposite of how bits
are used in a subnet mask.
For access control lists, you can require the packet to be part of an established TCP session.
If the packet is a request for a new TCP session, the packet does not match the rule. You can
also specify whether an access control list accepts packets that have an IP option field.
Avaya W310 User's Guide
show composite-operation
— an overview of the criteria that can be used in configuring
— instructions on how to edit or create a policy rule
— instructions on how to configure a policy rule's criteria
Configuring Policy
in the context mode
249