Foundry Networks Switch and Router Installation And Configuration Manual page 1015

USING THE CLI
EXAMPLE:
To configure an IP access policy that globally accepts all FTP traffic without regard to network orientation, use the
wildcard value 'any' in place of an IP address and enter the following command:
FastIron(config)# ip access-policy 1 permit any any tcp eq ftp
EXAMPLE:
To configure an IP access policy that accepts only FTP traffic from a specific network, enter the following
command:
FastIron(config)# ip access-policy 1 permit 192.38.5.54 255.255.255.0 195.38.5.53 255.255.255.0 tcp eq ftp
The following syntax applies to Chassis devices.
Syntax: ip access-policy <num> deny | permit <ip-addr> <ip-mask> | any <ip-addr> <ip-mask> | any icmp | igmp | igrp | ospf | tcp | udp | <num> [<operator> [<tcp/udp-port-num>]] [log]
ip access-policy-group in | out <policy-list>
The following syntax applies to Stackable devices.
Syntax: ip access-policy <num> deny | permit <ip-addr> <ip-mask> | any <ip-addr> <ip-mask> | any tcp | udp [<operator> [<tcp/udp-port-num>]] [log]
ip access-policy-group in | out <policy-list>
The <num> parameter is the policy number.
The deny | permit parameter specifies the action the router takes if a packet matches the policy.
If you specify deny, the router drops the packet.
If you specify permit, the router forwards the packet.
The <ip-addr> <ip-mask> | any <ip-addr> <ip-mask> | any parameters specify the source and destination IP
addresses. If you specify a particular IP address, you also need to specify the mask for that address. If you
specify any to apply the policy to all source or destination addresses, you do not need to specify any again for the
mask. Make sure you specify a separate address and mask or any for the source and destination address.
The icmp | igmp | igrp | ospf | tcp | udp | <num> parameter specifies the IP protocol to which you are applying
the policy. If you specify tcp or udp, you also can use the optional <operator> and <tcp/udp-port-num>
parameters to fine-tune the policy to apply to specific TCP or UDP ports.
The <operator> parameter applies only if you use the tcp or udp parameter above. Use the <operator>
parameter to specify the comparison condition for the specific TCP or UDP ports. For example, if you are
configuring QoS for HTTP, specify tcp eq http. You can enter one of the following operators:
eq – The policy applies to the TCP or UDP port name or number you enter after eq.
gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent
of the port name you enter after gt.
lt – The policy applies to TCP or UDP port numbers that are less than the port number or the numeric
equivalent of the port name you enter after lt.
neq – The policy applies to all TCP or UDP port numbers except the port number or port name you enter after
neq.
range – The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name
or number and the second one you enter following the range parameter. The range includes the port names
or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53
(DNS), enter the following: range 23 53. The first port number in the range must be lower than the last
number in the range.
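
The syntax rules above, as an added example that is not from the Foundry manual: a Python parser for the Chassis form of ip access-policy that enforces the mask, operator and range constraints and evaluates the port operators, which is useful when auditing a saved configuration offline. The PORT_NAMES table is an assumed subset covering only the port names this page uses, and the function names are hypothetical.

```python
PROTOCOLS = {"icmp", "igmp", "igrp", "ospf", "tcp", "udp"}
OPERANDS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # ports per operator
PORT_NAMES = {"ftp": 21, "http": 80}  # assumed subset: names the page uses

def _addr(toks):
    """Consume 'any' or '<ip-addr> <ip-mask>' from the front of toks."""
    if toks and toks[0] == "any":
        return "any", toks[1:]
    if len(toks) < 2 or toks[1].count(".") != 3:
        raise ValueError("an address must be followed by its mask")
    return (toks[0], toks[1]), toks[2:]

def parse_policy(line):
    """Parse one 'ip access-policy' command into a dict, or raise ValueError."""
    toks = line.split()
    if toks[:2] != ["ip", "access-policy"] or len(toks) < 5:
        raise ValueError("not an ip access-policy command")
    if toks[3] not in ("permit", "deny"):
        raise ValueError("action must be deny or permit")
    src, rest = _addr(toks[4:])   # source: address+mask, or any
    dst, rest = _addr(rest)       # destination: address+mask, or any
    if not rest or not (rest[0] in PROTOCOLS or rest[0].isdigit()):
        raise ValueError("missing or unknown IP protocol")
    proto, rest = rest[0], rest[1:]
    log = rest[-1:] == ["log"]    # optional trailing keyword
    rest = rest[:-1] if log else rest
    op, ports = None, []
    if rest:
        if proto not in ("tcp", "udp"):
            raise ValueError("operators apply only to tcp or udp")
        op = rest[0]
        if OPERANDS.get(op) != len(rest) - 1:
            raise ValueError("bad operator or port count")
        ports = [PORT_NAMES[p] if p in PORT_NAMES else int(p) for p in rest[1:]]
        if op == "range" and ports[0] >= ports[1]:
            raise ValueError("first port in a range must be lower than the last")
    return {"num": int(toks[2]), "action": toks[3], "src": src, "dst": dst,
            "proto": proto, "op": op, "ports": ports, "log": log}

def port_matches(policy, port):
    """Apply the policy's operator to a TCP/UDP port; no operator matches all."""
    op, p = policy["op"], policy["ports"]
    if op is None:
        return True
    return {"eq": lambda: port == p[0], "neq": lambda: port != p[0],
            "gt": lambda: port > p[0], "lt": lambda: port < p[0],
            "range": lambda: p[0] <= port <= p[1]}[op]()
```
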
December 2000
Policies and Filters
C - 11
