Foundry Networks Switch and Router Installation And Configuration Manual page 1020


Foundry Switch and Router Installation and Configuration Guide
• Less – The policy applies to TCP or UDP port numbers that are less than the port number or the numeric
  equivalent of the port name you specify.
• Not Equal – The policy applies to all TCP or UDP port numbers except the port number or port name you
  specify.
• Established (applies only to TCP) – This operator applies only to TCP packets. If you use this operator,
  the policy applies to TCP packets that have the ACK (Acknowledgment) or RST (Reset) bits set on
  (set to "1") in the Control Bits field of the TCP packet header. Thus, the policy applies only to established
  TCP sessions, not to new sessions. See Section 3.1, "Header Format", in RFC 793 for information about
  this field.
• Range – The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port
  name or number and the second one you specify. The range includes the port names or numbers you
  enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS),
  specify the following: "23 53". The first port number in the range must be lower than the last number in
  the range.
11. If you selected a comparison operator, enter the port number in the TCP/UDP port field. For example, if you
selected TCP and Equal and you want to filter on HTTP traffic, enter the value 80 (the well-known port
number for HTTP).
NOTE: You must enter the port's number instead of the well-known name.
12. Click the Add button to save the change to the device's running-config file.
13. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change
to the startup-config file on the device's flash memory.
14. Go to "Applying IP Access Policies to Ports" on page C-16. The policy does not take effect until you apply it
to a port.
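The operator semantics described above can be checked against packet headers with a short script. This is an added example, not code from the Foundry manual or the device; the function names and operator strings are hypothetical, and the headers are constructed sample input. It shows that the Established operator is decided only by the ACK and RST bits of the individual TCP header, and that Range includes both end points.

```python
import struct

# TCP Control Bits masks (RFC 793, Section 3.1)
RST = 0x04
ACK = 0x10
SYN = 0x02

def parse_tcp_header(segment: bytes):
    """Return (src_port, dst_port, flags) from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return src, dst, off_flags & 0x3F  # low 6 bits: URG ACK PSH RST SYN FIN

def operator_matches(op, port, flags=0, proto="tcp", operand=None):
    """Evaluate one comparison operator as the text above describes it."""
    if op == "equal":
        return port == operand
    if op == "less":
        return port < operand
    if op == "not-equal":
        return port != operand
    if op == "range":
        first, last = operand
        if first >= last:
            raise ValueError("first port in range must be lower than the last")
        return first <= port <= last      # range includes both end points
    if op == "established":
        # TCP only; a test of the ACK/RST header bits, nothing else
        return proto == "tcp" and bool(flags & (ACK | RST))
    raise ValueError(f"unknown operator: {op}")

def build_header(src, dst, flags):
    """Constructed sample input: minimal 20-byte TCP header."""
    return struct.pack("!HHIIHHHH", src, dst, 1, 0, (5 << 12) | flags, 8192, 0, 0)

if __name__ == "__main__":
    samples = {"SYN only": SYN, "SYN+ACK": SYN | ACK, "RST": RST, "ACK": ACK}
    for name, flags in samples.items():
        src, dst, f = parse_tcp_header(build_header(40000, 80, flags))
        print(f"{name:8} established={operator_matches('established', dst, f)}")
```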
Modifying or Deleting an IP Access Policy
To modify or delete an IP access policy:
1. Log on to the device using a valid user name and password for read-write access. The System configuration
dialog is displayed.
2. Click on the plus sign next to Configure in the tree view to expand the list of configuration options.
3. Click on the plus sign next to IP in the tree view to expand the list of IP option links.
4. Click the Access Policy link to display the IP Access Policy table.
5. Click the Modify or Delete button on the row for the policy you want to modify or delete.
6. Select the Save link at the bottom of the dialog. Select Yes when prompted to save the configuration change
to the startup-config file on the device's flash memory.
7. If you modified a policy that is not yet assigned to a port, go to "Applying IP Access Policies to Ports" on
page C-16. The policy does not take effect until you apply it to a port.
Applying IP Access Policies to Ports
Once you define an IP access policy, you can apply it to the inbound or outbound traffic on a port by configuring an
IP access policy group for the port. Policies within the group are applied in positional order from left to right. Make
sure you specify the policies in the order you want the device to apply them.
USING THE CLI
To assign IP access policies 2, 3, and 5 to port 1 on module 2 of a Chassis device, enter the following commands:
BigIron(config)# interface e 2/1
BigIron(config-if-2/1)# ip access-policy-group in 2 3 5
Syntax: ip access-policy-group in | out <policy-list>
C - 16
December 2000
