Intel 480T User Manual page 257

Netstructure 480t routing switch

CHAPTER 14
Access Policies
"implicit deny" or "implicit accept". If no access list entry is
satisfied, the default rule is used to determine whether the packet is
forwarded or dropped. If no default entry is specified, the implicit
behavior is to forward the packet.
The following example shows a default entry that is used to perform
an explicit deny function:
    create access-list denyall ip dest 0.0.0.0/0 source 0.0.0.0/0 deny ports any
Once the default behavior of the access list is established, you may
create additional entries with precedence. The optional precedence
numbers range from 1 to 255, with the number 1 having the highest
precedence.
The following access-list example performs packet filtering in this
sequence, as determined by the precedence value:
1. Deny UDP port 32 and TCP port 23 traffic to the 10.2.X.X network.
2. All other TCP port 23 traffic destined for other 10.X.X.X networks is permitted using Qp4.
3. All remaining traffic to 10.2.0.0 uses QoS profile Qp3.
With no default rule specified, all remaining traffic is allowed using
the default QoS profile.
    create access-list deny102_32 udp dest 10.2.0.0/16 ip-port 32 source any ip-port any deny ports any precedence 10
    create access-list deny102_23 tcp dest 10.2.0.0/16 ip-port 23 source any ip-port any deny ports any precedence 20
    create access-list allow10_23 tcp dest 10.0.0.0/8 ip-port 23 source any ip-port any allow qosprofile qp4 ports any precedence 30
    create access-list allow102 ip dest 10.2.0.0/16 source 0.0.0.0/0 allow qosprofile qp3 ports any precedence 40
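
The lookup order described above, as an added example that is not from the manual and is a simplified model rather than the switch's implementation: entries are tried in precedence order, then the default entry, then the implicit forward. Entry, RULES, DENYALL and evaluate are hypothetical names; the model assumes matching on protocol, destination prefix and destination port only, and treats the 10.X.X.X rule as 10.0.0.0/8, following the prose.

```python
# Added illustration: a simplified model of the lookup order, not switch code.
# Entry, RULES, DENYALL and evaluate are names invented for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    name: str
    proto: str                        # "ip" matches any protocol; "tcp"/"udp" only themselves
    dest: str                         # destination prefix
    dport: Optional[int]              # None = any destination port
    action: str                       # "deny" or "allow"
    qos: Optional[str] = None         # None = default QoS profile
    precedence: Optional[int] = None  # None marks a default entry

    def matches(self, proto: str, dst: str, dport: int) -> bool:
        return (self.proto in ("ip", proto)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dest)
                and self.dport in (None, dport))

# The four entries from the text (10.X.X.X rule modelled as 10.0.0.0/8: assumption).
RULES = [
    Entry("deny102_32", "udp", "10.2.0.0/16", 32, "deny", precedence=10),
    Entry("deny102_23", "tcp", "10.2.0.0/16", 23, "deny", precedence=20),
    Entry("allow10_23", "tcp", "10.0.0.0/8", 23, "allow", "qp4", 30),
    Entry("allow102", "ip", "10.2.0.0/16", None, "allow", "qp3", 40),
]
DENYALL = Entry("denyall", "ip", "0.0.0.0/0", None, "deny")  # explicit default deny

def evaluate(rules, proto, dst, dport):
    """Return (entry name, action, qos) for one packet."""
    ranked = sorted((r for r in rules if r.precedence is not None),
                    key=lambda r: r.precedence)   # 1 = highest precedence
    defaults = [r for r in rules if r.precedence is None]
    for r in ranked + defaults:
        if r.matches(proto, dst, dport):
            return (r.name, r.action, r.qos)
    return ("implicit", "allow", None)            # no default entry: forwarded

if __name__ == "__main__":
    # Constructed sample packets: (protocol, destination IP, destination port)
    packets = [("udp", "10.2.1.1", 32), ("tcp", "10.2.1.1", 23),
               ("tcp", "10.3.4.5", 23), ("tcp", "10.2.1.1", 80),
               ("tcp", "192.0.2.10", 80)]
    for p in packets:
        print(p, "no default:", evaluate(RULES, *p),
              "| with denyall:", evaluate(RULES + [DENYALL], *p))
```

The last sample packet matches no entry: it is forwarded when no default entry exists and dropped once the explicit denyall entry is added.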