Specifications

acl permit|deny ip
46 SSR Command Line Interface Reference Manual
<DstAddr/Mask> The destination address and the filtering mask of this flow. The same
requirements and restrictions for <SrcAddr/Mask> apply to
<DstAddr/Mask>.
<SrcPort> For TCP or UDP, the number of the source TCP or UDP port. This field
applies only to TCP or UDP traffic. If the incoming packet is ICMP or
another non-TCP or non-UDP packet and you specified a source or
destination port, the SSR does not check the port value. The SSR checks
only the source and destination IP addresses in the packet.
You can specify a range of port numbers using operator symbols; for
example, 10-20 (between 10 and 20 inclusive), >1024 (greater than 1024),
<1024 (less than 1024), !=1024 (not equal to 1024). The port numbers of
some popular services are already defined as keywords. For example,
for Telnet, you can enter the port number 23 as well as the keyword
telnet.
<DstPort> For TCP or UDP, the number of the destination TCP or UDP port. This
field applies only to incoming TCP or UDP traffic. The same
requirements and restrictions for <SrcPort> apply to <DstPort>.
<tos> IP TOS (Type of Service) value. You can specify a TOS value from 0 – 15.
accounting Valid with the permit command only. This keyword causes LFAP
accounting information to be sent to the configured server for flows
that match the ACL.
Restrictions
When you apply an ACL to an interface, the SSR appends an implicit deny rule to that ACL.
The implicit deny rule denies all traffic. If you intend to allow all traffic that doesn't
match your specified ACL rules to go through, you must explicitly define a rule to permit
all traffic.
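The following Python model is an added illustration, not SSR code or part of the manual. It shows how the port operators, the port check that applies only to TCP and UDP, and the implicit deny interact. The tuple and dict layout, the helper names, the sample packets and first-match rule ordering are assumptions made for the example.

```python
import ipaddress

KEYWORDS = {"telnet": 23}  # only the keyword this manual page names

def port_matches(spec, port):
    """Port spec forms from the manual: N, keyword, A-B, >N, <N, !=N; None = not specified."""
    if spec is None:
        return True
    spec = str(KEYWORDS.get(spec, spec))
    if spec.startswith("!="):
        return port != int(spec[2:])
    if spec[0] in "<>":
        n = int(spec[1:])
        return port < n if spec[0] == "<" else port > n
    if "-" in spec:
        lo, hi = map(int, spec.split("-", 1))
        return lo <= port <= hi  # range is inclusive
    return port == int(spec)

def addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, pkt):
    """rules: (action, src, dst, sport, dport) tuples, tried in order (assumed first match)."""
    for action, src, dst, sport, dport in rules:
        if not (addr_matches(src, pkt["src"]) and addr_matches(dst, pkt["dst"])):
            continue
        # Port fields are compared only for TCP/UDP; other protocols match on addresses alone.
        if pkt["proto"] in ("tcp", "udp") and not (
            port_matches(sport, pkt["sport"]) and port_matches(dport, pkt["dport"])
        ):
            continue
        return action
    return "deny"  # implicit deny appended when the ACL is applied to an interface

# Constructed sample ACL and packets (hypothetical values for illustration)
ACL = [("deny", "any", "any", "<1024", None),
       ("permit", "10.1.0.0/16", "any", None, None)]

def pkt(proto, src, sport=None, dport=None, dst="192.0.2.10"):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport}

if __name__ == "__main__":
    for p in (pkt("tcp", "10.1.2.3", 40000, 23), pkt("tcp", "10.1.2.3", 80, 23),
              pkt("icmp", "10.1.2.3"), pkt("udp", "172.16.0.1", 5000, 53)):
        print(p["proto"], p["src"], p["sport"], "->", evaluate(ACL, p))
```

In this model the ICMP packet is denied by the port-qualified first rule because only its addresses are compared, and the UDP packet from 172.16.0.1 falls through to the implicit deny until an explicit permit-all rule is appended.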
Examples
To create an ACL to permit IP traffic from the subnet 10.1.0.0 (with a 16-bit netmask) to
any destination:
ssr(config)# acl 100 permit ip 10.1.0.0/16 any
The following command creates an ACL to deny any incoming TCP or UDP traffic coming
from a privileged port (less than 1024). If the incoming traffic is not TCP or UDP, then the