Adit 3000 Series and Multi-Service Router (MSR) Card CLI Reference Manual

Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) CLI 4-5
Global Configuration Mode
Global Configuration Commands
access-list
Use the access-list command to configure the advanced filtering entries. To delete an access list, see the
no access-list command on page 4-37.
Syntax: (config)# access-list rule {new|rule-name} apply {eth-lan|
eth-wan|final|initial|ppp-wan} direction {in|out} operation
{accept|accept-packet|drop|reject} time-range {always|
schedule-name} src-host {address|address-range|any} dst-host
{address|address-range|any} service service-id frag
{enable|none} log {enable|none}
Field           Definition
new             Create a new access list rule. Note: Do not use this new option
                when using an Automated Provisioning System.
rule-name       Enter the name of an existing rule to apply this command to.
eth-lan         Ethernet LAN interface.
eth-wan         Ethernet WAN interface.
initial         Initial rules defined here will be applied first to the
                interface.
final           Final rules defined here will be applied last to the interface.
ppp-wan         PPP WAN interface.
in              Filter the incoming traffic only.
out             Filter the outgoing traffic only.
accept          Allow access to packets that match the criteria defined. The
                data transfer session will be handled using Stateful Packet
                Inspection (SPI), meaning that other packets matching this rule
                will be automatically allowed access.
accept-packet   Allow access to packets that match the criteria defined. The
                data transfer session will not be handled using SPI, meaning
                that other packets matching this rule will not be automatically
                allowed access. This can be useful, for example, when creating
                rules that follow broadcasting.
drop            Deny access to packets that match the source and destination IP
                addresses and service ports defined above.
reject          Deny access to packets that match the criteria defined, and
                send an ICMP error or a TCP reset to the originating peer.
always          This rule will always take effect. Default.
schedule-name   Apply the defined schedule times to this rule.
src-host        The source address of packets sent or received from the LAN
                computer. This entry is mandatory when denying a rule.
                  address - enter the source IP address.
                  address-range - enter a range of source IP addresses.
                  any - allow any IP address.
dst-host        Destination address of packets sent or received from the
                network object.
                  address - enter the destination IP address.
                  address-range - enter a range of destination IP addresses.
                  any - allow any IP address.
service-id      Enter the service number to apply the rule to. Note: The
                Service ID number can be displayed with the show service
                command, on page 3-61.
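
The Syntax line above can be turned into a pre-deployment check for provisioning scripts. The following is an added example, not part of the manual or of the Adit software: it assumes every keyword is given in the order the Syntax line shows and that each operand is a single token (the manual does not give the address-range format here). The function names, the sample address and service ID 5 are constructed for illustration.

```python
# Keywords in the order of the Syntax line; a set lists the literal choices,
# None marks a free-form operand (rule name, schedule, address, service number).
GRAMMAR = [
    ("rule", None),
    ("apply", {"eth-lan", "eth-wan", "final", "initial", "ppp-wan"}),
    ("direction", {"in", "out"}),
    ("operation", {"accept", "accept-packet", "drop", "reject"}),
    ("time-range", None),
    ("src-host", None),
    ("dst-host", None),
    ("service", None),
    ("frag", {"enable", "none"}),
    ("log", {"enable", "none"}),
]

def parse_access_list(line):
    """Parse one access-list command into a dict; raise ValueError if malformed."""
    tokens = line.split()
    if tokens[:1] == ["(config)#"]:        # tolerate a pasted prompt
        tokens = tokens[1:]
    if tokens[:1] != ["access-list"]:
        raise ValueError("not an access-list command")
    tokens = tokens[1:]
    if len(tokens) != 2 * len(GRAMMAR):    # assumption: all fields are given
        raise ValueError("expected %d keyword/value pairs" % len(GRAMMAR))
    rule = {}
    for i, (keyword, choices) in enumerate(GRAMMAR):
        key, value = tokens[2 * i], tokens[2 * i + 1]
        if key != keyword:
            raise ValueError("expected keyword %r, got %r" % (keyword, key))
        if choices is not None and value not in choices:
            raise ValueError("%s: %r is not one of %s" % (keyword, value, sorted(choices)))
        rule[keyword] = value
    if not rule["service"].isdigit():
        raise ValueError("service must be a service ID number")
    return rule

def review(rule, automated=False):
    """Return findings drawn from the field notes in this section."""
    findings = []
    if automated and rule["rule"] == "new":
        findings.append("'new' must not be used with an Automated Provisioning System")
    if rule["operation"] == "accept-packet":
        findings.append("accept-packet: session is not tracked by SPI")
    return findings

# Constructed sample; the address and service ID 5 are placeholders.
SAMPLE = ("(config)# access-list rule new apply eth-wan direction in "
          "operation drop time-range always src-host 192.0.2.10 "
          "dst-host any service 5 frag none log enable")
```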