System information

4-4 Adit 3000 CLI - Release 1.6
Global Configuration Mode
access-list
Use the access-list command to configure the advanced filtering entries. To delete an access list, see the
no access-list command on page 4-34.
Syntax: (config)# access-list rule {new|rule-name} apply {eth-lan|
eth-wan|final|initial|ppp-wan} direction {in|out} operation
{accept|accept-packet|drop|reject} time-range {always|
schedule-name} src-host {address|address-range|any} dst-host
{address|address-range|any} service service-id frag
{enable|none} log {enable|none}
Example: (config)# access-list rule new apply eth-lan direction in
operation accept time-range always src-host any dst-host any
service 16777220 frag none log none
Supported Platforms:
Adit 3104, Adit 3200, Adit 3500
Field           Definition

new             Create a new access list rule. Note: Do not use this new option when
                using an Automated Provisioning System.
rule-name       Enter an existing rule name to apply this command to.
eth-lan         Ethernet LAN interface.
eth-wan         Ethernet WAN interface.
initial         Initial rules defined here will be applied first to the interface.
final           Final rules defined here will be applied last to the interface.
ppp-wan         PPP WAN interface.
in              Filter the incoming traffic only.
out             Filter the outgoing traffic only.
accept          Allow access to packets that match the criteria defined. The data transfer
                session will be handled using Stateful Packet Inspection (SPI), meaning
                that other packets matching this rule will be automatically allowed access.
accept-packet   Allow access to packets that match the criteria defined. The data transfer
                session will not be handled using SPI, meaning that other packets
                matching this rule will not be automatically allowed access. This can be
                useful, for example, when creating rules that follow broadcasting.
drop            Deny access to packets that match the source and destination IP addresses
                and service ports defined above.
reject          Deny access to packets that match the criteria defined, and send an ICMP
                error or a TCP reset to the originating peer.
always          This rule will always take effect. Default.
schedule-name   Apply the defined schedule times to this rule.
src-host        The source address of packets sent or received from the LAN computer.
                This entry is mandatory when denying a rule.
                  address - enter the source IP address
                  address-range - enter a range of source IP addresses
                  any - allow any IP address
dst-host        Destination address of packets sent/received from the network object.
                  address - enter the destination IP address
                  address-range - enter a range of destination IP addresses
                  any - allow any IP address
service-id      Enter the service number to apply the rule to. Note: The service ID number
                can be displayed with the show service command, on page 3-54.
frag            enable - Enable fragmentation.
                none - Do not allow fragmentation.
log             Enables or disables logging of packets matched by this rule.
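
Added example (Python, not from the Adit 3000 documentation): a checker that validates an access-list command against the Syntax line above and flags permit rules worth a second look during a configuration review. The function names and the audit policy are assumptions of this example, and every value, including an address range, is assumed to be a single token with no spaces.

```python
# Keyword order and enumerated values are taken from the Syntax line on this page.
# None marks a free-form value (rule name, schedule name, address, service ID).
FIELDS = [
    ("rule", None),
    ("apply", {"eth-lan", "eth-wan", "final", "initial", "ppp-wan"}),
    ("direction", {"in", "out"}),
    ("operation", {"accept", "accept-packet", "drop", "reject"}),
    ("time-range", None),
    ("src-host", None),
    ("dst-host", None),
    ("service", None),
    ("frag", {"enable", "none"}),
    ("log", {"enable", "none"}),
]

def parse_rule(line):
    """Parse one access-list command into a dict; raise ValueError on bad syntax."""
    tokens = line.split()
    if tokens and tokens[0] == "(config)#":      # tolerate a pasted prompt
        tokens = tokens[1:]
    if not tokens or tokens[0] != "access-list":
        raise ValueError("not an access-list command")
    tokens = tokens[1:]
    if len(tokens) != 2 * len(FIELDS):
        raise ValueError("expected %d keyword/value pairs" % len(FIELDS))
    rule = {}
    for i, (keyword, allowed) in enumerate(FIELDS):
        key, value = tokens[2 * i], tokens[2 * i + 1]
        if key != keyword:
            raise ValueError("expected '%s', got '%s'" % (keyword, key))
        if allowed is not None and value not in allowed:
            raise ValueError("invalid value '%s' for %s" % (value, keyword))
        rule[keyword] = value
    return rule

def audit(rule):
    """Hypothetical review policy (not from the manual): flag broad or silent permits."""
    findings = []
    permits = rule["operation"] in ("accept", "accept-packet")
    if permits and rule["src-host"] == "any" and rule["dst-host"] == "any":
        findings.append("permits any source to any destination")
    if permits and rule["log"] == "none":
        findings.append("permit rule has logging disabled")
    return findings

# The Example command from this page, joined onto one line.
EXAMPLE = ("(config)# access-list rule new apply eth-lan direction in operation accept "
           "time-range always src-host any dst-host any service 16777220 frag none log none")
```
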