Specifications

ManualsBrandsEnterasys ManualsComputer equipmentAPS-3000

441

442

443

444

445

446

447

448

449

450

20-10 policy Commands

Usage

Ifthespecifiedrulepositionalreadycontainsafilterrule,specifyingaruleusingthiscommand

insertsaruleinthespecifiedpositioninthelistandresequencesallrulesbelowthisfilterdownby

oneposition.Usethecreatecommandtoinsertorappend aruleatthespecifiedposition.



Ifadvancedfiltermodehasbeenenabledwiththeenable‐advance‐filteringcommand(page20‐3),

theAdvancedmodesyntaxispresented.Ifadvancedfiltermodeisnotenabled,theBasicmode

syntaxispresented.

Examples

Thefollowingexampleshowsthedefaultfilterrulesappliedtoapolicy.

EWC.enterasys.com:policy# create p6

EWC.enterasys.com:policy# show p6 acfilter

Enable AP filtering: disable

filter 1 (default) proto none 0.0.0.0 all_ports in dst out none allow

filter 2 (default) proto none 0.0.0.0 all_ports in none out src allow

Thefollowingexamplecreatesa(basicmode)filterrule1thatallowsUDPtrafficinboth

directionsfromIPaddress192.168.10.0/24forports10through2000:

EWC.enterasys.com:policy:Auth:acfilters# create 1 proto udp 192.168.10.0/24 port

10 2000 in dst out src allow

EWC.enterasys.com:policy:Auth:acfilters# apply

EWC.enterasys.com:policy:Auth:acfilters# show

Enable AP filtering: disable

filter 1 proto udp 192.168.10.0 255.255.255.0 port 10 2000 in dst out src allow

filter 2 (default) proto none 0.0.0.0 all_ports in dst out none allow

filter 3 (default) proto none 0.0.0.0 all_ports in none out src allow

Thefollowingexamplecreatesafilter rule1thatisinsertedintotherulelistatposition1

resequencingthecurrentrule1.ThisfilterruleallowsTCPtrafficinbothdirectionsfromIP

address192.168.0.0/16forports10through20000:

EWC.enterasys.com:policy:Auth:acfilters# create 1 proto tcp 192.168.0.0/16 port

10 2000 in dst out src allow

EWC.enterasys.com:policy:Auth:acfilters# show

Enable AP filtering: disable

Basic:out(none|src)

Advanced:

out(none|src|dst|both)

Specifiesthedirectionofpacketflow.—outspecifiesapacketflow

fromtheACtotheAP.

nonespecifiesthattheoutdirectiondoesnotapplytothefilterrule.

dstspecifiesthattheIPaddressforthisfilterruleisthedestinationof

thepacket

flow.

srcspecifiesthattheIPaddressforthisfilterruleisthesourceofthe

packetflow.

bothspecifiesthattheIPaddressforthisfilterrulecanbeeither

sourceordestination.

allow|deny Specifieswhetherpacketswillbeallowedordeniedwhenmeetingthe

criteriaspecifiedin

thefilterrule.