Specifications
21-22 topology Commands
Usage
If the specified exception filter position already contains an exception filter, the config command overwrites the existing exception filter. Use the create command to insert or append an exception filter at the specified position.

If advanced filter mode has been enabled with the enable-advance-filtering command (page 20-3), the Advanced mode syntax is presented. If advanced filter mode is not enabled, the Basic mode syntax is presented.
Examples
The following example modifies an existing filter.
EWC.enterasys.com:topology:r1:l3:exceptions# config 2 proto tcp 1.1.1.1/32 port 80 in dst allow
proto {udp|tcp|ah|esp|none|icmp|gre|<0-255>}
    Specifies the protocol for this filter rule by number or name. Valid number values are from 0–255. Valid name values are:
    • udp - UDP protocol
    • tcp - TCP protocol
    • ah - Authentication Header protocol
    • esp - Encapsulating Security Payload protocol
    • none - No protocols
    • icmp - ICMP protocol
    • gre - Generic Route Encapsulation protocol

A.B.C.D/<0-32>
    Specifies the IPv4 IP address and mask.

(port <0-65535> [<0-65535>])
    Specifies a TCP or UDP port or port range to which this filter rule will be applied. The first value specifies either the port or the start of a port range. The second value optionally specifies the end of a port range. This parameter is only valid when either TCP or UDP is the specified protocol. Valid port values are from 0–65535.

(type <0-255> [<0-255>])
    Specifies an ICMP type or range of ICMP types. This parameter is only valid when ICMP is the specified protocol. Valid values are from 0–255.

Basic: in (none|dst)
Advanced: in (none|src|dst|both)
    Specifies the direction of packet flow — in specifies a packet flow from the AP to the AC.
    none specifies that the in direction does not apply to the filter rule.
    dst specifies that the IP address for this filter rule is the destination of the packet flow.
    src specifies that the IP address for this filter rule is the source of the packet flow.
    both specifies that the IP address for this filter rule can be either source or destination.

(allow|deny)
    Specifies whether packets will be allowed or denied when meeting the criteria specified in the filter rule.
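
Because config overwrites whatever filter already sits at the given position, it helps to check a rule line before entering it. The following is an added example, not vendor code: a Python check of a config line against the parameter rules above. The names parse_filter and _take_range are hypothetical, the token order is taken from the example on this page, and the position is accepted as any non-negative integer because its valid range is not given here.

```python
import ipaddress

NAMED_PROTOS = {"udp", "tcp", "ah", "esp", "none", "icmp", "gre"}
DIRECTIONS = {"basic": {"none", "dst"}, "advanced": {"none", "src", "dst", "both"}}

def _take_range(tokens, i, top, what):
    """Read one or two integers in 0..top at tokens[i]; return ((lo, hi), next_i)."""
    vals = []
    while i < len(tokens) and tokens[i].isdigit() and len(vals) < 2:
        vals.append(int(tokens[i]))
        i += 1
    if not vals:
        raise ValueError(f"{what} needs a value")
    if any(v > top for v in vals) or vals[0] > vals[-1]:
        raise ValueError(f"{what} must be 0-{top} with start <= end: {vals}")
    return (vals[0], vals[-1]), i

def parse_filter(line, mode="basic"):
    """Validate one 'config' line; mode selects the Basic or Advanced direction set."""
    t = line.split()
    if len(t) < 6 or t[0] != "config" or not t[1].isdigit() or t[2] != "proto":
        raise ValueError("expected: config <position> proto <protocol> ...")
    proto = t[3]
    if proto not in NAMED_PROTOS and not (proto.isdigit() and int(proto) <= 255):
        raise ValueError(f"bad protocol: {proto}")
    mask = t[4].partition("/")[2]
    if not mask.isdigit():
        raise ValueError("address must be A.B.C.D/<0-32>")
    net = ipaddress.IPv4Interface(t[4])  # raises ValueError on a bad address or mask
    rule = {"position": int(t[1]), "proto": proto, "addr": str(net)}
    i = 5
    # Assumption: only the names tcp/udp/icmp unlock port/type; numeric protocols do not.
    if t[i] == "port":
        if proto not in ("tcp", "udp"):
            raise ValueError("port is only valid with tcp or udp")
        rule["port"], i = _take_range(t, i + 1, 65535, "port")
    elif t[i] == "type":
        if proto != "icmp":
            raise ValueError("type is only valid with icmp")
        rule["type"], i = _take_range(t, i + 1, 255, "type")
    rest = t[i:]
    if len(rest) != 3 or rest[0] != "in" or rest[1] not in DIRECTIONS[mode]:
        raise ValueError(f"expected: in ({'|'.join(sorted(DIRECTIONS[mode]))}) (allow|deny)")
    if rest[2] not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {rest[2]}")
    rule.update(direction=rest[1], action=rest[2])
    return rule
```

A line that passes in advanced mode but fails in basic mode (for example one using src) shows which syntax the controller will present for it.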