16-4 ExtremeWare Software User Guide
Access Policies
The access-list example, below, performs packet filtering in the following sequence, as
determined by the precedence number (the entry with the lowest precedence number is
evaluated first, and the first entry that matches a packet decides its fate):
• Deny UDP port 32 and TCP port 23 traffic to the 10.2.x.x network.
• All other TCP port 23 traffic destined for other 10.x.x.x networks is permitted using
QoS profile Qp4.
• All remaining traffic to 10.2.0.0 uses QoS profile Qp3.
With no default rule specified, all remaining traffic is allowed using the default QoS
profile. Note that the two deny entries match only the named ports, so this list is a
default-permit policy: any traffic it does not explicitly describe is forwarded.
create access-list deny102_32 udp dest 10.2.0.0/16 ip-port 32 source any ip-port any deny ports any precedence 10
create access-list deny102_23 tcp dest 10.2.0.0/16 ip-port 23 source any ip-port any deny ports any precedence 20
create access-list allow10_23 tcp dest 10.0.0.0/8 ip-port 23 source any ip-port any permit qosprofile qp4 ports any precedence 30
create access-list allow102 ip dest 10.2.0.0/16 source 0.0.0.0/0 permit qosprofile qp3 ports any precedence 40
The permit-established Keyword
The permit-established keyword is used to directionally control attempts to open a
TCP session. An entry that uses it matches only the packets of a session that is already
open, so session initiation in the direction the entry covers can be explicitly blocked
while the replies belonging to sessions opened from the other direction still pass.
For an example of using the permit-established keyword, refer to Using the
Permit-Established Keyword, on page 16-11.
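The following is an added example, not code from the ExtremeWare guide, that models how the four entries above are evaluated and how a permit-established entry changes the outcome for a session-opening packet. Its assumptions are stated in the module docstring and comments: lowest precedence number first and first match wins, an unnumbered entry is tried last, an unmatched packet is permitted with the default QoS profile when no default rule exists, and permit-established matches only TCP packets carrying ACK or RST. The est_in/deny_in entries and all sample packets are constructed for the demonstration.

```python
"""Evaluation model for ExtremeWare access-list entries (added example, not
from the guide). Assumptions: entries are tried from the lowest precedence
number upwards and the first match wins; an entry with no precedence is tried
last; with no default rule an unmatched packet is permitted with the default
QoS profile; permit-established matches only TCP packets carrying ACK or RST,
so a bare SYN (session initiation) never matches it."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Grammar of the `create access-list` lines as written on this page.
ENTRY_RE = re.compile(
    r"create access-list (?P<name>\S+) (?P<proto>tcp|udp|ip|icmp) "
    r"dest (?P<dest>\S+)(?: ip-port (?P<dport>\S+))? "
    r"source (?P<src>\S+)(?: ip-port (?P<sport>\S+))? "
    r"(?P<action>permit-established|permit|deny)"
    r"(?: qosprofile (?P<qos>\S+))?(?: ports (?P<ports>\S+))?"
    r"(?: precedence (?P<prec>\d+))?"
)

@dataclass
class Entry:
    name: str
    proto: str                              # tcp, udp, icmp, or ip (any IP protocol)
    dest: Optional[ipaddress.IPv4Network]   # None means "any"
    dport: Optional[int]
    src: Optional[ipaddress.IPv4Network]
    sport: Optional[int]
    action: str                             # permit, deny, permit-established
    qos: Optional[str]
    precedence: int

def _net(tok):
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _port(tok):
    return None if tok in (None, "any") else int(tok)

def parse_config(text):
    """Parse create access-list lines and return them in evaluation order."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.fullmatch(line.strip())
        if not m:
            raise ValueError("unrecognised entry: " + line)
        g = m.groupdict()
        entries.append(Entry(
            g["name"], g["proto"], _net(g["dest"]), _port(g["dport"]),
            _net(g["src"]), _port(g["sport"]), g["action"], g["qos"],
            int(g["prec"]) if g["prec"] else 1 << 31,  # unnumbered: last (assumption)
        ))
    return sorted(entries, key=lambda e: e.precedence)

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN", "ACK"}

def matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.dest is not None and ipaddress.ip_address(p.dst) not in e.dest:
        return False
    if e.src is not None and ipaddress.ip_address(p.src) not in e.src:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    if e.sport is not None and e.sport != p.sport:
        return False
    # permit-established: only packets of an already-open session (assumption:
    # ACK or RST set); a SYN that tries to open a session falls through.
    if e.action == "permit-established" and not (p.flags & {"ACK", "RST"}):
        return False
    return True

def evaluate(entries, p):
    """Return (action, qosprofile, entry name) from the first matching entry."""
    for e in entries:
        if matches(e, p):
            if e.action == "deny":
                return ("deny", None, e.name)
            return ("permit", e.qos or "default", e.name)
    return ("permit", "default", None)  # no default rule: permit, default QoS

# The four entries from this page.
GUIDE_CONFIG = """
create access-list deny102_32 udp dest 10.2.0.0/16 ip-port 32 source any ip-port any deny ports any precedence 10
create access-list deny102_23 tcp dest 10.2.0.0/16 ip-port 23 source any ip-port any deny ports any precedence 20
create access-list allow10_23 tcp dest 10.0.0.0/8 ip-port 23 source any ip-port any permit qosprofile qp4 ports any precedence 30
create access-list allow102 ip dest 10.2.0.0/16 source 0.0.0.0/0 permit qosprofile qp3 ports any precedence 40
"""

# Constructed for this example (not from the guide): admit established TCP
# sessions into 10.2/16 but deny attempts to open new ones from outside.
ESTABLISHED_CONFIG = """
create access-list est_in tcp dest 10.2.0.0/16 ip-port any source any ip-port any permit-established ports any precedence 10
create access-list deny_in tcp dest 10.2.0.0/16 ip-port any source any ip-port any deny ports any precedence 20
"""

if __name__ == "__main__":
    rules = parse_config(GUIDE_CONFIG)
    for pkt in (Packet("udp", "192.0.2.9", "10.2.1.5", 40000, 32),
                Packet("udp", "192.0.2.9", "10.2.1.5", 40000, 33),
                Packet("tcp", "192.0.2.9", "192.168.1.1", 40000, 23)):
        print(pkt.proto, pkt.dst, pkt.dport, "->", evaluate(rules, pkt))
```

Running it shows the point of the caveat above: UDP to 10.2.1.5 port 32 is denied by deny102_32, but UDP to port 33 on the same host falls through to allow102 and is permitted with qp3, and TCP port 23 to a host outside 10.0.0.0/8 matches nothing and is permitted with the default profile. With ESTABLISHED_CONFIG, a bare SYN into 10.2/16 is denied by deny_in while a SYN/ACK reply to a session opened from inside is admitted by est_in.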
Adding and Deleting Access List Entries
Entries may be added to and deleted from the access list. To add an entry, you must supply a
unique name and, optionally, a unique precedence number. An existing entry cannot be
edited in place: to modify it, delete the entry and retype it, or create a new entry with a
new unique name. Between the delete and the re-create the entry is not in effect, so
traffic it matched is evaluated against the remaining entries (and the default) during
that window.
To delete an access list entry, use the command:
delete access-list <name>