User guide
16-8 E
XTREME
W
ARE
S
OFTWARE
U
SER
G
UIDE
A
CCESS
P
OLICIES
create access-list <name> tcp destination
[<dst_ipaddress>/<dst_mask> | any] ip-port
[<dst_port> | range <dst_port_min>
<dst_port_max> | any] source
[<src_ipaddress>/<src_mask> | any] ip-port
[<src_port> | range <src_port_min>
<src_port_max> | any] [permit <qosprofile> |
permit-established | deny] ports [<portlist> |
any] {precedence <precedence_num>} {log}
Creates a named IP access list. The access list
is applied to all ingress packets. Options include:
■
<name> — Specifies the access list name.
The access list name can be between 1 and
16 characters.
■
tcp — Specifies that the rule applies to TCP
traffic.
■
destination — Specifies an IP destination
address and subnet mask. A mask length of
32 indicates a host entry.
■
source — Specifies an IP source address
and subnet mask.
■
permit-established — Specifies a
uni-directional session establishment is
allowed.
■
permit — Specifies the packets that match
the access list description are permitted to be
forward by this switch. An optional QoS profile
can be assigned to the access list, so that the
switch can prioritize packets accordingly.
■
range — Specifies the TCP or UDP port
range.
■
deny — Specifies the packets that match the
access list description are filtered (dropped)
by the switch.
■
ports — Specifies the ingress port(s) on
which this rule is applied.
■
precedence — Specifies the access list
precedence number. The range is 1 to
25,600.
■
log — Logs a message to the Syslog facility
for each packet that matches the access-list
description. The message details the
properties of the packet.
Table 16-1: Access List Configuration Commands (continued)
Command Description