Chapter 17 Access Policies (page 317)
Command:

create access-list <name> tcp
    destination [<dst_ipaddress>/<dst_mask> | any] ip-port [<dst_port> | range <dst_port_min> <dst_port_max> | any]
    source [<src_ipaddress>/<src_mask> | any] ip-port [<src_port> | range <src_port_min> <src_port_max> | any]
    [permit <qosprofile> | permit-established | deny]
    ports [<portlist> | any] {precedence <precedence_num>} {log}
Description:

Creates a named IP access list to look at TCP port numbers. The access list is applied to all ingress packets. Options include:

• <name>—Specifies the access list name. The access list name can be between 1 and 16 characters.
• tcp—Specifies an IP access list that looks at TCP port numbers.
• destination—Specifies an IP destination address and subnet mask. A mask length of 32 indicates a host entry. An IP address of 0.0.0.0 is a wildcard and matches all.
• source—Specifies an IP source address and subnet mask. An IP address of 0.0.0.0 is a wildcard and matches all.
• permit-established—Specifies that a uni-directional session establishment is allowed.
• permit—Specifies that the packets matching the access list description are permitted to be forwarded by this switch. An optional QoS profile can be assigned to the access list, to enable the switch to prioritize packets accordingly.
• range—Specifies the TCP or UDP port range.
• deny—Specifies that the packets matching the access list description are filtered (dropped) by the switch.
• precedence—Specifies the access list precedence number. The range is 1 to 25,600.
Table 17.1: Access List Configuration Commands (continued)
(Columns: Command, Description)
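The following is an added example, not code from the ExtremeWare manual or from the vendor: a small Python model that parses `create access-list <name> tcp ...` commands in the syntax shown above and evaluates constructed TCP packets against them, so the host-entry mask (/32), the 0.0.0.0 and `any` wildcards, port ranges, ingress port lists and precedence can be checked before rules are pushed to a switch. Several details are assumptions the page does not state and are labelled as such in the code: a lower precedence number is evaluated first and rules without a precedence come last; `permit-established` is modelled as permitting only packets that belong to a session already set up (a boolean on the packet); a `<portlist>` is written as comma-separated numbers and `a-b` ranges; packets matching no rule are permitted by default. The rule names, addresses and the QoS profile name `qp3` are constructed sample values.

```python
"""Added example (not from the ExtremeWare manual): a model of how
'create access-list <name> tcp ...' rules from Table 17.1 match ingress packets."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

Net = Optional[ipaddress.IPv4Network]   # None = wildcard ('any' or 0.0.0.0)
PortRange = Optional[Tuple[int, int]]   # None = any port


@dataclass
class Rule:
    name: str
    dst_net: Net
    dst_ports: PortRange
    src_net: Net
    src_ports: PortRange
    action: str                 # "permit", "permit-established" or "deny"
    qosprofile: Optional[str]
    ports: Optional[Set[int]]   # ingress switch ports; None = any
    precedence: Optional[int]   # ASSUMPTION: lower number is evaluated first
    log: bool


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress_port: int
    established: bool = False   # ASSUMPTION: True when the session already exists


def _expect(tokens, i, word):
    if i >= len(tokens) or tokens[i] != word:
        raise ValueError(f"expected '{word}' at token {i}")


def _parse_addr(token):
    """'any' and 0.0.0.0 are wildcards; a /32 mask is a single host entry."""
    if token == "any":
        return None
    net = ipaddress.IPv4Network(token, strict=False)
    return None if net.network_address == ipaddress.IPv4Address("0.0.0.0") else net


def _parse_ports(tokens, i):
    """Parse 'ip-port <port> | range <min> <max> | any'; return (range, next index)."""
    _expect(tokens, i, "ip-port")
    if tokens[i + 1] == "any":
        return None, i + 2
    if tokens[i + 1] == "range":
        lo, hi, i = int(tokens[i + 2]), int(tokens[i + 3]), i + 4
    else:
        lo = hi = int(tokens[i + 1])
        i += 2
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {lo}-{hi}")
    return (lo, hi), i


def _parse_portlist(token):
    """ASSUMPTION: <portlist> is comma-separated numbers and a-b ranges, e.g. '1-4,7'."""
    if token == "any":
        return None
    ports = set()
    for part in token.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line):
    """Parse one 'create access-list <name> tcp ...' command into a Rule."""
    t = line.split()
    if t[:2] != ["create", "access-list"] or len(t) < 4 or t[3] != "tcp":
        raise ValueError("only 'create access-list <name> tcp ...' is modelled")
    name = t[2]
    if not 1 <= len(name) <= 16:
        raise ValueError("access list name must be 1 to 16 characters")
    _expect(t, 4, "destination")
    dst_net = _parse_addr(t[5])
    dst_ports, i = _parse_ports(t, 6)
    _expect(t, i, "source")
    src_net = _parse_addr(t[i + 1])
    src_ports, i = _parse_ports(t, i + 2)
    action, qos = t[i], None
    if action not in ("permit", "permit-established", "deny"):
        raise ValueError(f"unknown action {action!r}")
    i += 1
    if action == "permit" and t[i] != "ports":   # optional QoS profile after 'permit'
        qos, i = t[i], i + 1
    _expect(t, i, "ports")
    ports = _parse_portlist(t[i + 1])
    i += 2
    precedence, log = None, False
    while i < len(t):                            # optional {precedence <n>} {log}
        if t[i] == "precedence":
            precedence, i = int(t[i + 1]), i + 2
            if not 1 <= precedence <= 25600:
                raise ValueError("precedence must be 1 to 25,600")
        elif t[i] == "log":
            log, i = True, i + 1
        else:
            raise ValueError(f"unexpected token {t[i]!r}")
    return Rule(name, dst_net, dst_ports, src_net, src_ports, action, qos, ports, precedence, log)


def matches(rule, pkt):
    """True when addresses, TCP ports and ingress port all fit the rule."""
    def in_net(net, addr):
        return net is None or ipaddress.IPv4Address(addr) in net

    def in_range(rng, port):
        return rng is None or rng[0] <= port <= rng[1]

    return (in_net(rule.dst_net, pkt.dst) and in_range(rule.dst_ports, pkt.dport)
            and in_net(rule.src_net, pkt.src) and in_range(rule.src_ports, pkt.sport)
            and (rule.ports is None or pkt.ingress_port in rule.ports))


def evaluate(rules, pkt, default="permit"):
    """First matching rule in precedence order decides; returns (action, rule name).
    ASSUMPTIONS: lower precedence first, unnumbered rules last, default permit."""
    ordered = sorted(rules, key=lambda r: (r.precedence is None, r.precedence or 0))
    for r in ordered:
        if not matches(r, pkt):
            continue
        if r.action == "permit-established":
            return ("permit" if pkt.established else "deny"), r.name
        return r.action, r.name
    return default, None


# Constructed sample rules; the names, addresses and QoS profile 'qp3' are made up.
SAMPLE_RULES = [parse_rule(cmd) for cmd in (
    "create access-list permit-intranet tcp destination 10.0.0.0/8 ip-port any "
    "source 0.0.0.0/0 ip-port any permit qp3 ports any precedence 20",
    "create access-list deny-telnet tcp destination 10.0.0.1/32 ip-port 23 "
    "source any ip-port any deny ports any precedence 10 log",
    "create access-list reply-only tcp destination 10.1.0.0/16 ip-port any "
    "source any ip-port range 1024 65535 permit-established ports 1-4,7 precedence 5",
)]

if __name__ == "__main__":
    # deny-telnet (precedence 10) is checked before permit-intranet (20), so this is denied.
    print(evaluate(SAMPLE_RULES, Packet("192.0.2.5", "10.0.0.1", 40000, 23, 1)))
```

Running the module shows the precedence interaction: the `/32` host entry in `deny-telnet` takes effect for 10.0.0.1 only, while the same Telnet packet to 10.0.0.2 falls through to `permit-intranet`. The sample list is deliberately given out of precedence order so that `evaluate` must sort it, which is the point a reviewer of a real configuration most often has to verify by hand.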