Match sequence, Sample access list – ADC CUDA 3 User Manual


Cuda 12000 IP Access Switch CLI-based Administration Guide

Packet Filtering Considerations and Example


With the added permit any rule, only packets from 172.16.19.20 are
rejected; all others pass. This is because once the permit any condition is
met, no further lines in the access list are read.

Match Sequence

The sequence in which an inbound or outbound packet is matched against
the filter criteria of an interface is determined by the following:

Rule number within access list — Lower rule numbers take
precedence over higher rule numbers. This means that within an access
list, the rule with the lower number is examined first.

Priority of access-list within the access class — When you apply an
access-list to an interface, access lists assigned lower priorities take
precedence over lists assigned higher priorities. This means that within an
access class, the access list with the lower priority number is examined first.

Sample Access List

The following example configures cable interface 1/1/1 to permit all IP traffic
except Telnet (TCP 23):

cli:172.16.19.10:interface:cable:csi(1/1/1)# access-list 1 deny 1 tcp any eq 23 any any

cli:172.16.19.10:interface:cable:csi(1/1/1)# access-list 1 permit 2 ip any any

cli:172.16.19.10:interface:cable:csi(1/1/1)# show access-list 1

Ac Rule Prot IP Source       Mask Source     Start End   Estab TOS ChTOS
             IP Dest         Mask Dest       Port  Port  Sync      Msk
-- ---- ---- --------------- --------------- ----- ----- ----- --- ------
DE 1    tcp  0.0.0.0         255.255.255.255 23    23    False 0   0
             0.0.0.0         255.255.255.255 0     65535 False 0
.. .... .... ............... ............... ..... ..... ..... ... ......
PE 2    ip   0.0.0.0         255.255.255.255             False 0   0
             0.0.0.0         255.255.255.255             False 0
.. .... .... ............... ............... ..... ..... ..... ... ......

row count: 2

cli:172.16.19.10:interface:cable:csi(1/1/1)# access-class 1 in priority 1

cli:172.16.19.10:interface:cable:csi(1/1/1)# show access-class

Access Direction Priority Row
List                      Status
Number
------ --------- -------- ------
1      in        1        1

row count: 1

cli:172.16.19.10:interface:cable:csi(1/1/1)#
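The following Python model is an added example, not code from the Cuda 12000 guide or from ADC: it implements the first-match evaluation order described under Match Sequence (lower rule numbers first within an access list, lower priority numbers first within an access class) and replays the sample access list above against constructed packets. It also shows the ordering pitfall from the top of this page, where a permit any rule placed before a deny rule lets the traffic through. Two details are assumptions the page does not state: the 255.255.255.255 masks in the show output are treated as wildcard masks (set bits mean "don't care", so 0.0.0.0/255.255.255.255 is "any"), and a packet that matches no rule in any list returns None rather than an implied permit or deny.

```python
# Added example: a small model of access-list and access-class matching order.
# Assumptions (not from the page): masks are wildcard masks (1 bits = don't care);
# a packet matching no rule yields None (the device's default is not stated here).
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def addr_in(addr: str, base: str, wildcard: str) -> bool:
    """True if addr falls in base/wildcard; bits set in wildcard are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


@dataclass
class Rule:
    number: int                 # rule number within the access list
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol; else "tcp", "udp", ...
    src: str = "0.0.0.0"
    src_mask: str = "255.255.255.255"
    src_ports: Tuple[int, int] = (0, 65535)
    dst: str = "0.0.0.0"
    dst_mask: str = "255.255.255.255"
    dst_ports: Tuple[int, int] = (0, 65535)

    def matches(self, pkt: Dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        return (addr_in(pkt["src"], self.src, self.src_mask)
                and addr_in(pkt["dst"], self.dst, self.dst_mask)
                and self.src_ports[0] <= pkt["sport"] <= self.src_ports[1]
                and self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1])


@dataclass
class AccessList:
    number: int
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Dict) -> Optional[str]:
        # Lower rule numbers are examined first; the first match ends evaluation.
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action
        return None


@dataclass
class AccessClass:
    # (priority, access list) pairs applied to one interface in one direction
    entries: List[Tuple[int, AccessList]] = field(default_factory=list)

    def evaluate(self, pkt: Dict) -> Optional[str]:
        # Lower priority numbers are examined first; first list with a match wins.
        for _, acl in sorted(self.entries, key=lambda e: e[0]):
            verdict = acl.evaluate(pkt)
            if verdict is not None:
                return verdict
        return None


def sample_access_list() -> AccessList:
    """The page's access list 1: deny TCP to port 23, then permit all IP."""
    return AccessList(1, [
        Rule(1, "deny", "tcp", dst_ports=(23, 23)),   # deny 1 tcp any eq 23 any any
        Rule(2, "permit", "ip"),                      # permit 2 ip any any
    ])


def misordered_access_list() -> AccessList:
    """Same two rules with the numbers swapped: permit any is read first."""
    return AccessList(1, [
        Rule(1, "permit", "ip"),
        Rule(2, "deny", "tcp", dst_ports=(23, 23)),
    ])


# Constructed sample packets (hypothetical addresses, not from the page).
TELNET = {"proto": "tcp", "src": "172.16.19.20", "sport": 40000,
          "dst": "10.0.0.5", "dport": 23}
HTTP = {"proto": "tcp", "src": "172.16.19.20", "sport": 40001,
        "dst": "10.0.0.5", "dport": 80}


def verdicts() -> Dict[str, Optional[str]]:
    """Replay the sample list, the misordered list, and a two-list access class."""
    good = AccessClass([(1, sample_access_list())])
    bad = AccessClass([(1, misordered_access_list())])
    # Two lists: priority 1 permits everything, priority 2 would deny Telnet,
    # but it is never consulted once the priority-1 list matches.
    two = AccessClass([(2, sample_access_list()), (1, AccessList(2, [Rule(1, "permit", "ip")]))])
    return {
        "sample_telnet": good.evaluate(TELNET),
        "sample_http": good.evaluate(HTTP),
        "misordered_telnet": bad.evaluate(TELNET),
        "two_lists_telnet": two.evaluate(TELNET),
    }


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name}: {verdict}")
```

Running the script prints deny for Telnet and permit for HTTP under the sample list, and permit for Telnet under both the misordered list and the two-list class, which is the practical check to make after applying an access class: confirm with show access-list and show access-class that the deny rule carries the lower rule number and that no lower-priority list permits the same traffic first.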
