18 deny – CANOGA PERKINS 9175 Command Reference User Manual


CanogaOS Command Reference

33-12

33.18 deny

Use this command to create a filter in an IP ACL that discards the IP packets it matches.

Command Syntax

[<1-2147483646>] deny {<0-255> | any} {source source-mask | any | host source} {destination destination-mask | any | host destination} [ip-precedence precedence | dscp dscp] [fragments] [routed-packet] [options] [time-range time-range-name] [stats]

<1-2147483646>: the sequence number of the filter in the IP ACL. An auto-generated sequence number is assigned to the filter if this field is not present.
<0-255>: an IP protocol number
any: any IP protocol
source source-mask: the source IP address and its wildcard bits
any: any source host
host source: the source IP address of a single host
destination destination-mask: the destination IP address and its wildcard bits
any: any destination host
host destination: the destination IP address of a single host
ip-precedence precedence: match packets with the given IP precedence value
dscp dscp: match packets with the given DSCP value
fragments: match only non-initial fragments
routed-packet: match routed packets
options: match packets carrying IP options
time-range time-range-name: the time range during which the IP filter is active
stats: enable statistics for this filter if this keyword is present

Command Mode

IP ACL configuration

Usage

If wildcard bits are given with an IP address, a 0 wildcard bit means the corresponding address bit must match and a 1 bit means it is ignored; that is, the packet address and the configured address are compared after both are ANDed with the inverted wildcard bits. For example, 10.10.10.0 0.0.0.255 matches the addresses 10.10.10.0 through 10.10.10.255.

An auto-generated sequence number is assigned to the filter if the sequence-number field is not present. The auto-generated sequence number is the maximum existing sequence number in the IP ACL plus 10; for example, when the maximum existing sequence number is 100, the next created IP filter receives sequence number 110.
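The wildcard-bit matching and sequence-number rules above, modelled in Python as an added example; this is not CanogaOS code and the switch exposes no such API. It parses the three CLI address forms (any, host A, A wildcard), evaluates the filters of one ACL, and allocates sequence numbers as the manual describes. Assumptions not stated on this page and labelled in the code: filters are evaluated in ascending sequence order with the first match winning, an empty ACL starts at 10, a filter without the fragments keyword matches regardless of fragment status, and a duplicate sequence number is rejected.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "any" is the base address 0.0.0.0 with every wildcard bit set (all bits ignored).
ANY = ("0.0.0.0", "255.255.255.255")


def parse_addr(spec: str) -> Tuple[str, str]:
    """Turn the CLI address forms into (base, wildcard).

    'any'      -> every bit ignored
    'host A'   -> A with wildcard 0.0.0.0 (every bit must match)
    'A W'      -> A with wildcard W
    """
    parts = spec.split()
    if parts == ["any"]:
        return ANY
    if len(parts) == 2 and parts[0] == "host":
        return (parts[1], "0.0.0.0")
    if len(parts) == 2:
        return (parts[0], parts[1])
    raise ValueError(f"bad address spec: {spec!r}")


def ip_matches(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard match: a 0 wildcard bit must match, a 1 bit is ignored,
    i.e. (addr AND NOT wildcard) == (base AND NOT wildcard)."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # the bits that must agree
    return (a & care) == (b & care)


@dataclass(frozen=True)
class DenyFilter:
    seq: int
    proto: Optional[int]  # None means "any" IP protocol
    src: Tuple[str, str]
    dst: Tuple[str, str]
    fragments: bool = False  # True: match only non-initial fragments

    def matches(self, proto: int, src: str, dst: str, non_initial_fragment: bool) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        # Assumption: without the fragments keyword the filter matches
        # whether or not the packet is a fragment.
        if self.fragments and not non_initial_fragment:
            return False
        return ip_matches(src, *self.src) and ip_matches(dst, *self.dst)


class IPAcl:
    """One IP ACL holding deny filters keyed by sequence number."""

    def __init__(self) -> None:
        self.filters: List[DenyFilter] = []

    def next_seq(self) -> int:
        # Manual's rule: maximum existing sequence number plus 10.
        # Assumption: an empty ACL starts at 10.
        return max((f.seq for f in self.filters), default=0) + 10

    def deny(self, proto, src: str, dst: str, seq: Optional[int] = None,
             fragments: bool = False) -> int:
        """Equivalent of '[seq] deny proto src dst [fragments]'; returns the sequence used."""
        if seq is None:
            seq = self.next_seq()
        if not 1 <= seq <= 2147483646:
            raise ValueError("sequence number out of range 1-2147483646")
        if any(f.seq == seq for f in self.filters):
            raise ValueError(f"sequence {seq} already in use")  # assumption
        p = None if proto == "any" else int(proto)
        self.filters.append(DenyFilter(seq, p, parse_addr(src), parse_addr(dst), fragments))
        # Assumption: filters are evaluated in ascending sequence order.
        self.filters.sort(key=lambda f: f.seq)
        return seq

    def first_deny(self, proto: int, src: str, dst: str,
                   non_initial_fragment: bool = False) -> Optional[int]:
        """Sequence number of the first matching deny filter, or None if no filter matches."""
        for f in self.filters:
            if f.matches(proto, src, dst, non_initial_fragment):
                return f.seq
        return None
```

The packets and filters used to exercise this (a UDP packet from 1.1.1.1 as an initial and as a non-initial fragment, TCP from inside and outside 10.10.10.0 0.0.0.255) are constructed for the example; the point to notice is that a host-only filter carrying fragments lets the first fragment through and that an auto-allocated sequence lands 10 above the highest existing one, not 10 above the last one typed.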

Examples

This example shows how to create a filter in an IP ACL that denies all IP packets.

Switch(config-ip-acl)#1 deny any any any

This example shows how to create a filter in an IP ACL that denies non-initial fragments with the source IP address 1.1.1.1.

Switch(config-ip-acl)#2 deny any host 1.1.1.1 any fragments

This example shows how to create a filter in an IP ACL that denies all routed packets.

Switch(config-ip-acl)#3 deny any any any routed-packet
