access-list – Carrier Access Adit 3000 Series and Multi-Service Router (MSR) Card User Manual
Adit 3000 (Rel. 1.6) and MSR Card (Rel 2.0) CLI
4-5
Global Configuration Mode
Global Configuration Commands
access-list
Use the access-list command to configure the advanced filtering entries. To delete an access list, see the no
access-list command on page 4-37.
Syntax:
(config)# access-list rule {new|rule-name} apply {eth-lan|eth-wan|final|initial|ppp-wan} direction {in|out} operation {accept|accept-packet|drop|reject} time-range {always|schedule-name} src-host {address|address-range|any} dst-host {address|address-range|any} service service-id frag {enable|none} log {enable|none}
Field            Definition
new              Create a new Access list rule. Note: Do not use this new
                 option when using an Automated Provisioning System.
rule-name        Enter an existing rule name to apply this command to.
eth-lan          Ethernet LAN interface.
eth-wan          Ethernet WAN interface.
initial          Initial rules defined here will be applied first to the
                 interface.
final            Final rules defined here will be applied last to the
                 interface.
ppp-wan          PPP WAN interface.
in               Filter the incoming traffic only.
out              Filter the outgoing traffic only.
accept           Allow access to packets that match the criteria defined.
                 The data transfer session will be handled using Stateful
                 Packet Inspection (SPI), meaning that other packets
                 matching this rule will be automatically allowed access.
accept-list      Allow access to packets that match the criteria defined.
                 The data transfer session will not be handled using SPI,
                 meaning that other packets matching this rule will not be
                 automatically allowed access. This can be useful, for
                 example, when creating rules that follow broadcasting.
drop             Deny access to packets that match the source and
                 destination IP addresses and service ports defined above.
reject           Deny access to packets that match the criteria defined,
                 and send an ICMP error or a TCP reset to the originating
                 peer.
always           This rule will always take effect. Default.
schedule-name    Apply the defined schedule times to this rule.
src-host         The source address of packets sent or received from the
                 LAN computer. This entry is mandatory when denying a rule.
                 address - enter the source IP address
                 address-range - enter a range of source IP addresses
                 any - allow any IP address
dst-host         Destination address of packets sent/received from the
                 network object.
                 address - enter the destination IP address
                 address-range - enter a range of destination IP addresses
                 any - allow any IP address
service-id       Enter the service number to apply the rule to. Note:
                 Service ID numbers can be displayed with the show service
                 command, on page 3-61.
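As an added example (not part of the Adit manual or Carrier Access software), the following Python script parses rule lines written in the syntax above and flags what a firewall reviewer would want to look at: WAN-inbound accepts from any source, accept-packet rules that bypass SPI, and deny rules without logging. The two sample rules, their addresses and service ids are constructed placeholders, and the review checks are the author's own, not device behaviour.

```python
# Keyword grammar transcribed from the access-list syntax on this page.
KEYWORDS = ["apply", "direction", "operation", "time-range",
            "src-host", "dst-host", "service", "frag", "log"]
CHOICES = {
    "apply": {"eth-lan", "eth-wan", "final", "initial", "ppp-wan"},
    "direction": {"in", "out"},
    "operation": {"accept", "accept-packet", "drop", "reject"},
    "frag": {"enable", "none"},
    "log": {"enable", "none"},
}

def parse_rule(line):
    """Parse one 'access-list rule ...' line into a dict; raise ValueError if malformed."""
    tokens = line.split()
    if tokens[:2] != ["access-list", "rule"] or len(tokens) < 3:
        raise ValueError(f"not an access-list rule: {line}")
    rule = {"name": tokens[2]}          # 'new' or an existing rule-name
    rest = tokens[3:]
    if len(rest) % 2:
        raise ValueError(f"keyword without a value: {line}")
    for kw, val in zip(rest[::2], rest[1::2]):
        if kw not in KEYWORDS:
            raise ValueError(f"unknown keyword {kw!r}")
        if kw in CHOICES and val not in CHOICES[kw]:
            raise ValueError(f"{kw} must be one of {sorted(CHOICES[kw])}, got {val!r}")
        rule[kw] = val
    missing = [kw for kw in KEYWORDS if kw not in rule]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return rule

def review(rule):
    """Return the findings a reviewer would raise for one parsed rule (hypothetical checks)."""
    findings = []
    wan_in = rule["apply"] in ("eth-wan", "ppp-wan") and rule["direction"] == "in"
    if wan_in and rule["operation"].startswith("accept") and rule["src-host"] == "any":
        findings.append("accepts inbound WAN traffic from any source")
    if rule["operation"] == "accept-packet":
        findings.append("accept-packet skips SPI: return traffic needs its own rule")
    if rule["operation"] in ("drop", "reject") and rule["log"] != "enable":
        findings.append("denied traffic is not logged")
    return findings

# Constructed sample config; addresses and service ids are placeholders.
SAMPLE_CONFIG = """\
access-list rule web-in apply eth-wan direction in operation accept time-range always src-host any dst-host 192.0.2.10 service 1 frag none log none
access-list rule mgmt-in apply initial direction in operation drop time-range always src-host any dst-host 192.0.2.1 service 2 frag none log enable
"""

def audit(config_text):
    """Map each rule name to its findings, ignoring blank lines."""
    rules = (parse_rule(l) for l in config_text.splitlines() if l.strip())
    return {r["name"]: review(r) for r in rules}
```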