Extreme Networks Summit 300-48 User Manual

Page 113

Using Access Control Lists

Summit 300-48 Switch Software User Guide

Table 39: Access Control List Configuration Commands

Command:

create access-list <name>
  access-mask <access-mask name>
  {dest-mac <dest_mac>}
  {source-mac <src_mac>}
  {vlan <name>}
  {ethertype [IP | ARP | <hex_value>]}
  {tos <ip_precedence> | code-point <code_point>}
  {ipprotocol [tcp|udp|icmp|igmp|<protocol_num>]}
  {dest-ip <dest_IP>/<mask length>}
  {dest-L4port <dest_port>}
  {source-ip <src_IP>/<mask length>}
  {source-L4port <src_port> | {icmp-type <icmp_type>} {icmp-code <icmp_code>}}
  {egressport <port>}
  {ports <portlist>}
  [permit {qosprofile <qosprofile>} {set code-point <code_point>} {set dot1p <dot1p_value>}
  | permit-established
  | deny]

Description:

Creates an access list. The list is applied to all ingress packets. Options include:

<name> — Specifies the access control list name. The access list name can be between 1 and 31 characters.

access-mask — Specifies the associated access mask. Any field specified in the access mask must have a corresponding value specified in the access list.

dest-mac — Specifies the destination MAC address.

source-mac — Specifies the source MAC address.

vlan — Specifies the VLAN ID.

ethertype — Specifies IP, ARP, or the hex value to match.

tos — Specifies the IP precedence value.

code-point — Specifies the DiffServ code point value.

ipprotocol — Specifies an IP protocol, or the protocol number.

dest-ip — Specifies an IP destination address and subnet mask. A mask length of 32 indicates a host entry.

dest-L4port — Specifies the destination port.

source-ip — Specifies an IP source address and subnet mask.

source-L4port — Specifies the source port.

icmp-type — Specifies the ICMP type.

icmp-code — Specifies the ICMP code.

egressport — Specifies the egress port.

ports — Specifies the ingress port(s) on which this rule is applied.

permit — Specifies that the packets that match the access list description are permitted to be forwarded by this switch. An optional QoS profile can be assigned to the access list, so that the switch can prioritize packets accordingly.

set — Modifies the DiffServ code point and/or the 802.1p value for matching packets.

permit-established — Specifies that a uni-directional session establishment is denied.

deny — Specifies that the packets that match the access list description are filtered (dropped) by the switch.
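A checker for two constraints stated in the table (a name of 1 to 31 characters, and a value in the access list for every field in the access mask), plus the <IP>/<mask length> form of dest-ip and source-ip. This is an added example, not part of the user guide: the mask field set, rule names, addresses and port values are constructed, and the parser assumes the action keyword ends the match fields as in the syntax above.

```python
import ipaddress

# Match keywords from Table 39; each takes exactly one value.
MATCH_FIELDS = {"dest-mac", "source-mac", "vlan", "ethertype", "tos", "code-point",
                "ipprotocol", "dest-ip", "dest-L4port", "source-ip", "source-L4port",
                "icmp-type", "icmp-code", "egressport", "ports"}
ACTIONS = {"permit", "permit-established", "deny"}

def parse_access_list(line):
    """Split one 'create access-list' command into name, mask, fields, action."""
    tok = line.split()
    if len(tok) < 5 or tok[:2] != ["create", "access-list"] or tok[3] != "access-mask":
        raise ValueError("not a create access-list command")
    rule = {"name": tok[2], "mask": tok[4], "fields": {}, "action": None}
    i = 5
    while i < len(tok):
        if tok[i] in ACTIONS:  # the action ends the match fields
            rule["action"] = tok[i]
            break
        if tok[i] not in MATCH_FIELDS or i + 1 >= len(tok):
            raise ValueError(f"unexpected token {tok[i]!r}")
        rule["fields"][tok[i]] = tok[i + 1]
        i += 2
    return rule

def check_rule(line, mask_fields):
    """Return findings for one rule; mask_fields is the set of fields in its mask."""
    rule = parse_access_list(line)
    findings = []
    if not 1 <= len(rule["name"]) <= 31:
        findings.append("name must be 1 to 31 characters")
    for field in sorted(mask_fields - set(rule["fields"])):
        findings.append(f"mask field {field} has no value in the access list")
    for field in sorted({"dest-ip", "source-ip"} & set(rule["fields"])):
        value = rule["fields"][field]
        try:
            if "/" not in value:  # the syntax requires an explicit mask length
                raise ValueError(value)
            ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(f"{field} must be <IP>/<mask length>, got {value}")
    if rule["action"] is None:
        findings.append("no permit, permit-established or deny action")
    return findings

# Constructed input: a hypothetical mask "tcp_dst" assumed to hold these four fields.
MASK = {"ipprotocol", "dest-ip", "dest-L4port", "ports"}
GOOD = "create access-list deny_telnet access-mask tcp_dst ipprotocol tcp dest-ip 10.1.1.10/32 dest-L4port 23 ports 5 deny"
BAD = "create access-list deny_telnet access-mask tcp_dst ipprotocol tcp dest-ip 10.1.1.10 ports 5 deny"
```

Running `check_rule(BAD, MASK)` reports the missing dest-L4port value and the dest-ip entry without a mask length; `check_rule(GOOD, MASK)` returns an empty list.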
