Cisco 10000 User Manual

Page 488

Advertising
background image

22-4

Cisco 10000 Series Router Software Configuration Guide

OL-2226-23

Chapter 22 Configuring Template ACLs

Configuration Tasks for Template ACLs

dstip
<dest_ipaddr\subnet_mask>

Enables destination-IP-address filtering. Applies to packets
whose destination address matches the value of <dest_ipaddr>.
If a subnet mask portion of the address is present, the router
compares only the masked bits. If you set <dest_ipaddr> to
0.0.0.0, or if this keyword is not present, the filter matches all IP
packets.

srcp<src_ipaddr\subnet_mask>

Enables source-IP-address filtering. Applies to packets whose
source address matches the value of <src_ipaddr>. If a subnet
mask portion of the address is present, the router compares only
the masked bits. If you set <src_ipaddr> to 0.0.0.0, or if this
keyword is not present, the filter matches all IP packets.

<proto>

Specifies a protocol specified as a name or a number. Applies to
packets whose protocol field matches this value. Possible names
and numbers are icmp (1), tcp (6), udp (17), and ospf (89). If you
set this value to zero (0), the filter matches any protocol.

dstport <cmp> <value>

Enables destination-port filtering. This keyword is valid only
when <proto> is set to tcp (6) or udp (17). If you do not specify
a destination port, the filter matches any port.

<cmp> defines how to compare the specified <value> to the
actual destination port. This value can be <, =, >, or !.

<value> can be a name or a number. Possible names and numbers
are ftp-data (20), ftp (21), telnet (23), nameserver (42), domain
(53), tftp (69), gopher (70), finger (79), www (80), kerberos
(88), hostname (101), nntp (119), ntp (123), exec (512), login
(513), cmd (514), and talk (517).

srcportcmp <cmp> <value>

Enables source-port filtering. This keyword is valid only when
<proto> is set to tcp (6) or udp (17). If you do not specify a
source port, the filter matches any port.

<cmp> defines how to compare the specified <value> to the
actual destination port. This value can be <, =, >, or !.

<value> can be a name or a number. Possible names and numbers
are ftp-data (20), ftp (21), telnet (23), nameserver (42), domain
(53), tftp (69), gopher (70), finger (79), www (80), kerberos
(88), hostname (101), nntp (119), ntp (123), exec (512), login
(513), cmd (514), and talk (517).

<est>

When set to 1, specifies that the filter matches a packet only if a
TCP session is already established. This argument is valid only
when <proto> is set to tcp (6).

Table 22-1

IP Data Filter Syntax Elements (continued)

Element

Description

Advertising
Popular Brands
Popular manuals