Cuda 12000 IP Access Switch CLI-based Administration Guide
Packet Filtering Considerations and Example 341
With the added permit any rule, only packets from 172.16.19.20 are
rejected; all others pass. This is because once the permit any condition is
met, no further lines in the access list are read.
Match Sequence
The sequence in which an inbound or outbound packet is matched against
the filter criteria of an interface is determined by the following:
■ Rule number within access list — Lower rule numbers take
precedence over higher rule numbers. This means that within an access
list, the rule with the lower number is examined first.
■ Priority of access list within the access class — When you apply an
access list to an interface, access lists assigned lower priorities take
precedence over lists assigned higher priorities. This means that within an
access class, the access list with the lower priority number is examined first.
Sample Access List
The following example configures cable interface 1/1/1 to permit all IP traffic
except Telnet (TCP 23):
cli:172.16.19.10:interface:cable:csi(1/1/1)# access-list 1 deny 1 tcp any eq 23 any any
cli:172.16.19.10:interface:cable:csi(1/1/1)# access-list 1 permit 2 ip any any
cli:172.16.19.10:interface:cable:csi(1/1/1)# show access-list 1
Ac Rule Prot IP Source       Mask Source     Start End   Estab TOS ChTOS
             IP Dest         Mask Dest       Port  Port  Sync  Msk
-- ---- ---- --------------- --------------- ----- ----- ----- --- ------
DE 1    tcp  0.0.0.0         255.255.255.255 23    23    False 0   0
             0.0.0.0         255.255.255.255 0     65535 False 0
.. .... .... ............... ............... ..... ..... ..... ... ......
PE 2    ip   0.0.0.0         255.255.255.255             False 0   0
             0.0.0.0         255.255.255.255             False 0
.. .... .... ............... ............... ..... ..... ..... ... ......
row count: 2
cli:172.16.19.10:interface:cable:csi(1/1/1)# access-class 1 in priority 1
cli:172.16.19.10:interface:cable:csi(1/1/1)# show access-class
Access List      Priority Row
List   Direction          Status
Number
------ --------- -------- ------
1      in        1        1
row count: 1
cli:172.16.19.10:interface:cable:csi(1/1/1)#
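
The match sequence described above, modeled in Python against the sample access list. This is an added example, not part of the guide and not Cuda 12000 code. Access list 2, the packet addresses, the first-match reading across lists, and the None result when no rule matches are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ANY_PORTS = (0, 65535)

@dataclass(frozen=True)
class Rule:
    number: int                          # rule number within its access list
    action: str                          # "permit" or "deny"
    proto: str                           # "ip" matches every protocol
    src: Optional[str] = None            # None = any source address
    sport: Tuple[int, int] = ANY_PORTS   # source port range (start, end)

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and self.src in (None, pkt["src"])
                and self.sport[0] <= pkt.get("sport", 0) <= self.sport[1])

def evaluate(access_class, pkt):
    """access_class: iterable of (priority, list_number, rules).
    Returns (action, list_number, rule_number) of the first match, else None."""
    # Lower priority number first, then lower rule number within each list.
    for _prio, list_no, rules in sorted(access_class, key=lambda e: e[0]):
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return rule.action, list_no, rule.number  # later rules are not read
    return None  # assumption: the page does not state what happens on no match

# Access list 1 as shown by "show access-list 1", deliberately entered out of order.
LIST_1 = [Rule(2, "permit", "ip"), Rule(1, "deny", "tcp", sport=(23, 23))]
# Constructed (hypothetical) access list 2: reject a single host.
LIST_2 = [Rule(1, "deny", "ip", src="172.16.19.20")]

# Constructed sample packets.
telnet = {"proto": "tcp", "src": "10.0.0.5", "sport": 23}
web = {"proto": "tcp", "src": "10.0.0.5", "sport": 40000}
host = {"proto": "udp", "src": "172.16.19.20", "sport": 5000}

def demo():
    shadowed = [(1, 1, LIST_1), (2, 2, LIST_2)]  # list 1 is examined first
    fixed = [(2, 1, LIST_1), (1, 2, LIST_2)]     # list 2 is examined first
    return {"telnet": evaluate(shadowed, telnet),
            "web": evaluate(shadowed, web),
            "host_shadowed": evaluate(shadowed, host),
            "host_fixed": evaluate(fixed, host)}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

In the shadowed ordering, the permit ip any any rule in list 1 matches the 172.16.19.20 packet before list 2 is ever read, so the host-specific deny only takes effect once list 2 is given the lower priority number.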