Support User Manuals

AMX NXA-ENET24 Switch User Manual

Open as PDF

of 304

CLI (Command Line Interface)

212

NXA-ENET24 - Software Management Guide

IP ACL Commands (Cont.)

Command Function

permit, deny

(Extended ACL - Cont.)

Command Usage: All new rules are appended to the end of the list.

Address bitmasks are similar to a subnet mask, containing four integers

from 0 to 255, each separated by a period. The binary mask uses 1 bits to

indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise

ANDed with the specified source IP address, and then compared with the

address for each IP packet entering the port(s) to which this ACL has been

assigned.

You can specify both Precedence and ToS in the same rule. However, if

DSCP is used, then neither Precedence nor ToS can be specified.

The control-code bitmask is a decimal number (representing an equivalent

bit mask) that is applied to the control code. Enter a decimal number,

where the equivalent binary bit “1” means to match a bit and “0” means to

ignore a bit. The following bits may be specified:

• 1 (fin) – Finish

• 2 (syn) – Synchronize

•4 (rst) – Reset

•8 (psh) – Push

• 16 (ack) – Acknowledgement

• 32 (urg) – Urgent pointer

For example, use the code value and mask below to catch packets with the

following flags set:

• SYN flag valid, use “control-code 2 2”

• Both SYN and ACK valid, use “control-code 18 18”

• SYN valid and ACK invalid, use “control-code 2 18”

Example:

This example accepts any incoming packets if the source address is within

subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0

& 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0),

the packet passes through:

Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any

Console(config-ext-acl)#

Example:

This allows TCP packets from class C addresses 192.168.1.0 to any desti-

nation address when set for destination TCP port 80 (i.e., HTTP):

Console(config-ext-acl)#permit 192.168.1.0 255.255.255.0 any

destination-port 80

Console(config-ext-acl)#

Example:

This permits all TCP packets from class C addresses 192.168.1.0 with the

TCP control code set to “SYN:

Console(config-ext-acl)#permit tcp 192.168.1.0 255.255.255.0

any control-flag 2 2

Console(config-ext-acl)#

previous next