Enterasys Networks N Standalone (NSA) Series Switch User Manual


Security Configuration Command Set
Configuring Access Lists
14-166 Matrix NSA Series Configuration Guide
destination
    Specifies the network or host to which the packet will be sent. Valid options for expressing destination are:
      IP address (A.B.C.D)
      any - Any destination host
      host source - IP address of a single destination host

destination-wildcard
    (Optional) Specifies the bits to ignore in the destination address.

icmp-type
    (Optional) Filters ICMP frames by ICMP message type. The type is a number from 0 to 255.

icmp-code
    (Optional) Further filters ICMP frames filtered by ICMP message type by their ICMP message code. The code is a number from 0 to 255.

operator port
    (Optional) Applies access rules to TCP or UDP source or destination port numbers. Possible operands include:
      lt port - Match only packets with a lower port number.
      gt port - Match only packets with a greater port number.
      eq port - Match only packets on a given port number.
      neq port - Match only packets not on a given port number.
      range min-sport max-sport - Match only packets in the range of source ports.
      range min-dport max-dport - Match only packets in the range of destination ports.

tos-extensions
    (Optional) Applies access rules to the precedence and/or tos fields, or to the DiffServ field. That is, you can specify one or both precedence and tos fields, or you can specify the DiffServ field. Use the following keyword/value pairs to specify the tos-extensions:
      precedence value (0-7) - Match packets based on the IP precedence value.
      tos value (0-15) - Match packets based on the IP Type of Service value.
      dscp value (0-63) - Match packets based on the Diffserv codepoint value.

established
    (Optional) Applies TCP restrictions to established connections only.
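
The following Python model is an added example, not taken from the Enterasys manual. It shows how the destination, destination-wildcard, operator port and tos-extensions parameters above select packets. The function names are hypothetical, the inclusive bounds for range are an assumption, and the bit positions of precedence, tos and dscp follow the standard IPv4 ToS byte layout.

```python
import ipaddress

def addr_matches(addr, base, wildcard="0.0.0.0"):
    """True if addr equals base on every bit the wildcard does not ignore."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF              # wildcard 1-bits are "bits to ignore"
    return (a & care) == (b & care)

def dest_matches(addr, spec):
    """spec models the table's forms: ('any',), ('host', ip) or (ip, wildcard)."""
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return addr_matches(addr, spec[1])   # single host: no bits ignored
    return addr_matches(addr, spec[0], spec[1])

def port_matches(port, op, *operands):
    """Evaluate lt / gt / eq / neq / range against a TCP or UDP port number."""
    for p in (port, *operands):
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    if op == "range":
        lo, hi = operands
        return lo <= port <= hi          # assumption: both bounds inclusive
    (ref,) = operands
    return {"lt": port < ref, "gt": port > ref,
            "eq": port == ref, "neq": port != ref}[op]

def tos_fields(tos_byte):
    """Split the IPv4 ToS byte into the three values tos-extensions can match."""
    if not 0 <= tos_byte <= 0xFF:
        raise ValueError("ToS byte must be 0-255")
    return {"precedence": tos_byte >> 5,       # top 3 bits, 0-7
            "tos": (tos_byte >> 1) & 0x0F,     # next 4 bits, 0-15
            "dscp": tos_byte >> 2}             # top 6 bits, 0-63

if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print(dest_matches("10.1.2.77", ("10.1.2.0", "0.0.0.255")))  # whole /24
    print(dest_matches("10.0.5.1", ("10.0.1.1", "0.0.4.0")))     # one ignored bit
    print(port_matches(6063, "range", 6000, 6063))
    print(tos_fields(0xB8))   # same byte seen as precedence, tos and dscp
```

Because precedence and dscp overlap in the same byte, a rule that matches on dscp already constrains the precedence bits, which is why the table allows precedence and tos together or dscp alone.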