Intel 480T Switch User Manual

CHAPTER 17 Access Policies
313
or dropped. If no default rule is specified, the default implicit behavior is to forward the packet.
This example shows a default entry used to specify an implicit deny:
create access-list denyall ip destination 0.0.0.0/0 source 0.0.0.0/0 deny ports any
Once the default behavior of the access list is established, you can create additional entries with precedence. The optional precedence numbers range from 1 to 25,600 (number 1 having the highest precedence).
The access list example below performs packet filtering in the following order, as determined by the precedence number:
1. Deny UDP port 16 and TCP port 15 traffic to the 10.2.X.X network.
2. All other TCP port 15 traffic destined for other 10.X.X.X networks is permitted using QoS profile Qp4.
3. All remaining traffic to 10.2.0.0 uses QoS profile Qp3.
With no default rule specified, all remaining traffic is allowed using the default QoS profile.
create access-list deny102_16 udp dest 10.2.0.0/16 ip-port 16 source any ip-port any deny ports any precedence 10
create access-list deny102_15 tcp dest 10.2.0.0/16 ip-port 15 source any ip-port any deny ports any precedence 20
create access-list allow10_15 tcp dest 10.0.0.0/8 ip-port 15 source any ip-port any permit qosprofile qp4 ports any precedence 30
create access-list allow102 ip dest 10.2.0.0/16 source 0.0.0.0/0 permit qosprofile qp3 ports any precedence 40
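To see how precedence ordering and the default rule decide a packet's fate, here is an added Python evaluator (not part of the manual or of the switch software) that parses the four commands above plus the earlier denyall default rule and walks them in precedence order. It writes the 10.2.X.X rules with a /16 prefix, which is what the text's 10.2.X.X means, and represents a packet as a plain dict of proto, src, dst and ip-port values (hypothetical helper names throughout).

```python
import ipaddress
# The four rules from this section on single lines, with the 10.2.X.X rules as /16 (what
# the text's 10.2.X.X means); the earlier "denyall" default rule is kept separate for testing.
RULES = """
create access-list deny102_16 udp dest 10.2.0.0/16 ip-port 16 source any ip-port any deny ports any precedence 10
create access-list deny102_15 tcp dest 10.2.0.0/16 ip-port 15 source any ip-port any deny ports any precedence 20
create access-list allow10_15 tcp dest 10.0.0.0/8 ip-port 15 source any ip-port any permit qosprofile qp4 ports any precedence 30
create access-list allow102 ip dest 10.2.0.0/16 source 0.0.0.0/0 permit qosprofile qp3 ports any precedence 40
"""
DENYALL = "create access-list denyall ip destination 0.0.0.0/0 source 0.0.0.0/0 deny ports any\n"

def parse_rule(line):
    tok = line.split()                         # create access-list <name> <proto> ...
    rule = {"name": tok[2], "proto": tok[3], "src": None, "dst": None, "sport": None,
            "dport": None, "action": None, "qos": None, "precedence": None}
    i, side = 4, None
    while i < len(tok):
        t, arg = tok[i], (tok[i + 1] if i + 1 < len(tok) else None)
        if t in ("permit", "deny"):            # the only keyword that takes no argument
            rule["action"], i = t, i + 1
            continue
        if t in ("dest", "destination", "source"):
            side = "dst" if t.startswith("dest") else "src"
            rule[side] = None if arg == "any" else ipaddress.ip_network(arg, strict=False)  # a /8 on 10.2.0.0 would become 10.0.0.0/8
        elif t == "ip-port":                   # belongs to the address keyword just seen
            rule["dport" if side == "dst" else "sport"] = None if arg == "any" else int(arg)
        elif t == "qosprofile":
            rule["qos"] = arg
        elif t == "precedence":
            rule["precedence"] = int(arg)
        elif t != "ports":                     # "ports any" lists physical ports; ignored here
            raise ValueError("unexpected token " + t)
        i += 2
    return rule

def matches(rule, pkt):
    ok_proto = rule["proto"] in ("ip", pkt["proto"])
    ok_addr = all(rule[k] is None or ipaddress.ip_address(pkt[k]) in rule[k] for k in ("src", "dst"))
    ok_port = all(rule[p] is None or rule[p] == pkt.get(p) for p in ("sport", "dport"))
    return ok_proto and ok_addr and ok_port

def evaluate(acl_text, pkt):
    """(name, action, qos): lowest precedence number first, the rule without precedence is the default, else forward."""
    rules = [parse_rule(l) for l in acl_text.splitlines() if l.strip()]
    ordered = sorted((r for r in rules if r["precedence"] is not None), key=lambda r: r["precedence"])
    default = [r for r in rules if r["precedence"] is None]
    for r in ordered + default:
        if matches(r, pkt):
            return r["name"], r["action"], r["qos"]
    return "implicit", "permit", "default"
```

Had the 10.2.0.0 rules been written with /8 instead of /16, the prefix would normalise to 10.0.0.0/8, so TCP port 15 to any 10.X.X.X host would hit deny102_15 first and allow10_15 could never match; checking prefix lengths against the intended network is the first thing to verify in such a list.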
The Permit-Established Keyword
Access lists support the use of the permit-established keyword. This keyword allows directional control of attempts to open a TCP session. You can explicitly permit or block session initiation using