Result
The composite command can be any command defined in the composite operation list. These
commands are case-sensitive. To view the composite operation list for the access control list
you are working with, use the command show composite-operation in the context of the
access control list.
Example
The following example defines a rule in access control list 301 that denies access to all
incoming packets that contain IP fragments:
Gxxx-001(super)# ip access-control-list 301
Gxxx-001(super/ACL 301)# ip-fragments-in Deny
Done!
Policy rule configuration
You can configure policy rules to match packets based on one or more of the following criteria:
• Source IP address, or a range of addresses
• Destination IP address, or a range of addresses
• IP protocol, such as TCP, UDP, ICMP, or IGMP
• Source TCP or UDP port or a range of ports
• Destination TCP or UDP port or a range of ports
• ICMP type and code
• Fragment
• DSCP
Use IP wildcards to specify a range of source or destination IP addresses. The zero bits in the
wildcard correspond to bits in the IP address that remain fixed. The one bits in the wildcard
correspond to bits in the IP address that can vary. Note that this is the opposite of how bits are
used in a subnet mask.
For access control lists, you can require the packet to be part of an established TCP session.
If the packet is a request for a new TCP session, the packet does not match the rule. You can
also specify whether an access control list accepts packets that have an IP option field.
Related topics:
Editing and creating rules on page 569
Policy lists rule criteria on page 569
Policy lists
568 Administering Avaya G430 Branch Gateway October 2013
Comments? infodev@avaya.com
To Next Page
Loading...
