BigIron RX Series Configuration Guide 535
53-1002253-01
Configuring numbered and named ACLs
21
Parameters to filter TCP or UDP packets
Use the following parameters to filter TCP or UDP traffic. These parameters apply only if you entered tcp or udp for the <ip-protocol> parameter. For example, if you are configuring an entry for HTTP, specify tcp eq http.
<wildcard> Specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet's source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of "209.157.22.26 0.0.0.255" as "209.157.22.26/24". The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file. IP subnet masks in CIDR format are saved in the file in "/<mask-bits>" format.
If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with the subnet mask in the display produced by the show access-list command.
dst-mac <dst-mac> | <mask> Specify the destination MAC host for the policy. If you want the policy to match on all destination addresses, enter any.
fragment Enter this keyword if you want to filter fragmented packets. Refer to "Enabling ACL filtering of fragmented or non-fragmented packets" on page 568.
NOTE: The fragmented and non-fragmented parameters cannot be used together in an ACL entry.
non-fragment Enter this keyword if you want to filter non-fragmented packets. Refer to "Enabling ACL filtering of fragmented or non-fragmented packets" on page 568.
NOTE: The fragmented and non-fragmented parameters cannot be used together in an ACL entry.
first-fragment Enter this keyword if you want to filter only the first fragment of fragmented packets. Refer to "Enabling ACL filtering of fragmented or non-fragmented packets" on page 568.
fragment-offset <number> Enter this parameter if you want to filter fragmented packets with a specific fragment offset. Enter a value from 0 – 8191. Refer to "Enabling ACL filtering of fragmented or non-fragmented packets" on page 568.
NOTE: fragment, non-fragment, first-fragment, and fragment-offset may not be used together in the same ACL statement.
log Add this parameter to the end of an ACL statement to enable the generation of SNMP traps and Syslog messages for packets denied by the ACL. You can enable logging on ACLs and filters that support logging even when the ACLs and filters are already in use. To do so, re-enter the ACL or filter command and add the log parameter to the end of the ACL or filter. The software replaces the ACL or filter command with the new one. The new ACL or filter, with logging enabled, takes effect immediately.
NOTE: Logging must be enabled on the interface to which the ACL is bound before SNMP traps and Syslog messages can be generated, even if the log parameter is entered. Refer to "ACL logging" on page 555.
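The wildcard and CIDR handling described under <wildcard> above, modeled as an added example (not code from the BigIron RX guide or its CLI): it converts a CIDR length to an ACL wildcard mask, zeros the non-significant host bits the way the CLI does when it saves the entry, and tests a packet's source address against the entry. The contiguity check goes beyond the guide's text: it shows which wildcards have a CIDR equivalent at all.

```python
# Added example: models BigIron-style ACL wildcard semantics
# (zero bits must match <source-ip>, one bits match anything).
# Entries and packet addresses below are constructed sample values.
import ipaddress


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value):
    return str(ipaddress.IPv4Address(value))


def prefix_to_wildcard(prefix_len):
    """CIDR length -> ACL wildcard: the low-order (32 - N) bits become ones."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return int_to_ip((1 << (32 - prefix_len)) - 1)


def normalize_entry(entry):
    """Accept 'a.b.c.d/N' or 'a.b.c.d w.x.y.z' and return (network, wildcard)
    as the CLI stores it: host bits covered by wildcard ones are zeroed."""
    if "/" in entry:
        ip, bits = entry.split("/")
        wildcard = prefix_to_wildcard(int(bits))
    else:
        ip, wildcard = entry.split()
    wc = ip_to_int(wildcard)
    network = ip_to_int(ip) & ~wc & 0xFFFFFFFF
    return int_to_ip(network), wildcard


def wildcard_is_contiguous(wildcard):
    """True when the wildcard's ones form one low-order run, i.e. it has a
    CIDR equivalent. 0.0.255.0 is a valid wildcard but has no /N form."""
    wc = ip_to_int(wildcard)
    return (wc & (wc + 1)) == 0


def entry_matches(entry, packet_src):
    """Compare only the bits where the wildcard is zero."""
    network, wildcard = normalize_entry(entry)
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(packet_src) & care) == (ip_to_int(network) & care)
```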