
Extreme Networks ExtremeWare XOS Guide - Page 274

Access Lists (ACLs)
ExtremeWare XOS 11.3 Concepts Guide
entry icmp {
    if {
        source-address 10.203.134.0/24;
        protocol icmp;
        icmp-type echo-request;
    } then {
        deny;
        count icmpcnt;
    }
}
The following example prevents TCP connections from being established from the 10.10.20.0/24 subnet,
but allows established connections to continue, and allows TCP connections to be established to that
subnet. A TCP connection is established by sending a TCP packet with the SYN flag set, so this example
blocks TCP SYN packets. This example emulates the behavior of the ExtremeWare permit-established
ACL command:
entry permit-established {
    if {
        source-address 10.10.20.0/24;
        protocol TCP;
        tcp-flags syn;
    } then {
        deny;
    }
}
The following entry denies every packet and increments the counter default:
entry default {
    if {
    } then {
        deny;
        count default;
    }
}
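The following Python model is an added illustration, not part of the original guide or of ExtremeWare XOS. It evaluates the icmp, permit-established, and default entries above against constructed packets to show how appending the deny-all entry changes what permit-established lets through. Assumptions: the three entries are combined in one policy, the first matching entry wins, tcp-flags syn matches only a flags value of exactly SYN, and a packet that matches no entry is permitted.

```python
import ipaddress

# Assumption: "tcp-flags syn" matches only when the flags byte is exactly
# SYN (0x02), so a SYN+ACK reply (0x12) is not matched.
SYN, ACK = 0x02, 0x10

# (entry name, match conditions, action, counter) modelled on the entries above.
POLICY = [
    ("icmp", {"src": "10.203.134.0/24", "proto": "icmp", "icmp_type": 8}, "deny", "icmpcnt"),
    ("permit-established", {"src": "10.10.20.0/24", "proto": "tcp", "tcp_flags": SYN}, "deny", None),
    ("default", {}, "deny", "default"),
]

def matches(cond, pkt):
    """Every condition in the 'if' block must hold; an empty block matches all packets."""
    for key, want in cond.items():
        if key == "src":
            if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(policy, pkt, counters):
    """Return (action, entry name) for the first entry that matches the packet."""
    for name, cond, action, counter in policy:
        if matches(cond, pkt):
            if counter:
                counters[counter] = counters.get(counter, 0) + 1
            return action, name
    return "permit", None  # assumption: no matching entry means permit

def run(policy, packets):
    """Evaluate all packets in order and return the decisions and counter values."""
    counters = {}
    return [evaluate(policy, p, counters) for p in packets], counters

# Constructed sample packets.
PACKETS = [
    {"src": "10.203.134.7", "proto": "icmp", "icmp_type": 8},       # echo request
    {"src": "10.10.20.5", "proto": "tcp", "tcp_flags": SYN},        # new connection from the subnet
    {"src": "10.10.20.5", "proto": "tcp", "tcp_flags": SYN | ACK},  # reply to an inbound connection
    {"src": "10.10.20.5", "proto": "tcp", "tcp_flags": ACK},        # established traffic
]
```

Calling run(POLICY[:2], PACKETS) denies only the echo request and the bare SYN, while run(POLICY, PACKETS) denies all four packets because the SYN+ACK and ACK packets fall through to the default entry.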
The following entry denies IPv6 packets from source addresses in the 2001:db8:c0a8::/48 subnets and to
destination addresses in the 2001:db8:c0a0:1234::/64 subnets:
entry ipv6entry {
    if {
        source-address 2001:DB8:C0A8:: / 48;
        destination-address 2001:DB8:C0A0:1234:: / 64;
    } then {
        deny;
    }
}
Conserving ACL Masks (BlackDiamond 8800 family and Summit X450 switches only)
The BlackDiamond 8800 family and Summit X450 switches have a total of sixteen ACL masks per port
on the switch. To avoid exhausting the masks available on the switch, you must carefully plan your use
of ACL masks.
