permit [<0-255>| tcp|udp] |
Creates a permit rule and identifies the protocol type: an IP protocol number
(<0-255>, for example 1 for ICMP; 6 and 17 are equivalent to tcp and udp), tcp or udp.
This permit rule is applied only to packets matching the protocol specified
here. |
[<SOURCE-NETWORK-IP/MASK>| any| host
<SOURCE-HOST-IP>] |
Specifies the source as any, host, or network
- <SOURCE-NETWORK-IP/MASK> – Configures a network as the source. Provide the
network's IPv4 address along with the mask.
- host <SOURCE-HOST-IP> – Configures a single device as the source. Provide
the host device's IPv4 address.
- any – Specifies that the source can be any device
|
[<DEST-NETWORK-IP/MASK>| any| host
<DEST-HOST-IP>] |
Specifies the destination as any, host, or network
- <DEST-NETWORK-IP/MASK> – Configures a network as the destination. Provide
the network's IPv4 address along with the mask.
- host <DEST-HOST-IP> – Configures a single device as the destination.
Provide the host device's IPv4 address.
- any – Specifies that the destination can be any device
|
control-flag <0-63> |
Configures the decimal number (representing a 6-bit
string) that specifies the control flag bits in the 14th byte (offset 13) of the TCP header
- <0-63> – Specify a value from 0 - 63. In the standard TCP flags byte layout each
bit corresponds to one flag: URG = 32, ACK = 16, PSH = 8, RST = 4, SYN = 2, FIN = 1
(for example, 2 selects SYN only and 18 selects SYN+ACK).
Note: Control flags can be used only in ACLs designed to filter TCP
traffic.
The TCP header contains several one-bit boolean fields known as
flags that influence the flow of data across a TCP connection. Ignoring the CWR and
ECE flags added for explicit congestion notification by RFC 3168, there are six TCP
control flags.
- URG flag - Marks the segment as carrying urgent data (the urgent pointer field is
valid)
- ACK flag - Indicates that the acknowledgment number field is valid; set on every
segment after the initial SYN
- PSH flag - Asks the receiver to deliver the buffered data to the application
immediately rather than wait for more. Often set at the end of a data transfer.
- RST flag - Resets (aborts) the connection. For example, a host that receives a
connection request (SYN) on a port with no service listening replies with the reset
flag set.
- SYN flag - Synchronizes initial sequence numbers; set on the first two segments of
the 3-way handshake between two hosts
- FIN flag - Signals that the sender has no more data, tearing down the connection
established between two hosts via the 3-way SYN handshake
|
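The following is an added example (not code from the page or from the switch firmware) showing how the decimal control-flag value is assembled from flag names and how it relates to the raw flags byte of a TCP header. The page does not say whether the switch compares the value exactly or as a "these bits must be set" mask, so the example evaluates both interpretations side by side; the sample TCP headers are constructed inline. The difference matters for a rule meant to permit only established traffic (value 16): under exact matching it would not match a PSH+ACK data segment (24), under mask matching it would.

```python
import struct

# Added example, not part of the page or the switch firmware.
# Bit values follow the standard TCP flags byte layout (RFC 793): the six
# control flags are the low six bits of header byte 13 (the 14th byte). CWR and
# ECE (RFC 3168) occupy the two high bits and fall outside the 0-63 range.
TCP_FLAG_BITS = {
    "URG": 0x20,
    "ACK": 0x10,
    "PSH": 0x08,
    "RST": 0x04,
    "SYN": 0x02,
    "FIN": 0x01,
}


def control_flag_value(*flag_names):
    """Return the control-flag value (0-63) that selects the named flags."""
    value = 0
    for name in flag_names:
        key = name.upper()
        if key == "PUSH":          # the page calls PSH "PUSH"
            key = "PSH"
        if key not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag: {name}")
        value |= TCP_FLAG_BITS[key]
    return value


def flags_from_value(value):
    """Decode a control-flag value back into the list of flag names it sets."""
    if not 0 <= value <= 63:
        raise ValueError("control-flag must be in 0-63")
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


def tcp_control_bits(tcp_header):
    """Low six bits of the flags byte of a raw TCP header (CWR/ECE dropped)."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return tcp_header[13] & 0x3F


def matches_exact(packet_bits, rule_value):
    """Interpretation A (assumed): match only if the packet's six bits equal the value."""
    return packet_bits == rule_value


def matches_superset(packet_bits, rule_value):
    """Interpretation B (assumed): match if every bit in the value is set in the packet."""
    return packet_bits & rule_value == rule_value


def build_tcp_header(sport, dport, flags_byte):
    """Constructed 20-byte TCP header (no options) with the given flags byte."""
    # data offset 5 words -> 0x50; seq 1, ack 0, window 65535, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags_byte, 65535, 0, 0)


# Constructed sample segments: a plain SYN, a SYN with ECN setup bits (CWR+ECE+SYN),
# a SYN-ACK, and a data segment carrying PSH+ACK.
SYN_SEGMENT = build_tcp_header(40000, 443, 0x02)
ECN_SYN_SEGMENT = build_tcp_header(40001, 443, 0xC2)
SYNACK_SEGMENT = build_tcp_header(443, 40000, 0x12)
DATA_SEGMENT = build_tcp_header(40000, 443, 0x18)

if __name__ == "__main__":
    rule = control_flag_value("ACK")      # "established traffic" style rule -> 16
    for label, seg in [("SYN", SYN_SEGMENT), ("ECN-SYN", ECN_SYN_SEGMENT),
                       ("SYN-ACK", SYNACK_SEGMENT), ("PSH-ACK", DATA_SEGMENT)]:
        bits = tcp_control_bits(seg)
        print(f"{label:8s} bits={bits:2d} {flags_from_value(bits)} "
              f"exact={matches_exact(bits, rule)} superset={matches_superset(bits, rule)}")
```

Note that the ECN-marked SYN still yields 2 after the CWR/ECE bits are masked off, so an ACL written for value 2 sees it as an ordinary SYN; and whichever interpretation the firmware uses, verify it on a lab port before relying on a control-flag rule as a security boundary.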
destination-port <0-65535> |
Configures the destination port to match. The rule's
protocol can be TCP, UDP or any other protocol identified by its number (<0-255>),
but port numbers are defined only for TCP and UDP, so use this option with tcp or
udp rules.
- <0-65535> – Specify the destination port from 0 - 65535.
|
destination-port-bitmark <0-65535> |
Configures the decimal number representing which bits of the
destination port must match. Used together with destination-port, it lets one rule
cover a set of ports rather than a single port.
- <0-65535> – Specify the destination port bits from 0 - 65535.
|
dscp <0-63> |
Configures the DSCP priority level
- <0-63> – Specify a value from 0 - 63.
Note: If specifying DSCP priority, ip-precedence cannot be
specified.
|
ex3500-time-range <TIME-RANGE-NAME> |
Applies a periodic or absolute time range to this
rule
- <TIME-RANGE-NAME> –
Specify the time range name (it must already be configured). For information
on configuring EX3500 time-range, see ex3500.
|
ip-precedence <0-7> |
Configures the IP header precedence
- <0-7> – Specify a value from 0 - 7.
Note: If specifying ip-precedence, dscp cannot be specified. Both select bits of
the same IP header byte: the three precedence bits are the high-order bits of the
DSCP field.
|
source-port <0-65535> |
Configures the source port to match. The rule's
protocol can be TCP, UDP or any other protocol identified by its number (<0-255>),
but port numbers are defined only for TCP and UDP, so use this option with tcp or
udp rules.
- <0-65535> – Specify the source port from 0 - 65535.
|
source-port-bitmark <0-65535> |
Configures the decimal number representing which bits of the
source port must match. Used together with source-port, it lets one rule cover a
set of ports rather than a single port.
- <0-65535> – Specify the source port bits from 0 - 65535.
|
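The following is an added example (not code from the page or from the switch firmware) covering both the destination-port-bitmark and source-port-bitmark options above. It assumes the usual port-plus-bitmask semantics, where a packet port matches when (packet_port & mask) == (rule_port & mask); the page only says the value selects "the port bits to match", so confirm the behaviour on your firmware. The example enumerates which ports a port/mask pair covers, derives a mask for a port range where one exists, and shows the mask-0 pitfall.

```python
# Added example, not from the page or the switch firmware. The matching rule
# (packet_port & mask) == (rule_port & mask) is an assumption about the
# bitmark/bitmask option, not something the page states.

PORT_MAX = 0xFFFF


def port_matches(packet_port, rule_port, mask):
    """True if packet_port agrees with rule_port on every bit set in mask."""
    for p in (packet_port, rule_port, mask):
        if not 0 <= p <= PORT_MAX:
            raise ValueError("ports and masks are 16-bit values")
    return (packet_port & mask) == (rule_port & mask)


def ports_covered(rule_port, mask):
    """Every port the pair (rule_port, mask) matches, in ascending order."""
    return [p for p in range(PORT_MAX + 1) if port_matches(p, rule_port, mask)]


def mask_for_range(lo, hi):
    """
    Return (port, mask) covering exactly lo..hi, or None if the range is not a
    power-of-two block aligned to its size (the only ranges one mask can express).
    """
    if not 0 <= lo <= hi <= PORT_MAX:
        raise ValueError("bad port range")
    size = hi - lo + 1
    if size & (size - 1):          # not a power of two
        return None
    if lo % size:                  # not aligned to the block size
        return None
    return lo, PORT_MAX & ~(size - 1)


if __name__ == "__main__":
    # A single port: mask 65535 compares every bit.
    print(ports_covered(443, 65535))                 # [443]
    # Four consecutive ports 1024-1027: mask 65532 ignores the two low bits.
    print(ports_covered(1024, 65532))                # [1024, 1025, 1026, 1027]
    # The IANA dynamic range 49152-65535 is a single aligned block.
    print(mask_for_range(49152, 65535))              # (49152, 49152)
    # 1024-1030 is not expressible with one mask; split it across several rules.
    print(mask_for_range(1024, 1030))                # None
    # Pitfall: mask 0 compares no bits, so the rule matches every port.
    print(len(ports_covered(8080, 0)))               # 65536
```

A rule that pairs a port with a mask of 0 is effectively "any port", so review any bitmark value below 65535 in a permit rule the same way you would review a wide network mask.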
rule-precedence <1-128> |
The following keywords are recursive and common to all
of the above parameters:
|