config

Use the config command to modify an existing AP or AC filter rule for this <named-role>. The config command is accessible from within the vnsmode:<default-role>:acfilters and vnsmode:<default-role>:apfilters contexts.

config [pos] proto protocol eth ether-type mac MAC address (ipaddress/mask | IPv6 | interface-subnet | interface-ip | any) [(port port [port]) | (type-code type [type])] in (none|src|dst|both) out (none|src|dst|both) (allow | deny | none | contain2vlan vlan-id | redirect) priority (0-7 | none) tos-dscp (0-FF/(FF|FE|FC|F8|F0|E0|C0|80)|none) cos (named cos|none) traffic-mirror (<none|enable|prohibited>)

Use the following syntax to modify an existing AP or AC application ID filter rule.

config pos application app_id in (none|apply) out (none|apply) (allow | deny | none |contain2vlan vlan-id | redirect ) cos (<named cos>|none) traffic-mirror (<none|enable|prohibited>)

Use the following syntax to modify a custom application in the L7 layer of the filter rule definition for an AP or AC filter list.

config pos app-signature app_id group group name name | hostname app name in (none|apply) out (none|apply) (allow | deny | none | contain2vlan vlan-id | redirect) cos (named cos|none) traffic-mirror (none|enable|prohibited)

Parameters

pos Specifies a position value for this filter in the filter list. Valid values are from 0 - 255.
proto protocol Specifies the protocol for this filter rule by number or name. Valid number values are from 0 - 255. Valid name values are:
  • udp - UDP protocol
  • tcp - TCP protocol
  • ah - Authentication Header protocol
  • esp - Encapsulating Security Payload protocol
  • icmp - ICMP protocol
  • icmpv6 - ICMP-IPv6 protocol
  • any - Any protocol
  • gre - Generic Route Encapsulation protocol
  • 0-255 - number value of protocol
eth ether-type ether-type: 4 hex digits from 0001~FFFF, or any.

The following well-known values are converted into hex values: IPv4, ARP, RARP, DECnet Phase IV, AppleTalk (EtherTalk), AppleTalk Address Resolution Protocol (AARP), Novell IPX (alt), Novell, Profinet, and IPv6.

Note: IPv6 is supported for Layer 2 bridging for both B@AC and B@AP topologies.
mac MAC address MAC address: MAC or CIDR address, or any.
ipaddress/mask The IP address and/or mask for this filter rule.
IPv6 The IP address is in IPv6 format.
interface-subnet Use the IP address and mask configured for the associated topology for this filter rule.
interface-ip Use the IP address of the associated topology for this filter rule.
any Use any IP address or mask for this filter rule.

port port [ port] Specifies a TCP or UDP port or port range to which this filter rule will be applied. The first port value specifies either the port or the start of a port range. The second port value optionally specifies the end of a range. This parameter is valid only when either TCP or UDP is the specified protocol. Valid port values are from 0 - 65535.
type-code type [ type] Specifies an ICMP type code or range of ICMP type codes. The first type value specifies either the ICMP type code or the start of a type code range. The second type value optionally specifies the end of a type code range. This parameter is valid only when ICMP is the specified protocol. Valid type values are from 0 - 255.
in (none | src | dst | both) Specifies the direction of packet flow. in specifies a packet flow from the AP to the AC.
  • none - specifies that the in direction will not be used as matching criteria in the filter rule.
  • dst - specifies that the IP address for this filter rule is the destination of the packet flow.
  • src - specifies that the IP address for this filter rule is the source of the packet flow.
  • both - specifies that the IP address for this filter rule can be either source or destination.
out (none | src | dst | both) Specifies the direction of packet flow. out specifies a packet flow from the AC to the AP.
  • none - specifies that the out direction will not be used as matching criteria in the filter rule.
  • dst - specifies that the IP address for this filter rule is the destination of the packet flow.
  • src - specifies that the IP address for this filter rule is the source of the packet flow.
  • both - specifies that the IP address for this filter rule can be either source or destination.

allow | deny | none | contain2vlan vlan-id | redirect Specifies whether packets are allowed or denied (or ignored), or put in the containment VLAN (you must specify the VLAN by its ID), or redirected when meeting the criteria specified in the filter rule.
priority (0-7 | none) Specifies the packet priority. Valid values are 0-7; the highest priority is 7. Specifying none means priority level will not be used as matching criteria in this CoS.
tos-dscp (tos-dscp value/mask value | none) Specifies the type of service in the filter rule. Valid values are 0-FF for ToS/DSCP and FF|FE|FC|F8|F0|E0|C0|80 for mask. Specifying none means tos/dscp value is not used as matching criteria in the filter rule.
cos (named-cos| none) Specifies the class of service in the filter rule. The named-cos must already be created by the create command in the cos context. Specifying none means CoS is not used as matching criteria in the filter rule.
traffic-mirror Specifies the behavior applied to a traffic mirror:
  • none - specifies the filter rule is not configured for traffic mirror.
  • enable - specifies that the traffic rule is enabled for traffic mirror.
  • prohibited - specifies that the traffic rule is prohibited for traffic mirror.

application app_id Specifies an application on the filter rule definition.
app-signature app_id Specifies a custom application on the L7 layer of the filter definition rule.
group group Specifies the pre-defined group, of which the (L7) custom application is a member.
name app name Specifies the application name for the (L7) custom application.
hostname app name Indicates that the custom application type is hostname. The (L7) custom application authenticates based on a user defined IP/subnet parameter in the Layer 3 configuration. This configuration allows mobile clients to authenticate using credentials from a specific host. For more information, see the ExtremeWireless User Guide.

Usage

If the specified rule position already contains a filter rule, the config command overwrites the existing rule. Use the create command to insert or append a rule at the specified position.

Examples

The following example overwrites a pre-existing filter rule 1 with a rule that allows ICMP traffic types 9 through 31 in both directions for the associated topology's interface subnet and mask:

EWC.extremenetworks.com:vnsmode:p1:acfilters# config 1 proto icmp interface-subnet type 9 31 in dst out src allow
EWC.extremenetworks.com:vnsmode:p1:acfilters# apply
EWC.extremenetworks.com:vnsmode:p1:acfilters# show
Enable AP filtering: disable
filter 1 proto icmp interface-subnet type 9 31 in dst out src allow
filter 2 proto udp 192.168.10.0 255.255.255.0 port 10 2000 in dst out src allow
filter 3 (default) proto none 0.0.0.0  all_ports in dst out none allow
filter 4 (default) proto none 0.0.0.0  all_ports in none out src allow
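
Because config replaces whatever rule already sits at a position, it is worth reviewing the resulting list after apply. The following Python script is an added example, not part of the vendor documentation: it parses the show output above and flags allow rules a reviewer should justify. The line layout is inferred from the four sample lines only, and parse_rules, audit and the max_span threshold are hypothetical names and values chosen for this example.

```python
import re

# Constructed sample: the `show` lines printed in the example above.
SHOW_OUTPUT = """\
Enable AP filtering: disable
filter 1 proto icmp interface-subnet type 9 31 in dst out src allow
filter 2 proto udp 192.168.10.0 255.255.255.0 port 10 2000 in dst out src allow
filter 3 (default) proto none 0.0.0.0  all_ports in dst out none allow
filter 4 (default) proto none 0.0.0.0  all_ports in none out src allow
"""
# Line layout inferred from those four lines only (an assumption, not a spec).
RULE = re.compile(
    r"^filter (?P<pos>\d+) (?P<default>\(default\) )?proto (?P<proto>\S+) "
    r"(?P<match>.+?) in (?P<dir_in>none|src|dst|both) out (?P<dir_out>none|src|dst|both) "
    r"(?P<action>allow|deny|none|redirect|contain2vlan \d+)\b")

def parse_rules(text):
    """Return one dict per 'filter N ...' line; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["pos"], r["default"] = int(r["pos"]), bool(r["default"])
        tokens = r.pop("match").split()
        r["ports"] = None
        if "port" in tokens:            # 'port start [end]'
            i = tokens.index("port")
            nums = [int(t) for t in tokens[i + 1:]]
            r["ports"], tokens = (nums[0], nums[-1]), tokens[:i]
        elif "type" in tokens:          # ICMP 'type start [end]'
            tokens = tokens[:tokens.index("type")]
        elif tokens and tokens[-1] == "all_ports":
            tokens = tokens[:-1]
        r["addr"] = " ".join(tokens)    # address, address + mask, or keyword
        rules.append(r)
    return rules

def audit(rules, max_span=1024):
    """Flag allow rules to justify in review; max_span is an assumed threshold."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["proto"] in ("none", "any") and r["addr"] in ("0.0.0.0", "any"):
            findings.append((r["pos"], "allows every protocol and address"))
        elif r["ports"] and r["ports"][1] - r["ports"][0] + 1 > max_span:
            findings.append((r["pos"], "wide port range %d-%d" % r["ports"]))
    return findings
```

On the sample, audit(parse_rules(SHOW_OUTPUT)) reports the UDP range at position 2 and the two default catch-all rules at positions 3 and 4, while the ICMP rule written by config at position 1 passes.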

The following example configures a filter rule that sets a ToS-DSCP as B8/FF and CoS as HTTP Traffic (note the quotes around the CoS name because of the space):

EWC.extremenetworks.com:vnsmode:Auth:acfilters# config 1 proto tcp 192.168.0.0/32 in dst out src none priority none tos-dscp B8/FF cos "HTTP Traffic"