3com WX1200 3CRWX120695A User Manual

Chapter 19: Configuring and Managing Security ACLs (page 386 of 728)
For example, the following command permits packets sent from IP 
address 192.168.1.5 to 192.168.1.6 with the TCP destination port equal 
to 524, a precedence of 7, and a type of service of 15, on an established 
TCP session, and counts the number of hits generated by the ACE:
WX1200# set security acl ip acl-4 permit tcp
192.168.1.5 0.0.0.0 192.168.1.6 0.0.0.0 eq 524 
precedence 7 tos 15 established hits
(For information about TOS and precedence levels, see the Wireless LAN Switch and Controller Command Reference.)
Setting a UDP ACL
The following command filters UDP packets:
set security acl ip acl-name {permit [cos cos] | deny}
udp {source-ip-addr mask | any [operator port [port2]]}
{destination-ip-addr mask | any [operator port [port2]]}
[[precedence precedence] [tos tos] [dscp codepoint]] [before
editbuffer-index | modify editbuffer-index] [hits]
For example, the following command permits UDP packets sent from IP 
address 192.168.1.7 to IP address 192.168.1.8, with any UDP destination 
port less than 65,535. It puts this ACE first in the ACL, and counts the 
number of hits generated by the ACE.
WX1200# set security acl ip acl-5 permit udp 
192.168.1.7 0.0.0.0 192.168.1.8 0.0.0.0 lt 65535 
precedence 7 tos 15 before 1 hits
(For information about TOS and precedence levels, see the Wireless LAN Switch and Controller Command Reference.)
Determining the ACE Order
The set security acl command creates a new entry in the edit buffer and 
appends the new entry as a rule at the end of an ACL, unless you specify 
otherwise. The order of ACEs is significant, because the earliest ACE 
takes precedence over later ACEs. To place the ACEs in the correct order, 
use the parameters before editbuffer-index and modify 
editbuffer-index. The first ACE is number 1.
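As an added illustration that is not part of the manual, the following Python model shows first-match evaluation and why before editbuffer-index matters: the page's UDP permit inserted as ACE 1 ahead of a broader deny is tested first, whereas the same ACE appended after the deny would never match. The wildcard-mask, port-operator, established and implicit-deny semantics are assumptions of this model, not taken from the WX1200 software.

```python
import ipaddress
def _addr_match(addr, base, wildcard):
    """Wildcard mask (assumed CLI semantics): 1 bits are 'don't care'; 0.0.0.0 = exact host."""
    w = int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) | w) == (int(ipaddress.ip_address(base)) | w)

def _port_match(op, args, port):
    """Port operators from the ACE syntax: eq, neq, lt, gt, range (None = any port)."""
    if op is None:
        return True
    if op == "range":
        return args[0] <= port <= args[1]
    return {"eq": port == args[0], "neq": port != args[0],
            "lt": port < args[0], "gt": port > args[0]}[op]

def ace(action, proto, src, src_mask, dst, dst_mask, op=None, ports=(), established=False):
    """One ACE as a dict; 'hits' models the counter enabled by the hits keyword."""
    return dict(action=action, proto=proto, src=src, src_mask=src_mask, dst=dst,
                dst_mask=dst_mask, op=op, ports=tuple(ports), established=established, hits=0)

class Acl:
    def __init__(self):
        self.aces = []  # ordered: list index 0 is ACE number 1

    def add(self, entry, before=None):
        """Append by default, or with before=N insert so the entry becomes ACE number N."""
        self.aces.insert(len(self.aces) if before is None else before - 1, entry)

    def evaluate(self, pkt):
        """First match wins; 'established' is modelled as the ACK flag; no match = implicit deny (assumed)."""
        for entry in self.aces:
            if (entry["proto"] == pkt["proto"]
                    and _addr_match(pkt["src"], entry["src"], entry["src_mask"])
                    and _addr_match(pkt["dst"], entry["dst"], entry["dst_mask"])
                    and _port_match(entry["op"], entry["ports"], pkt["dport"])
                    and (not entry["established"] or pkt.get("ack", False))):
                entry["hits"] += 1
                return entry["action"]
        return "deny"

def build_example_acl():
    """Constructed ACL: a broad UDP deny, then the page's two permits; the UDP permit uses before=1."""
    acl = Acl()
    acl.add(ace("deny", "udp", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"))
    acl.add(ace("permit", "tcp", "192.168.1.5", "0.0.0.0", "192.168.1.6", "0.0.0.0",
                "eq", (524,), established=True))
    acl.add(ace("permit", "udp", "192.168.1.7", "0.0.0.0", "192.168.1.8", "0.0.0.0",
                "lt", (65535,)), before=1)
    return acl
```

Appending the same UDP permit without before=1 leaves it behind the deny, so traffic from 192.168.1.7 is dropped even though a matching permit exists later in the ACL.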