R3166-R3206-HP High-End Firewalls Access Control Command Reference-6PW101
Table 3 Match criteria and other rule information for IPv4 advanced ACL rules

| Parameters | Function | Description |
|---|---|---|
| source { sour-addr sour-wildcard \| any } | Specifies a source address | The sour-addr sour-wildcard arguments represent a source IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword specifies any source IP address. |
| destination { dest-addr dest-wildcard \| any } | Specifies a destination address | The dest-addr dest-wildcard arguments represent a destination IP address and wildcard mask in dotted decimal notation. An all-zero wildcard specifies a host address. The any keyword represents any destination IP address. |
| precedence precedence | Specifies an IP precedence value | The precedence argument can be a number in the range 0 to 7, or in words, routine (0), priority (1), immediate (2), flash (3), flash-override (4), critical (5), internet (6), or network (7). |
| tos tos | Specifies a ToS preference | The tos argument can be a number in the range 0 to 15, or in words, max-reliability (2), max-throughput (4), min-delay (8), min-monetary-cost (1), or normal (0). |
| dscp dscp | Specifies a DSCP priority | The dscp argument can be a number in the range 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
| logging | Logs matching packets | This function requires that the module (for example, a firewall) that uses the ACL supports logging. |
| reflective | Specifies that the rule be reflective | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement. |
| vpn-instance vpn-instance-name | Applies the rule to packets in a VPN instance | The vpn-instance-name argument takes a case sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets. |
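The address and priority criteria in Table 3 can be checked offline before a rule is applied, which helps catch a wildcard that matches more hosts than intended. The following Python code is an added example, not part of the HP reference: `parse_criteria` and `matches` are hypothetical helpers, the test packets are constructed, and it assumes the usual wildcard-mask semantics in which bits set to 1 in the wildcard are ignored.

```python
import ipaddress

# Keyword-to-number mappings taken from Table 3.
PRECEDENCE = {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
              "flash-override": 4, "critical": 5, "internet": 6, "network": 7}
TOS = {"normal": 0, "min-monetary-cost": 1, "max-reliability": 2,
       "max-throughput": 4, "min-delay": 8}
DSCP = {"default": 0, "ef": 46,
        **{f"cs{i}": 8 * i for i in range(1, 8)},
        **{f"af{c}{d}": 8 * c + 2 * d for c in range(1, 5) for d in range(1, 4)}}
FIELDS = {"precedence": (PRECEDENCE, 7), "tos": (TOS, 15), "dscp": (DSCP, 63)}

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_criteria(text):
    """Parse e.g. 'source 10.1.1.0 0.0.0.255 destination any dscp ef'."""
    tokens, crit, i = text.split(), {}, 0
    while i < len(tokens):
        key = tokens[i]
        if key in ("source", "destination"):
            if tokens[i + 1] == "any":
                crit[key] = (0, 0xFFFFFFFF)  # every bit is "don't care"
                i += 2
            else:
                crit[key] = (_ip(tokens[i + 1]), _ip(tokens[i + 2]))
                i += 3
        elif key in FIELDS:
            names, top = FIELDS[key]
            raw = tokens[i + 1]
            value = names[raw] if raw in names else int(raw)
            if not 0 <= value <= top:
                raise ValueError(f"{key} {raw} is outside 0..{top}")
            crit[key] = value
            i += 2
        else:
            raise ValueError(f"unsupported keyword: {key}")
    return crit

def matches(crit, packet):
    """Assumption: wildcard bits set to 1 are ignored when comparing addresses."""
    for key, want in crit.items():
        if key in ("source", "destination"):
            addr, wildcard = want
            care = ~wildcard & 0xFFFFFFFF  # bits that must be equal
            if (_ip(packet[key]) & care) != (addr & care):
                return False
        elif packet.get(key) != want:
            return False
    return True
```

Only the address and precedence, tos and dscp keywords are handled; logging, reflective and vpn-instance raise `ValueError` so that an unsupported rule is not silently treated as a match.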