Syntax:
Extended Access List #>entry <id> source port-range <lower_port> <higher_port>
Example 1:
Extended Access List 100>entry 3 source port-range 2 4
Extended Access List 100>
This entry matches all TCP or UDP packets whose source port is between 2 and 4 (inclusive).
Example 2:
Extended Access List 100>entry 3 protocol icmp
Extended Access List 100>entry 3 source port-range 3 3
Extended Access List 100>
This entry matches all type 3 ICMP packets (destination unreachable), regardless of the code.
2.5.2.5 ENTRY <id> DESTINATION
Establishes the statement for the IP parameters used in destination addressing.
Syntax:
Extended Access List #>entry <id> destination <parameter> [options]
The following options can be entered in the IP destination statement:
Extended Access List #>entry <id> destination ?
  address       IP address and mask of the source subnet
  port-range    source port range
2.5.2.5.1 ENTRY <id> DESTINATION ADDRESS
Establishes the destination IP address statement. A mask is used to indicate the selected range of addresses. This address may be unnumbered, meaning you can enter an address associated to an interface that is unknown when configuring the device. In cases where you want to specify a range of addresses you can, for practical reasons, take two types of masks into consideration:
Standard subnet mask: This corresponds to the masks normally used to define subnets. E.g. 255.255.255.0 (which is equivalent to a /24 subnet).
Wildcard mask: This can be considered a generalization of the previous type. A wildcard mask lets you delimit more precisely the groups of addresses checked by the entry. The active bits in the wildcard mask indicate the exact positions of the address bits that the entry must check. The examples in the following table illustrate these concepts:
Address        Wildcard mask    Matching entry
172.24.0.127   255.255.0.255    Matches destination addresses 172.24.x.127 regardless of the value
                                of x. (E.g. 172.24.12.127)
0.0.0.67       0.0.0.255        Matches destination addresses x.x.x.67, regardless of the x values.
                                (E.g. 10.150.130.67)
0.0.130.0      0.0.254.0        Matches destination addresses x.x.130.x and x.x.131.x, regardless
                                of the x values. (E.g. 18.102.130.2, 192.168.131.125)
192.0.125.0    255.0.253.0      Matches destination addresses 192.x.125.x and 192.x.127.x,
                                regardless of the x values. (E.g. 192.142.125.8, 192.3.127.135)
192.0.125.0    254.0.253.0      Matches destination addresses 192.x.125.x, 193.x.125.x,
                                192.x.127.x and 193.x.127.x, regardless of the x values.
                                (E.g. 192.222.125.44, 193.111.127.201)
When configuring a wildcard mask, keep in mind that every bit position whose value is 0 in the mask must also be 0 in the address. Otherwise, the device will issue an error message and suggest an address that adapts to the mask provided. The user must check whether this address matches the required configuration.
For example, if you try to enter address 172.24.155.130 in the command with mask 255.255.254.255, the device will issue an error message. This is because the last bit in the mask's third octet (254) is 0, while the same bit in the address (155) is 1. In this case, the device will suggest address 172.24.154.130.
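The following Python example is added here and is not taken from the manual or the device firmware. It reproduces the bit logic described above: the validity check on an address/mask pair, the suggested address, and the match test against the table rows. The function names and the non-matching sample addresses are assumptions made for the illustration.

```python
import ipaddress

def _to_int(dotted):
    """Parse a dotted-quad address or mask into a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def check_entry(address, mask):
    """Validate an address/wildcard-mask pair as the text describes.

    Returns (ok, suggestion). ok is False when the address has a 1 in a
    bit position where the mask has a 0; suggestion is the address with
    those bits cleared (address AND mask).
    """
    addr, msk = _to_int(address), _to_int(mask)
    suggestion = addr & msk
    return addr == suggestion, str(ipaddress.IPv4Address(suggestion))

def matches(packet_dst, address, mask):
    """True when packet_dst equals address in every bit the mask marks as checked."""
    ok, suggestion = check_entry(address, mask)
    if not ok:
        raise ValueError(f"address has bits set outside the mask; try {suggestion}")
    return (_to_int(packet_dst) & _to_int(mask)) == _to_int(address)

# (address, mask, matching address from the table, constructed non-matching address)
TABLE_ROWS = [
    ("172.24.0.127", "255.255.0.255", "172.24.12.127", "172.25.12.127"),
    ("0.0.0.67", "0.0.0.255", "10.150.130.67", "10.150.130.68"),
    ("0.0.130.0", "0.0.254.0", "192.168.131.125", "18.102.132.2"),
    ("192.0.125.0", "255.0.253.0", "192.3.127.135", "192.142.126.8"),
    ("192.0.125.0", "254.0.253.0", "193.111.127.201", "194.111.127.201"),
]

def run_table():
    """Return one (hit, miss) pair of match results per table row."""
    return [(matches(hit, a, m), matches(miss, a, m)) for a, m, hit, miss in TABLE_ROWS]

if __name__ == "__main__":
    # The rejected pair from the text and the address the device suggests.
    print(check_entry("172.24.155.130", "255.255.254.255"))
    for row, result in zip(TABLE_ROWS, run_table()):
        print(row[0], row[1], result)
```

In this syntax the 1 bits of the mask are the checked positions, the inverse of the Cisco IOS wildcard convention, so a mask copied from an IOS ACL must be bit-inverted before being entered here.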
When configuring an IP address, you must enter the IP address and the mask. When configuring an interface, you
2 Configuration
bintec elmeg
Access Control