ACS Packet Filter Configuration Mode Commands


 
 
The ACS Packet Filter Configuration Mode is used to create and configure ACS packet filters.
 
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
 
direction
This command configures the direction in which the filter has to be applied.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
direction { bi-directional | downlink | uplink }
default direction
default
Applies the default configuration.
Default: bi-directional
bi-directional
Specifies that the filter is to be applied in both uplink and downlink directions.
downlink
Specifies that the filter is to be applied only in the downlink direction.
uplink
Specifies that the filter is to be applied only in the uplink direction.
Usage
Use this command to configure the direction in which the filter has to be applied.
Example
The following command configures the filter in the downlink direction:
direction downlink
 
end
Exits the current configuration mode and returns to the Exec mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
end
Usage
Use this command to return to the Exec mode.
 
exit
Exits the current mode and returns to the parent configuration mode.
Product
All
Privilege
Security Administrator, Administrator
Syntax
exit
Usage
Use this command to return to the parent configuration mode.
 
ip local-port
This command configures the IP 5-tuple local port parameter for the packet filter.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
ip local-port { = port_number | range start_port_number to end_port_number }
no ip local-port
no
Removes the local-port configuration, if previously configured.
= port_number
Specifies the port number of the transport protocol.
port_number must be an integer from 1 through 65535.
range start_port_number to end_port_number
range specifies a range of port numbers.
start_port_number and end_port_number must be integers from 1 through 65535. end_port_number must be greater than start_port_number.
Usage
Use this command to configure a specific IP local port, or a range of IP local ports, for a packet filter.
Example
The following command configures the IP local port as 456:
ip local-port = 456
 
ip protocol
This command configures the IP protocol parameter for the packet filter.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
In StarOS 8.x releases:
ip protocol { = protocol_number | range start_protocol_number to end_protocol_number }
no ip protocol
In StarOS 9.0 and later releases:
ip protocol = protocol_number
no ip protocol
no
Removes the IP protocol configuration, if previously configured.
= protocol_number
Specifies the transport protocol field in the IP header.
protocol_number must be the numerical value of the protocol, and must be an integer from 1 through 255.
range start_protocol_number to end_protocol_number
Important: In StarOS 9.0 and later releases this keyword is obsolete.
range specifies a range of protocol assignment numbers.
start_protocol_number and end_protocol_number must be integers from 1 through 255. end_protocol_number must be greater than start_protocol_number.
Usage
Use this command to configure the protocol parameter for a packet filter.
Example
The following command configures the protocol assignment number 300:
ip protocol = 300

ip remote-address
This command configures the IP remote address parameter for the packet filter.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
In StarOS 8.x releases:
ip remote-address { = { ip_address | ip_address/mask } | range { ip_address | ip_address/mask } to { ip_address | ip_address/mask } }
no ip remote-address
In StarOS 9.0 and later releases:
ip remote-address = { ip_address | ip_address/mask }
no ip remote-address
no
Removes the remote address configuration, if previously configured.
= { ip_address | ip_address/mask }
ip_address specifies the IP address in IPv4 dotted decimal or IPv6 colon separated notation format.
ip_address/mask specifies the IP address in IPv4 dotted decimal or IPv6 colon separated notation format, and the number of subnet bits representing the subnet mask in shorthand.
range { start_ip_address | start_ip_address/mask } to { end_ip_address | end_ip_address/mask }
Important: In StarOS 9.0 and later releases this keyword is obsolete.
range specifies a range of IP addresses.
start_ip_address and end_ip_address specify, for the range, the starting and ending IP address in IPv4 dotted decimal or IPv6 colon separated notation format. end_ip_address must be greater than start_ip_address.
start_ip_address/mask and end_ip_address/mask specify, for the range, the starting and ending IP address in IPv4 dotted decimal or IPv6 colon separated notation format, and the number of subnet bits representing the subnet mask in shorthand. end_ip_address/mask must be greater than start_ip_address/mask.
Usage
Use this command to configure the remote IP address parameter for a packet filter.
Example
The following command configures the IP remote address as 1.2.3.4/24:
ip remote-address = 1.2.3.4/24
 
ip remote-port
This command configures the IP remote port parameter for the packet filter.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
ip remote-port { = port_number | range start_port_number to end_port_number }
no ip remote-port
no
Removes the remote port configuration, if previously configured.
= port_number
Specifies the port number of the transport protocol.
port_number must be an integer from 1 through 65535.
range start_port_number to end_port_number
Specifies a range of port numbers.
start_port_number and end_port_number must be integers from 1 through 65535. end_port_number must be greater than start_port_number.
Usage
Use this command to configure a specific IP remote port, or a range of IP remote ports, for a packet filter.
Example
The following command configures the IP remote port as 789:
ip remote-port = 789
 
priority
This command configures the packet filter’s priority.
Important: This command is deprecated in certain 9.0 releases and in 10.0 and later releases. The precedence values of packet filters (those from Dynamic Rules, and those from Predefined Rules) are assigned by the PCEF based on an internal process.
Product
ACS
Privilege
Security Administrator, Administrator
Syntax
priority priority
no priority
no
Removes the priority configuration, if previously configured.
priority
Specifies this packet filter’s priority, and must be an integer from 0 through 255.
Usage
Use this command to configure the packet filter’s priority. The priority must be configured for the packet filter to be used in a TFT. Packets are compared against packet filters in a prioritized fashion, with 0 being the highest priority. Without this setting, this filter will not be used.
Example
The following command configures the packet filter’s priority as 3:
priority 3
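
The value ranges, the end-greater-than-start rule, and the 9.0-and-later removal of range for ip protocol documented on this page can be checked before a packet filter is pushed to a device. The Python linter below is an added example, not Cisco code: the function names and the staros_9_plus flag are assumptions, and it checks only the 9.0-and-later form of ip remote-address. Run on the page's own example commands, it reports that ip protocol = 300 falls outside the documented 1 through 255 range.

```python
import ipaddress
import re

DIRECTIONS = {"bi-directional", "downlink", "uplink"}
# The page's own Example commands, gathered into one filter for illustration.
SAMPLE = ["direction downlink", "ip local-port = 456", "ip protocol = 300",
          "ip remote-address = 1.2.3.4/24", "ip remote-port = 789", "priority 3"]

def check_ints(what, args, lo, hi, allow_range=True):
    """Validate '= N' or 'range A to B' against the documented bounds."""
    m = re.fullmatch(r"= (\d+)|range (\d+) to (\d+)", args)
    if not m:
        return f"{what}: unrecognised syntax '{args}'"
    if m.group(2) and not allow_range:
        return f"{what}: 'range' is obsolete in StarOS 9.0 and later"
    values = [int(g) for g in m.groups() if g is not None]
    if any(not lo <= v <= hi for v in values):
        return f"{what}: value outside {lo}-{hi}"
    if len(values) == 2 and values[1] <= values[0]:
        return f"{what}: end must be greater than start"

def check_address(args):
    """Validate '= ip_address' or '= ip_address/mask' (IPv4 or IPv6)."""
    try:
        ipaddress.ip_interface(args[2:] if args.startswith("= ") else "")
    except ValueError:
        return f"ip remote-address: invalid value '{args}'"

def lint_packet_filter(lines, staros_9_plus=True):
    """Return findings for one packet filter's configuration lines."""
    findings, has_priority = [], False
    for words in (line.split() for line in lines if line.strip()):
        n = 2 if words[0] == "ip" else 1  # 'ip <param>' is a two-word command
        cmd, args = " ".join(words[:n]), " ".join(words[n:])
        if cmd == "direction":
            err = None if args in DIRECTIONS else f"direction: unknown value '{args}'"
        elif cmd in ("ip local-port", "ip remote-port"):
            err = check_ints(cmd, args, 1, 65535)
        elif cmd == "ip protocol":
            err = check_ints(cmd, args, 1, 255, allow_range=not staros_9_plus)
        elif cmd == "ip remote-address":
            err = check_address(args)
        elif cmd == "priority":
            has_priority, err = True, check_ints(cmd, "= " + args, 0, 255)
        else:
            err = f"unknown command '{' '.join(words)}'"
        findings.append(err)
    if not has_priority:
        findings.append("priority: not set (needed for TFT use where not deprecated)")
    return [f for f in findings if f]
```

Call lint_packet_filter(SAMPLE) for the 9.0-and-later rules, or pass staros_9_plus=False to accept the 8.x range form of ip protocol.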
 
 

Cisco Systems Inc.
Tel: 408-526-4000
Fax: 408-527-0883