Skip to content

Latest commit

 

History

History
54 lines (44 loc) · 2.83 KB

arista.md

File metadata and controls

54 lines (44 loc) · 2.83 KB
Raw

Arista

The arista header designation has the following format:

target:: arista [filter name] {standard|extended|object-group|inet6}
  • filter name: defines the name of the arista filter.
  • standard: specifies that the output should be a standard access list
  • extended: specifies that the output should be an extended access list
  • object-group: specifies this is a arista extended access list, and that object-groups should be used for ports and addresses.
  • inet6: specifies the output be for IPv6 only filters.

Term Format

  • action:: The action to take when matched. See Actions section for valid options.
  • address:: One or more network address tokens, matches source or destination.
  • comment:: A text comment enclosed in double-quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • destination-address:: One or more destination address tokens
  • destination-exclude:: Exclude one or more address tokens from the specified destination-address
  • destination-port:: One or more service definition tokens
  • dscp_match:: Match a DSCP number.
  • expiration:: stop rendering this term after specified date. YYYY-MM-DD
  • icmp-code:: Specifies the ICMP code to filter on.
  • icmp-type:: Specify icmp-type code to match, see section ICMP TYPES for list of valid arguments
  • logging:: Specify that this packet should be logged via syslog.
  • name:: Name of the term.
  • option:: See platforms supported Options section.
  • owner:: Owner of the term, used for organizational purposes.
  • platform:: one or more target platforms for which this term should ONLY be rendered. *_platform-exclude:: one or more target platforms for which this term should NEVER be rendered.
  • protocol:: the network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • source-address:: one or more source address tokens.
  • source-exclude:: exclude one or more address tokens from the specified source-address.
  • source-port:: one or more service definition tokens.
  • verbatim:: this specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • established:: Only match established connections, implements tcp-established for tcp and sets destination port to 1024- 65535 for udp if destination port is not defined.
  • is-fragment:: Matches on if a packet is a fragment.
  • tcp-established:: Only match established tcp connections, based on statefull match or TCP flags. Not supported for other protocols.
  • tcp-initial:: Only match initial packet for TCP protocol.