Manualshelf

Quick Reference Guide

ManualsBrandsDell ManualsComputer equipmentPowerConnect B-TI24x
401402403404405406407408409410
PowerConnect B-Series TI24X Configuration Guide 375
53-1002269-02
Configuring extended named ACLs
13
The IP protocol can be one of the following well-known names or any IP protocol number from 0 –
255:
Internet Control Message Protocol (ICMP)
Internet Group Management Protocol (IGMP)
Internet Gateway Routing Protocol (IGRP)
Internet Protocol (IP)
Open Shortest Path First (OSPF)
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IP address to the website’s IP address.
Extended named ACL syntax
Syntax: [no] ip access-list extended <ACL-name> deny | permit <ip-protocol> <source-ip> |
<hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> |
<hostname> [<icmp-num> | <icmp-type>] <wildcard> [<tcp/udp comparison operator>
<destination-tcp/udp-port>] [dscp-marking <0-63> [802.1p-priority-marking <0 –7>... |
[802.1p-and-internal-marking] [internal-priority-marking] [dscp-matching <0-63>] [log]
[precedence <name> | <0 – 7>] [tos <0 – 63> | <name>] [traffic policy <name>]
Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any
Syntax: [no] ip access-group <num> in
The <ACL-name> parameter is the access list name. You can specify a string of up to 256
alphanumeric characters. You can use blanks in the ACL name if you enclose the name in
quotation marks (for example, “ACL for Net1”).
The deny | permit parameter indicates whether packets that match the policy are dropped or
forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify a
well-known name for any protocol whose number is less than 255. For other protocols, you must
enter the number. Enter “?” instead of a protocol to list the well-known names recognized by the
CLI.
The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want
the policy to match on all source addresses, enter any.
The <wildcard> parameter specifies the portion of the source IP host address to match against.
The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of
ones and zeros. Zeros in the mask mean the packet’s source address must match the
<source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values
209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format,
you can enter a forward slash after the IP address, then enter the number of significant bits in the
mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as
“209.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL