Quick Reference Guide
PowerConnect B-Series TI24X Configuration Guide 375
53-1002269-02
Configuring extended named ACLs
13
The IP protocol can be one of the following well-known names or any IP protocol number from 0 – 255:
• Internet Control Message Protocol (ICMP)
• Internet Group Management Protocol (IGMP)
• Internet Gateway Routing Protocol (IGRP)
• Internet Protocol (IP)
• Open Shortest Path First (OSPF)
• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
For TCP and UDP, you also can specify a comparison operator and port name or number. For
example, you can configure a policy to block web access to a specific website by denying all TCP
port 80 (HTTP) packets from a specified source IP address to the website’s IP address.
Extended named ACL syntax
Syntax: [no] ip access-list extended <ACL-name> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> [<icmp-num> | <icmp-type>] <wildcard> [<tcp/udp comparison operator> <destination-tcp/udp-port>] [dscp-marking <0-63> [802.1p-priority-marking <0-7>... | [802.1p-and-internal-marking] [internal-priority-marking] [dscp-matching <0-63>] [log] [precedence <name> | <0-7>] [tos <0-63> | <name>] [traffic policy <name>]
Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any
Syntax: [no] ip access-group <num> in
The <ACL-name> parameter is the access list name. You can specify a string of up to 256
alphanumeric characters. You can use blanks in the ACL name if you enclose the name in
quotation marks (for example, “ACL for Net1”).
The deny | permit parameter indicates whether packets that match the policy are dropped or
forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify a
well-known name for any protocol whose number is less than 255. For other protocols, you must
enter the number. Enter “?” instead of a protocol to list the well-known names recognized by the
CLI.
The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want
the policy to match on all source addresses, enter any.
The <wildcard> parameter specifies the portion of the source IP host address to match against.
The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of
ones and zeros. Zeros in the mask mean the packet’s source address must match the
<source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values
209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.
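The wildcard semantics above (zero bits must match, one bits are ignored) and the port 80 blocking policy from earlier in this section, modelled as an added Python example that is not part of the guide or the switch software. It assumes first-match evaluation with an implicit deny when no entry matches, which this excerpt does not state, and uses constructed addresses (192.0.2.10 as the web server).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

def cidr_to_wildcard(prefix_len: int) -> str:
    """Convert a CIDR prefix length to the ACL wildcard mask: /24 -> 0.0.0.255."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def wildcard_match(packet_ip: str, acl_ip: str, wildcard: str) -> bool:
    """Zero bits in the wildcard must equal acl_ip; one bits match any value."""
    p, a, w = (int(ipaddress.IPv4Address(x)) for x in (packet_ip, acl_ip, wildcard))
    care = 0xFFFFFFFF ^ w                # the bits the ACL actually compares
    return (p & care) == (a & care)

@dataclass
class Entry:
    """One extended ACL line: protocol, source/destination with wildcards, optional 'eq' port."""
    action: str                          # "permit" or "deny"
    protocol: str                        # "ip" matches every IP protocol
    src_ip: str
    src_wildcard: str
    dst_ip: str
    dst_wildcard: str
    dst_port: Optional[int] = None       # "eq <port>" on the TCP/UDP destination port

ANY = ("0.0.0.0", "255.255.255.255")     # the keyword "any": every bit is don't-care

def host(ip: str):
    return (ip, "0.0.0.0")               # the keyword "host <ip>": every bit must match

def entry_matches(e: Entry, pkt: dict) -> bool:
    if e.protocol != "ip" and e.protocol != pkt["protocol"]:
        return False
    if not wildcard_match(pkt["src"], e.src_ip, e.src_wildcard):
        return False
    if not wildcard_match(pkt["dst"], e.dst_ip, e.dst_wildcard):
        return False
    return e.dst_port is None or pkt.get("dport") == e.dst_port

def evaluate(acl, pkt: dict) -> str:
    """First matching entry decides; no match falls through to the implicit deny (assumed)."""
    for e in acl:
        if entry_matches(e, pkt):
            return e.action
    return "deny"

# Constructed policy: block HTTP from the 209.157.22.x subnet to one web server, allow the rest.
WEB_ACL = [
    Entry("deny", "tcp", "209.157.22.26", cidr_to_wildcard(24), *host("192.0.2.10"), dst_port=80),
    Entry("permit", "ip", *ANY, *ANY),
]
```

Note that the deny entry only catches TCP to port 80; the same client reaching the server over UDP or another TCP port falls through to the permit line, so a policy that should cover all access needs entries for each protocol and port it is meant to block.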
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format,
you can enter a forward slash after the IP address, then enter the number of significant bits in the
mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as
“209.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL