Access Security Guide K/KA/KB.15.15
This is the second instance of IPv4 addressing in an extended ACE. It follows the
first (SA) instance, described earlier, and defines the destination address (DA) that
a packet must carry in order to have a match with the ACE.
• any
Allows routed IPv4 packets to any DA.
• host<DA>
Specifies only packets having DAas the destination address. Use this criterion
when you want to match only the IPv4 packets for a single DA.
• DA/mask-length or DA<mask>
Specifies packets intended for a destination address, where the address is
either a subnet or a group of addresses. The mask format can be in either
dotted-decimal format or CIDR format (number of significant bits). See “How
an ACE uses a mask to screen packets for matches” (page 322).
DA Mask application
The mask is applied to the DA in the ACL to define which bits in a packet's
DA must exactly match the DA configured in the ACL and which bits need not
match.
[ precedence <0 – 7 ] | [precedence–name>]
This option can be used after the DA to cause the ACE to match packets with the
specified IP precedence value. Values can be entered as the following IP precedence
numbers or alphanumeric names:
0 or routine
1 " priority
2 " immediate
3 " flash
4 " flash-override
5 " critical
6 " internet (for internetwork control)
7 " network (for network control)
Note: The precedence criteria described in this section are applied in addition to
any other selection criteria configured in the same ACE.
[tos < tos-setting >]
This option can be used after the DA to cause the ACE to match packets with the
specified Type-of-Service (ToS) setting. ToS values can be entered as the following
numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names:
0 or normal
2 " max-reliability
4 " max-throughput
6
8 " minimize-delay
Note: The ToS criteria in this section are applied in addition to any other criteria
configured in the same ACE.
[ log ]
266 IPv4 Access Control Lists (ACLs)