Access Security Guide K/KA/KB.15.15

NOTE: To insert a new ACE between two existing ACEs in an extended, numbered
ACL:
1. Use ip access-list extended <100-199> to open the ACL as a named ACL.
2. Enter the desired sequence number along with the ACE statement you want.
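As an added example that is not from the guide, the two steps above applied to a hypothetical extended ACL 101 on an HP switch; the switch prompt, addresses, and sequence numbers are made up for illustration.

```text
; Added example, not from the guide. Prompt, ACL number, addresses and
; sequence numbers are hypothetical.
; Existing extended ACL 101 with two ACEs at sequence numbers 10 and 20:
HP-Switch(config)# ip access-list extended 101
HP-Switch(config-ext-nacl)# 10 permit tcp 10.10.10.0/24 host 10.20.20.5
HP-Switch(config-ext-nacl)# 20 permit ip 10.10.10.0/24 any
HP-Switch(config-ext-nacl)# exit

; Step 1: reopen numbered ACL 101 as a named ACL.
HP-Switch(config)# ip access-list extended 101
; Step 2: give the new ACE a sequence number between 10 and 20 so it is
; evaluated before the broad permit at 20. Host 10.10.10.7 keeps TCP access
; to 10.20.20.5 (matched first by ACE 10) but loses everything else.
HP-Switch(config-ext-nacl)# 15 deny ip host 10.10.10.7 any
HP-Switch(config-ext-nacl)# exit

; Resulting order: 10 permit tcp, 15 deny ip (one host), 20 permit ip.
; Packets matching none of these fall through to the ACL's implicit deny.
```

Because ACEs are evaluated in sequence-number order, an exception such as ACE 15 only takes effect if its number places it ahead of the broader ACE it is meant to override.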
For a match to occur, a packet must have the source and destination addressing
criteria specified in the ACE, as well as:
• The protocol-specific criteria configured in the ACE, including any included,
optional elements (described later in this section).
• Any (optional) precedence and/or ToS settings configured in the ACE.
<100-199>
Specifies the ACL ID number. The switch interprets a numeric ACL with a value in
this range as an extended ACL.
<deny | permit>
Specifies whether to deny (drop) or permit (forward) a packet that matches the
criteria specified in the ACE, as described below.
<ip | ip-protocol | ip-protocol-nbr>
Specifies the packet protocol type required for a match. An extended ACL must
include one of the following:
ip — any IPv4 packet.
ip-protocol — any one of the following IPv4 protocol names:
ah, esp, gre, icmp*, igmp*, ip-in-ip, ipv6-in-ip, ospf, pim, sctp, tcp*, udp*, vrrp
* For TCP, UDP, ICMP, and IGMP, additional criteria can be specified, as
described later in this section.
ip-protocol-nbr — the protocol number of an IPv4 packet type, such as
"8" for Exterior Gateway Protocol or "121" for Simple Message Protocol. (For
a listing of IPv4 protocol numbers and their corresponding protocol names,
see the IANA "Protocol Number Assignment Services" at www.iana.com.)
(Range: 0 - 255)
<any | host <SA> | SA/mask-length | SA <mask>>
272 IPv4 Access Control Lists (ACLs)