Users Guide
Access Control Lists 727
[sequence-number] {deny | permit}
    {{ipv4-protocol | 0-255 | every}
     {srcip srcmask | any | host srcip}
     [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}]
     {dstip dstmask | any | host dstip}
     [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}]
     [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]]
     [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message]
     [igmp-type igmp-type] [fragments]
     [precedence precedence | tos tos [tosmask] | dscp dscp]}}
    [time-range time-range-name] [log]
    [assign-queue queue-id] [{mirror | redirect} interface]
    [rate-limit rate burst-size]
Enter the permit and deny conditions for the extended ACL.
• sequence-number — Identifies the order of application of the permit/deny statement. If no sequence number is assigned, permit/deny statements are assigned a sequence number beginning at 1000 and incrementing by 10. Statements are applied in hardware beginning with the lowest sequence number. Sequence numbers apply only within an access group; i.e., the ordering applies within the access-group scope. The range for sequence numbers is 1–2147483647.
• {deny | permit} — Specifies whether the IP ACL rule permits or denies the matching traffic.
• {ipv4-protocol | number | every} — Specifies the protocol to match for the IP ACL rule.
  – IPv4 protocols: eigrp, gre, icmp, igmp, ip, ipinip, ospf, sctp, tcp, udp, pim, arp
  – number: a protocol number in decimal, e.g. 8 for EGP
  – every: Match any protocol (don’t care)
• srcip srcmask | any | host srcip — Specifies a source IP address and netmask to match for the IP ACL rule.
  – Specifying “any” implies specifying srcip as “0.0.0.0” and srcmask as “255.255.255.255” for IPv4.
  – Specifying “host A.B.C.D” implies srcip as “A.B.C.D” and srcmask as “0.0.0.0”.
• [{{eq | neq | lt | gt} {portkey | number} | range startport endport}] — Specifies the layer-4 source or destination port match condition for the TCP or UDP ACL rule. A port number, which ranges from 0 to 65535, can be entered, or a portkey, which can be one of the following keywords: domain, echo, ftp, ftp-data, http, smtp, snmp, telnet, tftp, www, bgp, pop2, pop3, ntp, rip, time, and who. Each of these keywords translates into its equivalent port number. A port match is only valid for the TCP and UDP protocols.
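To make the sequence-number ordering and the “any”/“host” mask expansions concrete, here is an added Python model (not the switch’s own code) that parses a few constructed extended-ACL statements in a subset of this syntax (eq port clauses only), assigns default sequence numbers as described above, and evaluates packets lowest-sequence-first. The portkey values are the standard IANA port numbers; numbering unnumbered statements in file order from 1000 by 10 is a simplifying assumption.

```python
import ipaddress

# Port keywords listed on the page, mapped to their standard IANA port numbers.
PORTKEYS = {"domain": 53, "echo": 7, "ftp": 21, "ftp-data": 20, "http": 80,
            "smtp": 25, "snmp": 161, "telnet": 23, "tftp": 69, "www": 80,
            "bgp": 179, "pop2": 109, "pop3": 110, "ntp": 123, "rip": 520,
            "time": 37, "who": 513}

# Constructed sample ACL; mixes explicit and unnumbered statements on purpose.
ACL_TEXT = """
20 deny tcp 192.168.1.0 0.0.0.255 any eq telnet
permit tcp host 10.0.0.5 any eq telnet
30 permit udp any any eq ntp
deny every any any
"""

def _addr(tok):
    """Consume a src/dst spec; return (address, wildcard mask) as ints."""
    t = tok.pop(0)
    if t == "any":                      # any = 0.0.0.0 mask 255.255.255.255
        return 0, 0xFFFFFFFF
    if t == "host":                     # host A.B.C.D = A.B.C.D mask 0.0.0.0
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0)))

def _port(tok):
    """Consume an optional 'eq {portkey | number}' clause; None = any port."""
    if tok and tok[0] == "eq":
        tok.pop(0)
        p = tok.pop(0)
        return PORTKEYS[p] if p in PORTKEYS else int(p)
    return None

def parse_acl(text):
    """Return statements sorted by sequence number (lowest applied first)."""
    rules, next_seq = [], 1000          # assumption: unnumbered lines get 1000, 1010, ...
    for line in text.strip().splitlines():
        tok = line.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else next_seq
        next_seq += 10 if seq >= 1000 and seq == next_seq else 0
        action, proto = tok.pop(0), tok.pop(0)
        src, sport = _addr(tok), _port(tok)
        dst, dport = _addr(tok), _port(tok)
        rules.append((seq, action, proto, src, sport, dst, dport))
    return sorted(rules, key=lambda r: r[0])

def _hit(ip, spec):
    """Wildcard match: bits set in the mask are don't-care."""
    return ((ip ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0

def evaluate(rules, proto, src, sport, dst, dport):
    """Return (sequence, action) of the first matching statement, else None."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for seq, action, rp, rsrc, rsp, rdst, rdp in rules:
        if rp in ("every", proto) and _hit(s, rsrc) and _hit(d, rdst) \
                and rsp in (None, sport) and rdp in (None, dport):
            return seq, action
    return None
```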