Administrator Guide
Access Control Lists 665
[sequence-number] {deny | permit} {every |
  {{ipv4-protocol | 0-255 | every}
   {srcip srcmask | any | host srcip}
   [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}]
   {dstip dstmask | any | host dstip}
   [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}}]
   [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]]
   [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message]
   [igmp-type igmp-type]
   [fragments]
   [precedence precedence | tos tos [tosmask] | dscp dscp]}}
  [time-range time-range-name] [log] [assign-queue queue-id]
  [{mirror | redirect} unit/slot/port] [rate-limit rate burst-size]
Enter the permit and deny conditions for the extended ACL.
• sequence-number — Identifies the order of application of the permit/deny statement. If no sequence number is assigned, permit/deny statements are assigned a sequence number beginning at 1000 and incrementing by 10. Statements are applied in hardware beginning with the lowest sequence number. Sequence numbers apply only within an access group; i.e., the ordering applies within the access-group scope. The range for sequence numbers is 1–2147483647.
• {deny | permit} — Specifies whether the IP ACL rule permits or denies the matching traffic.
• {ipv4-protocol | number | every} — Specifies the protocol to match for the IP ACL rule.
  – IPv4 protocols: eigrp, gre, icmp, igmp, ip, ipinip, ospf, tcp, udp, pim
  – every: Match any protocol (don’t care)
• {srcip srcmask | any | host srcip} — Specifies a source IP address and netmask to match for the IP ACL rule.
  – Specifying “any” implies specifying srcip as “0.0.0.0” and srcmask as “255.255.255.255” for IPv4.
  – Specifying “host A.B.C.D” implies srcip as “A.B.C.D” and srcmask as “0.0.0.0”.
• [{{eq | neq | lt | gt} {portkey | number} | range startport endport}] — Specifies the layer-4 destination port match condition for the IP ACL rule. A destination port number, which ranges from 0–65535, can be entered, or a portkey, which can be one of the following keywords: domain, echo, ftp, ftp-data, http, smtp, snmp, telnet, tftp, and www. Each of these keywords translates into its equivalent destination port number.
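As an added example (not code from the guide or the switch vendor), a small Python parser that applies the rules described above to the permit/deny syntax: it expands any/host the way the guide describes, translates the portkey keywords, checks the documented sequence-number and port ranges, and assigns the default 1000, 1010, ... sequence numbers to unnumbered statements. Assumptions: the port values are the standard IANA numbers, since the guide names the keywords but not their values, and because the guide does not say how explicit and default sequence numbers interact, only unnumbered statements are counted from 1000.

```python
import ipaddress
# Port numbers for the portkey keywords the guide lists (the guide names the
# keywords but not the values; these are the standard IANA assignments).
PORTKEYS = {"domain": 53, "echo": 7, "ftp": 21, "ftp-data": 20, "http": 80,
            "smtp": 25, "snmp": 161, "telnet": 23, "tftp": 69, "www": 80}
ANY = ("0.0.0.0", "255.255.255.255")  # what 'any' expands to per the guide
def port_value(tok):
    """Translate a portkey or numeric port into a port number in 0-65535."""
    port = PORTKEYS[tok] if tok in PORTKEYS else int(tok)
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {tok}")
    return port

def parse_endpoint(tokens):
    """'any' -> 0.0.0.0/255.255.255.255; 'host A.B.C.D' -> A.B.C.D/0.0.0.0."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    ip = tokens.pop(0) if tok == "host" else tok
    mask = "0.0.0.0" if tok == "host" else tokens.pop(0)
    return str(ipaddress.IPv4Address(ip)), str(ipaddress.IPv4Address(mask))

def parse_port(tokens):
    """Optional layer-4 clause -> (op, low, high), or None when absent."""
    if not tokens or tokens[0] not in ("eq", "neq", "lt", "gt", "range"):
        return None
    op = tokens.pop(0)
    low = port_value(tokens.pop(0))  # 'range' takes a second (end) port
    return op, low, port_value(tokens.pop(0)) if op == "range" else low

def parse_rule(line):
    """Parse one extended-ACL permit/deny statement into a dict."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    if seq is not None and not 1 <= seq <= 2147483647:
        raise ValueError(f"sequence number out of range: {seq}")
    action, proto = tokens.pop(0), tokens.pop(0)
    rule = {"seq": seq, "action": action, "proto": proto,
            "src": ANY, "sport": None, "dst": ANY, "dport": None}
    if tokens:  # a bare 'permit every' / 'deny every' matches all traffic
        rule["src"], rule["sport"] = parse_endpoint(tokens), parse_port(tokens)
        rule["dst"], rule["dport"] = parse_endpoint(tokens), parse_port(tokens)
    return dict(rule, options=tokens)  # log, fragments, time-range ... verbatim

def number_rules(lines):
    """Default numbering per the guide: 1000, 1010, ... for unnumbered rules."""
    rules = [parse_rule(line) for line in lines]
    for i, rule in enumerate(r for r in rules if r["seq"] is None):
        rule["seq"] = 1000 + 10 * i
    return sorted(rules, key=lambda r: r["seq"])  # hardware applies lowest first
```

Feeding it constructed statements such as "permit tcp any host 10.0.0.5 eq www log" and "50 deny udp 192.168.1.0 0.0.0.255 any range tftp 1023" returns the rules in hardware order with the any/host and portkey expansions made explicit.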