Connectivity Guide
Permit all packets from host
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# deny ip any any fragment
Permit only rst fragments and non-fragmented packets from
host
OS10(config)# ip access-list ABC
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any eq 24
OS10(conf-ipv4-acl)# permit tcp host 10.1.1.1 any fragment
OS10(conf-ipv4-acl)# deny ip any any fragment
To log all packets denied and to override the implicit deny rule and the implicit permit rule for TCP/ UDP fragments, use a similar
conguration. When an ACL lters packets, it looks at the FO to determine whether it is a fragment:
• FO = 0 means it is either the rst fragment or the packet is a non-fragment
• FO > 0 means it is the fragments of the original packet
Assign sequence number to lter
IP ACLs lter on source and destination IP addresses, IP host addresses, TCP addresses, TCP host addresses, UDP addresses, and UDP
host addresses. Trac passes through the lter by lter sequence. Congure the IP ACL by rst entering IP ACCESS-LIST mode and then
assigning a sequence number to the lter.
User-provided sequence number
• Enter IP ACCESS LIST mode by creating an IP ACL in CONFIGURATION mode.
ip access-list access-list-name
• Congure a drop or forward lter in IPV4-ACL mode.
seq sequence-number {deny | permit | remark} {ip-protocol-number | icmp | ip | protocol | tcp
| udp} {source prefix | source mask | any | host} {destination mask | any | host ip-address}
[count [byte]] [fragments]
Auto-generated sequence number
If you are creating an ACL with only one or two lters, you can let the system assign a sequence number based on the order you congure
the lters. The system assigns sequence numbers to lters using multiples of ten values.
• Congure a deny or permit lter to examine IP packets in IPV4-ACL mode.
{deny | permit} {source mask | any | host ip-address} [count [byte]] [fragments]
• Congure a deny or permit lter to examine TCP packets in IPV4-ACL mode.
{deny | permit} tcp {source mask] | any | host ip-address}} [count [byte]] [fragments]
• Congure a deny or permit lter to examine UDP packets in IPV4-ACL mode.
{deny | permit} udp {source mask | any | host ip-address}} [count [byte]] [fragments]
884
Access Control Lists