User Manual

Setting value        Description
A.B.C.D E.F.G.H      Specifies an IPv4 address (A.B.C.D) with wildcard bits (E.F.G.H)
A.B.C.D/X            Specifies an IPv4 address (A.B.C.D) with subnet mask length (X bits)
host A.B.C.D         Specifies a single IPv4 address (A.B.C.D)
any                  Applies to all IPv4 addresses
dst-port : <0-65535>
If PROTOCOL is specified as tcp or udp, this specifies the destination port number <0-65535> that is the condition. This can also be omitted.

Method of specifying Description
eq X                 Specify port number (X)
range X Y            Specify port numbers (X) through (Y)
[Initial value]
none
[Input mode]
global configuration mode
[Description]
Generates an extended IPv4 access list.
This is useful when you want to filter with more detail (specific protocols + destination information) than the standard IPv4
access list.
Multiple conditions (maximum 39) can be specified for the generated access list.
To apply the generated access list, use the "ip access-group" command of interface mode.
The "no access-list ext-ip-acl-id action protocol src-info [src-port] dst-info [dst-port]" syntax deletes the extended IPv4 access
list that matches all conditions.
The "no access-list ext-ip-acl-id" syntax deletes the extended IPv4 access list that matches ext-ip-acl-id.
[Note]
An access list that is applied to a LAN/SFP port cannot be deleted using the "no" syntax. You must first cancel the application,
and then delete the access list.
The extended IPv4 access list IDs are shared with the MAC access list IDs. This means that if the specified ID is being used by
a MAC access list, it is handled as a command error.
For both src-port and dst-port, you can use "range" to specify a range; however, across the entire system, only one extended IPv4
access list that specifies a range in this way can be applied to an interface by using the "ip access-group" command.
[Example]
Create access list #100 that permits communication from the source segment 192.168.1.0/24 to the destination 172.16.1.1.
SWP1(config)#access-list 100 permit any 192.168.1.0 0.0.0.255 host 172.16.1.1
Delete extended IPv4 access list #100.
SWP1(config)#no access-list 100
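The following is an added example, not part of the manual: a small Python model of the address and port forms described above, useful for checking offline what a single entry will match before applying it. The function names are assumptions, and it evaluates one entry only; it does not model how the switch treats multiple entries or packets that match none.

```python
import ipaddress

def parse_addr(t):
    """Consume one src-info/dst-info spec; return (network, care_mask) as ints."""
    tok = t.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(t.pop(0))), 0xFFFFFFFF
    if "/" in tok:
        net = ipaddress.IPv4Network(tok, strict=False)
        return int(net.network_address), int(net.netmask)
    care = ~int(ipaddress.IPv4Address(t.pop(0))) & 0xFFFFFFFF  # wildcard 1-bits = don't care
    return int(ipaddress.IPv4Address(tok)) & care, care

def parse_port(t):
    """Consume an optional 'eq X' / 'range X Y'; return (lo, hi), or None if omitted."""
    if not t or t[0] not in ("eq", "range"):
        return None
    kind, lo = t.pop(0), int(t.pop(0))
    hi = int(t.pop(0)) if kind == "range" else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("port must be in <0-65535>, range given low to high")
    return lo, hi

def parse_entry(line):
    """Parse 'access-list ID action protocol src-info [src-port] dst-info [dst-port]'."""
    t = line.split()
    kw, acl_id = t.pop(0), int(t.pop(0))
    if kw != "access-list" or not (100 <= acl_id <= 199 or 2000 <= acl_id <= 2699):
        raise ValueError("expected access-list with ID in <100-199> or <2000-2699>")
    action, proto = t.pop(0), t.pop(0)
    ported = proto in ("tcp", "udp")  # port conditions only apply to tcp/udp
    src, sport = parse_addr(t), (parse_port(t) if ported else None)
    dst, dport = parse_addr(t), (parse_port(t) if ported else None)
    if t:
        raise ValueError("unexpected tokens: " + " ".join(t))
    return dict(id=acl_id, action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def matches(e, proto, src, dst, sport=None, dport=None):
    """True if a packet meets every condition of one parsed entry."""
    ip_ok = lambda spec, ip: (int(ipaddress.IPv4Address(ip)) & spec[1]) == spec[0]
    port_ok = lambda rng, p: rng is None or (p is not None and rng[0] <= p <= rng[1])
    return (e["proto"] in ("any", proto) and ip_ok(e["src"], src) and ip_ok(e["dst"], dst)
            and port_ok(e["sport"], sport) and port_ok(e["dport"], dport))

# MANUAL is the entry from the example above; SAMPLE is constructed for illustration.
MANUAL = parse_entry("access-list 100 permit any 192.168.1.0 0.0.0.255 host 172.16.1.1")
SAMPLE = parse_entry("access-list 101 permit tcp any 10.0.0.0/8 range 8000 8080")
```

For instance, matches(MANUAL, "tcp", "192.168.1.57", "172.16.1.1") is True, while the same call with source 192.168.2.57 is False because the third octet falls outside the wildcard bits.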
13.1.5 Add comment to extended IPv4 access list
[Syntax]
access-list ext-ip-acl-id remark line
no access-list ext-ip-acl-id remark
[Parameter]
ext-ip-acl-id : <100-199>, <2000-2699>