Access Control List Commands
4-115
4
permit, deny (Extended ACL)
This command adds a rule to an Extended IP ACL. The rule sets a filter condition for
packets with specific source or destination IP addresses, protocol types, source or
destination protocol ports, or TCP control codes. Use the no form to remove a rule.
Syntax
[no] {permit | deny} [protocol-number | udp]
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [tos tos] [dscp dscp]
[source-port sport [bitmask]] [destination-port dport [port-bitmask]]
[no] {permit | deny} tcp
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [tos tos] [dscp dscp]
[source-port sport [bitmask]] [destination-port dport [port-bitmask]]
[control-flag control-flags flag-bitmask]
• protocol-number – A specific protocol number. (Range: 0-255)
• source – Source IP address.
• destination – Destination IP address.
• address-bitmask – Decimal number representing the address bits to match.
• host – Keyword followed by a specific IP address.
• precedence – IP precedence level. (Range: 0-7)
•tos – Type of Service level. (Range: 0-15)
• dscp – DSCP priority level. (Range: 0-64)
• sport – Protocol* source port number. (Range: 0-65535)
• dport – Protocol* destination port number. (Range: 0-65535)
• port-bitmask – Decimal number representing the port bits to match.
(Range:
0-65535)
• control-flags – Decimal number (representing a bit string) that specifies flag
bits in byte 14 of the TCP header. (Range: 0-63)
• flag-bitmask – Decimal number representing the code bits to match.
* Includes TCP, UDP or other protocol types.
Default Setting
None
Command Mode
Extended ACL
Command Usage
• All new rules are appended to the end of the list.
• Address bitmasks are similar to a subnet mask, containing four integers from
0 to 255, each separated by a period. The binary mask uses 1 bits to indicate
To Next Page
Loading...
Need help?
General