5000 Series Layer 2/3 Managed Data Center Switch CLI Reference Guide
IP Access Control List Commands
This section describes the commands you use to configure IP Access Control List (ACL) settings. IP
ACLs ensure that only authorized users have access to specific resources and block any unwarranted
attempts to reach network resources.
The following rules apply to IP ACLs:
• D-LINK OS software does not support IP ACL configuration for IP packet fragments.
• The maximum number of ACLs you can create is hardware dependent. The limit applies to all ACLs, regardless of type.
• The maximum number of rules per IP ACL is hardware dependent.
• If a MAC ACL is configured on an interface, you cannot configure an IP ACL on the same interface.
• Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for the network address, and has zeros (0's) for the bit positions that are not used. In contrast, a wildcard mask has zeros (0's) in each bit position that must be checked. A 1 in a bit position of the ACL mask indicates that the corresponding bit can be ignored.
12-72 access-list
This command creates an IP Access Control List (ACL) that is identified by the access list number, which
is 1-99 for standard ACLs or 100-199 for extended ACLs.
Note:
IPv4 extended ACLs have the following limitations for egress ACLs:
• Match on port ranges is not supported.
• The rate-limit command is not supported.
Use the no command to delete from the system the IP ACL identified by the parameter accesslistnumber. The range for accesslistnumber is 1-99 for standard access lists and 100-199 for extended access lists.
IP Standard ACL:
access-list 1-99 {remark comment} | {[sequence-number]} [rule 1-1023] {deny | permit} {every | srcip srcmask} [log] [time-range time-range-name] [assign-queue queue-id] [{mirror | redirect} slot/port] [redirectExtAgent agent-id] [rate-limit rate burst-size]
IP Extended ACL:
access-list 100-199 {remark comment} | {[sequence-number]} [rule 1-1023] {deny | permit} {every | {{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} {srcip srcmask | any | host srcip} [range {portkey | startport} {portkey | endport} {eq | neq | lt | gt} {portkey | 0-65535}] {dstip dstmask | any | host dstip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]}} [time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} slot/port] [rate-limit rate burst-size]
no access-list accesslistnumber [rule 1-1023]
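To make the wildcard-mask rule above and the standard ACL syntax concrete, here is an added Python example (not D-Link OS code) that converts a subnet mask to its wildcard form, checks an address against srcip/srcmask the way the bullet describes (0 bit must match, 1 bit is ignored), and evaluates a small constructed standard ACL in rule order. The sample ACL lines and the fall-through to an implicit deny when no rule matches are assumptions for this illustration, not statements from the page.

```python
import ipaddress

# Constructed sample standard ACL (number 10); not taken from the page.
SAMPLE_ACL = [
    "access-list 10 deny 192.168.1.0 0.0.0.255",
    "access-list 10 rule 2 permit 192.168.0.0 0.0.255.255",
]

def subnet_to_wildcard(subnet_mask: str) -> str:
    """Invert a dotted-decimal subnet mask into the ACL wildcard (srcmask) form."""
    inverted = int(ipaddress.IPv4Address(subnet_mask)) ^ 0xFFFFFFFF
    return str(ipaddress.IPv4Address(inverted))

def wildcard_match(addr: str, srcip: str, srcmask: str) -> bool:
    """True when addr matches srcip under wildcard srcmask: a 0 bit in the
    wildcard must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    s = int(ipaddress.IPv4Address(srcip))
    care = int(ipaddress.IPv4Address(srcmask)) ^ 0xFFFFFFFF  # bits that must match
    return (a & care) == (s & care)

def parse_standard_acl(lines):
    """Parse 'access-list 1-99 [rule N] {deny|permit} {every | srcip srcmask}'
    lines into (action, srcip, srcmask) tuples, in the order given."""
    rules = []
    for line in lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or not 1 <= int(tok[1]) <= 99:
            raise ValueError(f"not a standard IP ACL rule: {line!r}")
        i = 2
        if tok[i] == "rule":          # optional explicit rule number
            i += 2
        action = tok[i]
        if action not in ("deny", "permit"):
            raise ValueError(f"unknown action in {line!r}")
        if tok[i + 1] == "every":     # 'every' matches any source address
            rules.append((action, "0.0.0.0", "255.255.255.255"))
        else:
            rules.append((action, tok[i + 1], tok[i + 2]))
    return rules

def evaluate(rules, src_addr: str) -> str:
    """First matching rule decides. No match falls through to an implicit
    deny, which is assumed here (conventional ACL behaviour, not stated on the page)."""
    for action, srcip, srcmask in rules:
        if wildcard_match(src_addr, srcip, srcmask):
            return action
    return "deny"
```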