Foundry NetIron M2404C and M2404F Metro Access Switches
Configuring ACLs (Rev. 03)
Overview
© 2008 Foundry Networks, Inc
Page 16 of 50
• ICMP code in the ICMP packet header (see Table 9 for valid literal values).
• VLAN Priority Tag (VPT) in the VLAN tag header.
To distinguish extended Access Control Lists from the other types of Access Control Lists, extended ACLs are created with acl-number values in the range 100 to 199.
NOTE
An ACL number in the range <100-199> should be used with the IGMP protocol only when IGMP Snooping is disabled. If IGMP Snooping is enabled, use ACL numbers in the range <300-399>. For more information regarding IGMP Snooping see "Configuring Multicast Layer 2".
Command Syntax
device-name(config)# access-list <acl-number> {deny | permit} {icmp | igmp | ip | tcp | udp | <protocol-number>} SOURCE [SOURCE-WILDCARD] DESTINATION [DESTINATION-WILDCARD] [tos <tos>] [precedence <precedence>] [vpt <priority>] [provider-vlan <vlan-id> <wildcard-mask>] [vlan <vlan-id> <wildcard-mask>] [untagged] [provider-vpt <priority>]
device-name(config)# no access-list <acl-number>
For ICMP, the user can also use the following syntax:
device-name(config)# access-list <acl-number> {deny | permit} icmp SOURCE [SOURCE-WILDCARD] DESTINATION [DESTINATION-WILDCARD] [<icmp-type> [<icmp-code>]] [tos <tos>] [precedence <precedence>] [vpt <priority>] [provider-vlan <vlan-id> <wildcard-mask>] [vlan <vlan-id> <wildcard-mask>] [untagged] [provider-vpt <priority>]
device-name(config)# no access-list <acl-number>
For TCP, the user can also use the following syntactic forms:
device-name(config)# access-list <acl-number> {deny | permit} tcp SOURCE [SOURCE-WILDCARD] [eq <port>] DESTINATION [DESTINATION-WILDCARD] [eq <port>] [tos <tos>] [precedence <precedence>] [vpt <priority>] [established] [provider-vlan <vlan-id> <wildcard-mask>] [vlan <vlan-id> <wildcard-mask>] [untagged] [provider-vpt <priority>]
device-name(config)# no access-list <acl-number>
For UDP, the user can also use the following syntax:
device-name(config)# access-list <acl-number> {deny | permit} udp SOURCE [SOURCE-WILDCARD] [eq <port>] DESTINATION [DESTINATION-WILDCARD] [eq <port>] [tos <tos>] [vpt <priority>] [precedence <precedence>] [provider-vlan <vlan-id> <wildcard-mask>] [vlan <vlan-id> <wildcard-mask>] [untagged] [provider-vpt <priority>]
device-name(config)# no access-list <acl-number>
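The following configuration is a worked example added here to show the four syntactic forms above used together in one list; it is not taken from the Foundry manual. The policy, the ACL number 110, the addresses (an untrusted segment 10.20.0.0/16 facing a protected management segment 10.1.0.0/16) and the ports are hypothetical. It assumes that a wildcard of 0.0.0.0 selects a single host, that numeric ICMP types are accepted in place of the literal names in Table 9, and that the list ends with the usual implicit deny.

```text
device-name(config)# access-list 110 permit tcp 10.20.0.0 0.0.255.255 10.1.0.0 0.0.255.255 established
device-name(config)# access-list 110 permit tcp 10.20.5.0 0.0.0.255 10.1.0.10 0.0.0.0 eq 22
device-name(config)# access-list 110 permit udp 10.20.0.0 0.0.255.255 10.1.0.53 0.0.0.0 eq 53
device-name(config)# access-list 110 permit icmp 10.20.0.0 0.0.255.255 10.1.0.0 0.0.255.255 3
device-name(config)# access-list 110 deny ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
```

Read top to bottom: the first entry lets replies to TCP sessions opened from the management segment come back in (established matches segments with the ACK or RST bit set; it does not track connection state, so a crafted segment with ACK set also matches, and the keyword is not a substitute for a stateful filter); the second and third open SSH to a single management host from a jump subnet and DNS to a single resolver; the fourth permits ICMP type 3 (destination unreachable) with any code, since the icmp-code argument is optional, so path MTU discovery keeps working while every other ICMP type falls through to the closing entry; the last entry makes the trailing deny explicit. If the same list needed an igmp entry it could stay in the 100-199 range only with IGMP Snooping disabled; with snooping enabled the list must be numbered in the 300-399 range, as the note above states. The list filters nothing until it is bound to an interface, which this section does not cover.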
Argument Description
acl-number
Number of the ACL. Valid values are in the range <100-199>.