Rule-Based IP Access Control Lists (ACLs)
December 2005
© Foundry Networks, Inc.
12 - 15
Extended Named ACL Syntax
Syntax:
[no] ip access-list extended <acl-name>
deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> [<icmp-num> | <icmp-type>] <wildcard> [<tcp/udp comparison operator> <destination-tcp/udp-port>] [dscp-cos-mapping] [dscp-marking <0-63> [802.1p-priority-marking <0-7>... | dscp-cos-mapping]] [dscp-matching <0-63>] [log] [precedence <name> | <0-7>] [tos <0-63> | <name>] [traffic policy <name>]
Syntax:
[no] access-list <num> deny | permit host <ip-protocol> any any
Syntax:
[no] ip access-group <num> in
The <acl-name> parameter is the access list name. You can specify a string of up to 256 alphanumeric
characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL
for Net1”).
The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.
The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify a well-known name
for any protocol whose number is less than 255. For other protocols, you must enter the number. Enter “?”
instead of a protocol to list the well-known names recognized by the CLI.
The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any.
The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is
a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask
mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example,
the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet
209.157.22.x match the policy.
If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a
forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can
enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”. The CLI automatically converts
the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and
changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or
209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24
(if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.
If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.
NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with the subnet mask in the display produced by the show ip access-list command.
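As an added illustration (not from the Foundry guide), this Python models the wildcard-mask semantics and the CIDR-to-wildcard normalization described above, using the guide's 209.157.22.26 0.0.0.255 example; the function names are my own, and display_entry only mirrors the two saved forms the text describes.

```python
import ipaddress

def cidr_to_wildcard(prefix_len):
    """Inverted mask for a /prefix_len, as the CLI derives it: 24 -> '0.0.0.255'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0-32")
    return str(ipaddress.IPv4Address((1 << (32 - prefix_len)) - 1))

def is_contiguous_wildcard(wildcard):
    """True if the wildcard is a run of trailing ones (i.e. it has a CIDR equivalent)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return w == (1 << w.bit_length()) - 1

def wildcard_to_prefix(wildcard):
    """Prefix length for a contiguous wildcard; a non-contiguous wildcard
    such as 0.0.255.0 is legal in an ACL entry but has no '/<mask-bits>' form."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"wildcard {wildcard} is not contiguous; no CIDR form")
    return 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()

def normalize_entry(entry):
    """Accept 'a.b.c.d/len' or 'a.b.c.d w.x.y.z' and return (address, wildcard)
    with the non-significant host bits zeroed, as the saved config shows them."""
    if "/" in entry:
        addr, plen = entry.split("/")
        wildcard = cidr_to_wildcard(int(plen))
    else:
        addr, wildcard = entry.split()
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wildcard))
    return str(ipaddress.IPv4Address(a & ~w & 0xFFFFFFFF)), wildcard

def display_entry(entry, show_subnet_length=False):
    """Render as in the startup-config (modelled on the text): '/<mask-bits>' when
    ip show-subnet-length is enabled, otherwise address plus dotted wildcard."""
    addr, wildcard = normalize_entry(entry)
    if show_subnet_length:
        return f"{addr}/{wildcard_to_prefix(wildcard)}"
    return f"{addr} {wildcard}"

def matches(packet_ip, acl_ip, wildcard):
    """Zero bits in the wildcard must match the ACL address; one bits are 'don't care'."""
    p = int(ipaddress.IPv4Address(packet_ip))
    a = int(ipaddress.IPv4Address(acl_ip))
    w = int(ipaddress.IPv4Address(wildcard))
    return (p & ~w) == (a & ~w)
```

Typing a subnet mask such as 255.255.255.0 where the wildcard belongs inverts the intent (only the last octet is then compared), so running matches() over a few sample addresses is a quick sanity check before an entry is applied.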
The <destination-ip> | <hostname> parameter specifies the destination IP host for the policy. If you want the policy to match on all destination addresses, enter any.
The <icmp-type> | <icmp-num> parameter specifies the ICMP protocol type.
• This parameter applies only if you specified icmp as the <ip-protocol> value.
• If you use this parameter, the ACL entry is sent to the CPU for processing.
• If you do not specify a message type, the ACL applies to all types of ICMP messages.
The <icmp-num> parameter can be a value from 0 – 255.
The <icmp-type> parameter can have one of the following values, depending on the software version the device is running:
• any-icmp-type