Command Line Reference Guide
Access Control Lists (ACL) | 223
Extended IP ACL Commands
When an ACL is created without any rule and then applied to an interface, ACL behavior reflects an
implicit permit.
The following commands configure extended IP ACLs, which in addition to the IP address also
examine the packet’s protocol type.
c and s platforms support Ingress IP ACLs only.
• deny
• deny arp
• deny ether-type
• deny icmp
• deny tcp
• deny udp
• ip access-list extended
• permit
• permit arp
• permit ether-type
• permit icmp
• permit tcp
• permit udp
• resequence access-list
• resequence prefix-list ipv4
• seq arp
• seq ether-type
• seq
deny
c e s
Configure a filter that drops IP packets meeting the filter criteria.
Syntax
deny {ip | ip-protocol-number} {source mask | any | host ip-address} {destination mask |
any | host ip-address} [count [byte] | log] [dscp value] [order] [monitor] [fragments]
To remove this filter, you have two choices:
• Use the no seq sequence-number command syntax if you know the filter’s sequence number or
• Use the no deny {ip | ip-protocol-number} {source mask | any | host ip-address}
{destination mask | any | host ip-address} command.
Parameters
Note: See also Commands Common to all ACL Types and Common IP ACL Commands.
ip Enter the keyword ip to configure a generic IP access list. The keyword ip
specifies that the access list will deny all IP protocols.
ip-protocol-number
Enter a number from 0 to 255 to deny based on the protocol identified in the IP
protocol header.