CLI Guide

extended access-lists. This mechanism copies all incoming or outgoing packets on
one port and forwards (mirrors) them to another port. The source port is the
monitored port (MD) and the destination port is the monitoring port (MG).
Related Commands
deny — configures a filter to drop packets.
permit — configures a filter to forward packets.
seq — assigns a sequence number to a deny or permit filter in an IP access list
while creating the filter.
Extended IP ACL Commands
When an ACL is created without any rule and then applied to an interface, ACL behavior reflects an
implicit permit.
The following commands configure extended IP ACLs, which, in addition to the IP address, also examine
the packet’s protocol type.
The switch supports both Ingress and Egress IP ACLs.
NOTE: Also refer to the Commands Common to all ACL Types and Common IP ACL Commands
sections.
deny (for Extended IP ACLs)
Configure a filter that drops IP packets meeting the filter criteria.
Syntax
deny {ip | ip-protocol-number} {source mask | any | host ip-address}
{destination mask | any | host ip-address} [count [byte]] [dscp value]
[order] [monitor] [fragments] [log [interval minutes]
[threshold-in-msgs [count]] [monitor]
To remove this filter, you have two choices:
Use the no seq sequence-number command if you know the filter’s sequence number.
Use the no deny {ip | ip-protocol-number} {source mask | any | host ip-address} {destination mask | any | host ip-address} command.
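The following is an added example, not part of this guide or the switch software: a small Python model of how filters written in the deny/permit form above are matched against packets, including the implicit permit of an empty ACL. Assumptions not stated on this page: the `seq N` prefix form of a rule, `mask` given as a dotted network mask, evaluation in ascending sequence order, an implicit deny when a non-empty ACL matches nothing, and all function names and sample addresses.

```python
import ipaddress

def parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Assumption: 'mask' is a dotted network mask (255.255.255.0), not a wildcard.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_rule(line):
    """Parse 'seq N {deny|permit} {ip|protocol-number} <source> <destination>'."""
    t = line.split()
    if t[0] != "seq" or t[2] not in ("deny", "permit"):
        raise ValueError(f"unsupported rule: {line!r}")
    proto = None if t[3] == "ip" else int(t[3])  # 'ip' matches every protocol
    src, rest = parse_addr(t[4:])
    dst, rest = parse_addr(rest)
    return {"seq": int(t[1]), "action": t[2], "proto": proto, "src": src, "dst": dst}

def evaluate(rules, proto, src, dst):
    """Return the action of the lowest-numbered rule that matches the packet."""
    if not rules:
        return "permit"  # ACL with no rules applied to an interface: implicit permit
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in sorted(rules, key=lambda r: r["seq"]):
        if r["proto"] in (None, proto) and s in r["src"] and d in r["dst"]:
            return r["action"]
    return "deny"  # assumption: a non-empty ACL ends in an implicit deny

# Constructed sample ACL (documentation addresses; 6 = TCP, 17 = UDP).
ACL = [parse_rule(line) for line in (
    "seq 10 deny 6 10.1.1.0 255.255.255.0 host 192.0.2.10",
    "seq 5 permit 6 host 10.1.1.7 host 192.0.2.10",
    "seq 20 permit ip any any",
)]

if __name__ == "__main__":
    packets = [(6, "10.1.1.7", "192.0.2.10"),   # hits seq 5 before seq 10
               (6, "10.1.1.8", "192.0.2.10"),   # dropped by seq 10
               (17, "10.1.1.8", "192.0.2.10")]  # protocol differs, falls to seq 20
    for pkt in packets:
        print(pkt, evaluate(ACL, *pkt))
```

The empty-ACL case is the one to audit for: an access list that is bound to an interface but has no rules filters nothing.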
Parameters
source Enter the IP address of the network or host from which the
packets were sent.
Access Control Lists (ACL)