Users Guide
Layer 2 Switching Commands 277
Syntax
[sequence-number] {deny | permit} {ipv4-protocol | 0-255 | every} {srcip srcmask | any | host srcip}
[{range {portkey | startport} {portkey | endport}} | {eq | neq | lt | gt} {portkey | 0-65535}]
{dstip dstmask | any | host dstip}
[{range {portkey | startport} {portkey | endport}} | {eq | neq | lt | gt} {portkey | 0-65535}]
[flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]]
[icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type]
[fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]}}
[time-range time-range-name] [log] [assign-queue queue-id] [{mirror | redirect} interface-id]
[rate-limit rate burst-size]
no <sequence-number>
• [sequence-number]—Identifies the order of application of the permit/deny statement. If no sequence number is assigned, permit/deny statements are assigned a sequence number beginning at 1000 and incrementing by 10. Statements are applied in hardware beginning with the lowest sequence number. Sequence numbers only have applicability within an access group, i.e., the ordering applies within the access-group scope. The range for sequence numbers is 1–2147483647.
• {deny | permit}—Specifies whether the IP ACL rule permits or denies the matching traffic.
• {ipv4-protocol | number | every}—Specifies the protocol to match for the IP ACL rule.
– IPv4 protocols: eigrp, gre, icmp, igmp, ip, ipinip, ospf, tcp, udp, pim, arp, sctp
– number: a protocol number in decimal, for example, 8 for EGP
– every: match any protocol (don’t care)
• srcip srcmask | any | host srcip—Specifies a source IP address and netmask to match for the IP ACL rule.
– Specifying “any” implies specifying srcip as “0.0.0.0” and srcmask as “255.255.255.255” for IPv4.
– Specifying “host A.B.C.D” implies srcip as “A.B.C.D” and srcmask as “0.0.0.0”.
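The following is an added example, not code from the guide or the switch firmware: a small Python model of the rule semantics above (default sequence numbers starting at 1000 and stepping by 10, lowest-sequence-first application, and the expansion of “any” and “host” into address/mask pairs). It assumes a simplified rule with only protocol, source and destination, and uses constructed sample rules.

```python
import ipaddress

# Added example (not the guide's own code): a small model of the rule semantics
# above: default sequence numbers, lowest-sequence-first application, any/host
# expansion. Assumed simplification: only protocol, source and destination.
def _ip(s): return int(ipaddress.IPv4Address(s))

def parse_addr(tokens):
    """Consume one address spec; return (ip, wildcard mask) as integers."""
    t = tokens.pop(0)
    if t == "any":                     # any == 0.0.0.0 with mask 255.255.255.255
        return 0, 0xFFFFFFFF
    if t == "host":                    # host A.B.C.D == A.B.C.D with mask 0.0.0.0
        return _ip(tokens.pop(0)), 0
    return _ip(t), _ip(tokens.pop(0))  # explicit srcip srcmask

def parse_rule(line):
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
    action, proto = tokens.pop(0), tokens.pop(0)
    return {"seq": seq, "action": action, "proto": proto,
            "src": parse_addr(tokens), "dst": parse_addr(tokens)}

def build_acl(lines):
    """Assign default sequence numbers 1000, 1010, ... and sort as hardware applies them."""
    rules, next_seq = [], 1000
    for line in lines:
        rule = parse_rule(line)
        if rule["seq"] is None:
            rule["seq"], next_seq = next_seq, next_seq + 10
        rules.append(rule)
    return sorted(rules, key=lambda r: r["seq"])

def _addr_match(spec, addr):
    ip, mask = spec
    return ((ip ^ _ip(addr)) & ~mask & 0xFFFFFFFF) == 0  # mask bits set = don't care

def evaluate(acl, proto, src, dst):
    """Return (action, seq) of the first matching rule, or None if none matched
    (this part of the guide does not say what happens then)."""
    for rule in acl:
        if rule["proto"] in ("every", proto) and _addr_match(rule["src"], src) \
                and _addr_match(rule["dst"], dst):
            return rule["action"], rule["seq"]
    return None

# Constructed sample: the second rule carries explicit sequence 10, so it is
# applied before the first rule, which gets the default sequence 1000.
SAMPLE_RULES = ["permit tcp host 10.0.0.5 any",
                "10 deny tcp 10.0.0.0 0.0.0.255 any", "permit every any any"]
```

With these rules, evaluate(build_acl(SAMPLE_RULES), "tcp", "10.0.0.5", "192.0.2.1") returns ('deny', 10) even though the permit for that host was entered first, while a UDP packet from the same host falls through to ('permit', 1010).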