Command Reference Guide
SROS Command Line Interface Reference Guide Global Configuration Mode Command Set
5991-2114 © Copyright 2005 Hewlett-Packard Development Company, L.P. 250
ip access-list extended <listname>
Use the ip access-list extended <listname> command to create an empty extended access list and enter the extended access-list configuration mode.
Use the no form of this command to delete an access list and all the entries contained in it.
The following is the complete syntax for an extended access-list entry:
<action> <protocol> <source ip> <source port> <destination ip> <destination port>
Syntax Description
<listname>
Alphanumeric descriptor for identifying the configured access list (all access list descriptors are case-sensitive).
<protocol>
Specifies the data protocol, such as ip, icmp, tcp, udp, or a specific protocol number (0-255).
<source ip>
Specifies the source IP address used for packet matching. IP addresses can be expressed in one of three ways:
1. Using the keyword any to match any IP address. For example, entering deny any will effectively shut down the interface that uses the access list, because all traffic will match the any keyword.
2. Using host <A.B.C.D> to specify a single host address. For example, entering permit host 196.173.22.253 will allow all traffic from the host with an IP address of 196.173.22.253.
3. Using the <A.B.C.D> <wildcard> format to match all IP addresses in a "range". Wildcard masks work in reverse logic from a subnet mask: a one bit in the wildcard mask means "don't care". For example, entering deny 192.168.0.0 0.0.0.255 will deny all traffic from the 192.168.0.0/24 network.
Example:
[permit | deny] icmp [any | host <A.B.C.D> | <A.B.C.D> <W.W.W.W>] [any | host <A.B.C.D> | <A.B.C.D> <W.W.W.W>] <icmp-type>* <icmp-code>* <icmp-message>*
[permit | deny] [ip | tcp | udp] [any | host <A.B.C.D> | <A.B.C.D> <W.W.W.W>] <source port>* [any | host <A.B.C.D> | <A.B.C.D> <W.W.W.W>] <destination port>*
In both forms the first address field is the Source IP Address and the second is the Destination IP Address.
* = optional
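The three address forms in the Syntax Description (any, host <A.B.C.D>, and <A.B.C.D> <wildcard>) and the [permit | deny] [ip | tcp | udp] template above, worked through as an added Python example. This is not code from the SROS guide or from the router's software; it models only the action, protocol, source and destination fields, leaving out the port and ICMP-type fields, and the sample entries and packet addresses are constructed. It evaluates a packet against a list with first-match semantics and assumes a list with no matching entry denies (the implicit deny of Cisco-style ACLs, which this page does not state), and it flags a wildcard that looks like a subnet mask, the common slip of writing 255.255.255.0 where 0.0.0.255 was meant.

```python
import ipaddress

# Protocol keywords from the guide mapped to IP protocol numbers; "ip" matches any protocol.
PROTO = {"icmp": 1, "tcp": 6, "udp": 17}
ALL_ONES = 0xFFFFFFFF


def _ip(text):
    """Dotted-quad string -> 32-bit int."""
    return int(ipaddress.IPv4Address(text))


def _proto(token):
    """Normalise a protocol keyword or number (0-255); None stands for 'ip' (any protocol)."""
    if token == "ip":
        return None
    if token in PROTO:
        return PROTO[token]
    if token.isdigit() and 0 <= int(token) <= 255:
        return int(token)
    raise ValueError(f"unknown protocol {token!r}")


def parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'.
    Returns ((base, wildcard), remaining tokens); 'any' is base 0 with an all-ones wildcard."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return (0, ALL_ONES), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def addr_matches(spec, addr):
    """Wildcard semantics: a 1 bit in the mask is 'don't care', so only the bits
    where the wildcard is 0 must equal the base address."""
    base, wildcard = spec
    care = ~wildcard & ALL_ONES
    return ((_ip(addr) ^ base) & care) == 0


def parse_ace(line):
    """Parse '<action> <protocol> <source ip> <destination ip>' (port/ICMP fields not modeled)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"bad entry: {line!r}")
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    if rest:
        raise ValueError(f"unsupported trailing fields {rest} in {line!r}")
    return {"action": tokens[0], "proto": _proto(tokens[1]), "src": src, "dst": dst}


def evaluate(acl_lines, proto, src, dst):
    """First matching entry wins. A list with no matching entry denies: the implicit
    deny of Cisco-style ACLs, assumed here because the guide page does not state it."""
    pkt_proto = _proto(proto)
    for line in acl_lines:
        ace = parse_ace(line)
        if ace["proto"] is not None and ace["proto"] != pkt_proto:
            continue
        if addr_matches(ace["src"], src) and addr_matches(ace["dst"], dst):
            return ace["action"]
    return "deny"


def lint(acl_lines):
    """Flag wildcards whose top bit is set but that are not 'any': they read like subnet
    masks. 192.168.0.0 255.255.255.0 matches any address ending in .0, not the /24."""
    warnings = []
    for line in acl_lines:
        ace = parse_ace(line)
        for label in ("src", "dst"):
            _base, wildcard = ace[label]
            if wildcard != ALL_ONES and wildcard & 0x80000000:
                warnings.append(f"{line!r}: {label} wildcard "
                                f"{ipaddress.IPv4Address(wildcard)} looks like a subnet mask")
    return warnings


# Constructed sample list for illustration (not taken from the guide).
SAMPLE_ACL = [
    "permit ip host 196.173.22.253 any",
    "deny ip 192.168.0.0 0.0.0.255 any",
    "permit tcp 10.0.0.0 0.255.255.255 any",
]
# Constructed entry showing the wildcard/subnet-mask slip.
BAD_ACL = ["deny ip 192.168.0.0 255.255.255.0 any"]

if __name__ == "__main__":
    for pkt in (("tcp", "196.173.22.253", "10.1.1.1"), ("udp", "192.168.0.77", "8.8.8.8"),
                ("udp", "10.20.30.40", "1.1.1.1")):
        print(pkt, "->", evaluate(SAMPLE_ACL, *pkt))
    print(lint(BAD_ACL))
```

Running the lint over a candidate list before applying it catches the reversed-mask entry: with 255.255.255.0 as the wildcard, 192.168.0.5 is not matched at all while 10.20.30.0 is, so a rule meant to deny a /24 instead leaves it open and blocks unrelated hosts.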