Product guide
10-45
Access Control Lists (ACLs)
Configuring and Assigning an ACL
Extended ACL Configuration Structure
Individual ACEs in an extended ACL include:
■ A permit/deny statement
■ Source and destination IP addressing
■ Choice of IP criteria, including optional precedence and ToS
■ Optional ACL log command (for deny entries)
■ Optional remark statements
Figure 10-11. Example of General Structure Options for an Extended ACL

ip access-list extended < identifier >
  [ [ seq-# ] remark < remark-str > ]
  < permit | deny > < ip-type > < SA > < src-acl-mask > < DA > < dest-acl-mask > [ log ]
  < permit | deny > tcp
      < SA > < src-acl-mask > [ < operator > < port-id > ]
      < DA > < dest-acl-mask > [ < operator > < port-id > ] [ log ]
      [ established ]
  < permit | deny > udp
      < SA > < src-acl-mask > [ < operator > < port-id > ]
      < DA > < dest-acl-mask > [ < operator > < port-id > ] [ log ]
  < permit | deny > icmp
      < SA > < src-acl-mask > < DA > < dest-acl-mask > [ icmp-type ] [ log ]
  < permit | deny > igmp
      < SA > < src-acl-mask > < DA > < dest-acl-mask > [ igmp-type ] [ log ]
  [ precedence < priority > ]
  [ tos < tos-setting > ]
  . . .
  < Implicit Deny >
exit

Note: The optional log function appears only with "deny" ACEs.
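The following Python script is an added example, not part of the product guide and not the switch's own code. It embeds a constructed extended ACL written in the Figure 10-11 structure, parses the ACEs, and evaluates sample packets against them to show the semantics a practitioner relies on: the ACL mask convention (assumed here to be wildcard style, where a 1 bit means "ignore this address bit"), first-match ordering, the port operators eq/neq/lt/gt/range, the rule that "log" is accepted only on deny ACEs, and the implicit deny at the end of the list (assumed not to log, since it is not an explicit ACE). The `established`, `precedence` and `tos` options are accepted by the grammar above but are not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample ACL in the extended-ACL structure of Figure 10-11
# (example input written for this script, not taken from the product guide).
SAMPLE_ACL = """
ip access-list extended "Web-Servers"
  remark web and ping from the 10.10.10.0/24 user LAN to the server 10.20.20.5
  permit tcp 10.10.10.0 0.0.0.255 10.20.20.5 0.0.0.0 eq 80
  permit tcp 10.10.10.0 0.0.0.255 10.20.20.5 0.0.0.0 eq 443
  permit icmp 10.10.10.0 0.0.0.255 10.20.20.5 0.0.0.0
  deny tcp 10.10.10.0 0.0.0.255 10.20.20.5 0.0.0.0 range 1 1023 log
  exit
"""

PortSpec = Optional[Tuple[str, int, int]]   # (operator, low, high); None means any port
OPERATORS = ("eq", "neq", "lt", "gt", "range")


@dataclass
class ACE:
    action: str          # "permit" or "deny"
    proto: str           # ip | tcp | udp | icmp | igmp
    src: int
    src_mask: int        # ACL mask; assumption: a 1 bit means "ignore this address bit"
    dst: int
    dst_mask: int
    src_port: PortSpec
    dst_port: PortSpec
    log: bool


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_port(tokens: List[str], i: int) -> Tuple[PortSpec, int]:
    """Parse an optional '< operator > < port-id >' starting at tokens[i]."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        op = tokens[i]
        if op == "range":
            return (op, int(tokens[i + 1]), int(tokens[i + 2])), i + 3
        return (op, int(tokens[i + 1]), int(tokens[i + 1])), i + 2
    return None, i


def parse_acl(text: str) -> List[ACE]:
    """Turn Figure 10-11 style ACE lines into ACE records; the header, remarks and exit are skipped."""
    aces: List[ACE] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] in ("ip", "exit") or "remark" in tokens[:2]:
            continue
        if tokens[0].isdigit():          # optional leading seq-#
            tokens = tokens[1:]
        action, proto = tokens[0], tokens[1]
        src, src_mask = _ip(tokens[2]), _ip(tokens[3])
        sport, i = _parse_port(tokens, 4) if proto in ("tcp", "udp") else (None, 4)
        dst, dst_mask = _ip(tokens[i]), _ip(tokens[i + 1])
        dport, i = _parse_port(tokens, i + 2) if proto in ("tcp", "udp") else (None, i + 2)
        if proto in ("icmp", "igmp") and i < len(tokens) and tokens[i].isdigit():
            i += 1                       # optional icmp-type / igmp-type, parsed but not matched
        log = i < len(tokens) and tokens[i] == "log"
        if log and action != "deny":     # the guide's note: log appears only with deny ACEs
            raise ValueError(f"'log' is only valid on deny ACEs: {raw.strip()}")
        aces.append(ACE(action, proto, src, src_mask, dst, dst_mask, sport, dport, log))
    return aces


def _addr_match(addr: int, base: int, mask: int) -> bool:
    keep = ~mask & 0xFFFFFFFF            # the address bits the ACE actually compares
    return (addr & keep) == (base & keep)


def _port_match(spec: PortSpec, port: int) -> bool:
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "lt": port < lo,
            "gt": port > lo, "range": lo <= port <= hi}[op]


def evaluate(aces: List[ACE], pkt: Packet) -> Tuple[str, bool]:
    """First-match evaluation. Returns (action, logged); unmatched traffic hits the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(_ip(pkt.src), ace.src, ace.src_mask)
                and _addr_match(_ip(pkt.dst), ace.dst, ace.dst_mask)):
            continue
        if ace.proto in ("tcp", "udp") and not (
                _port_match(ace.src_port, pkt.sport) and _port_match(ace.dst_port, pkt.dport)):
            continue
        return ace.action, ace.log
    return "deny", False                 # implicit deny; assumed not to log (it is not an explicit ACE)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for p in (Packet("tcp", "10.10.10.7", "10.20.20.5", 51000, 80),
              Packet("tcp", "10.10.10.7", "10.20.20.5", 51000, 22),
              Packet("udp", "10.10.10.7", "10.20.20.5", 51000, 53),
              Packet("tcp", "10.10.11.7", "10.20.20.5", 51000, 80)):
        print(p, "->", evaluate(acl, p))
```

Running the script shows that web traffic from the user LAN is permitted, an SSH attempt to port 22 is denied and logged by the explicit deny ACE, and traffic that no ACE matches (UDP to port 53, or a source outside 10.10.10.0/24) is dropped silently by the implicit deny. That last behaviour is why an explicit `deny ip ... log` as the final ACE is the usual way to get visibility into what the ACL is blocking.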