Product guide

10-65
Access Control Lists (ACLs)
Configuring Extended ACLs
< ip | ip-protocol | ip-protocol-nbr >
Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following:
ip: any IP packet.
ip-protocol: any one of the following IP protocol names: ip-in-ip, ipv6-in-ip, gre, esp, ah, ospf, pim, vrrp, sctp, tcp*, udp*, icmp*, igmp*
ip-protocol-nbr: the IPv4 protocol number of an IP packet type, such as 8 for Exterior Gateway Protocol or 121 for Simple Message Protocol. (For a listing of IP protocol numbers and their corresponding protocol names, refer to the IANA “Protocol Number Assignment Services” at www.iana.com.) (Range: 0 - 255)
* For TCP, UDP, ICMP, and IGMP, additional criteria can be specified, as described on pages 10-68 through 10-72.
< any | host < SA > | SA < mask > | SA/mask-length >
This is the first instance of IP addressing in an extended ACE. It follows the protocol specifier and defines the source IP address (SA) a packet must carry for a match with the ACE.
any: Allows IP packets from any SA.
host < SA >: Specifies only packets having a single address as the SA. Use this criterion when you want to match only the IP packets from a single SA.
SA < mask > or SA/mask-length: Specifies packets received from an SA, where the SA is either a subnet or a group of IP addresses. The mask can be in either dotted-decimal format or CIDR format (number of significant bits). Refer to “Using CIDR Notation To Enter the ACL Mask” on page 10-50.
SA Mask Application: The mask is applied to the SA in the ACL to define which bits in a packet’s SA must exactly match the SA configured in the ACL and which bits need not match.
Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any IP address in the range of 10.10.10.(1 - 255).
Note: Specifying a group of contiguous IP addresses may require more than one ACE. For more on how masks operate in ACLs, refer to “How an ACE Uses a Mask To Screen Packets for Matches” on page 10-36.
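As an added example that is not part of the product guide, the following Python models how the SA and mask of an ACE screen a packet's source address: it parses the four SA forms above, confirms that 10.10.10.1/24 and 10.10.10.1 0.0.0.255 are the same criterion, and shows why a contiguous range such as 10.10.10.1 through 10.10.10.6 needs more than one ACE. The function names are this example's own assumptions; the switch exposes no such API.

```python
# Added example, not from the product guide: a model of how the source-address
# part of an extended ACE screens a packet's SA. Mask semantics follow the guide:
# a 0 bit in the mask means the packet's SA bit must equal the ACE's SA bit,
# a 1 bit means that bit need not match. Function names are this example's own.
import ipaddress
from typing import List, Tuple


def parse_sa_spec(spec: str) -> Tuple[int, int]:
    """Parse 'any' | 'host <SA>' | '<SA> <mask>' | '<SA>/<mask-length>'
    into (sa, mask) as 32-bit integers, with mask in don't-care form."""
    parts = spec.split()
    if parts == ["any"]:
        return 0, 0xFFFFFFFF                              # no bit has to match
    if parts[0] == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0    # every bit must match
    if len(parts) == 2:                                   # dotted-decimal mask
        return (int(ipaddress.IPv4Address(parts[0])),
                int(ipaddress.IPv4Address(parts[1])))
    sa, length = parts[0].split("/")                      # CIDR mask-length
    mask = (1 << (32 - int(length))) - 1                  # low bits need not match
    return int(ipaddress.IPv4Address(sa)), mask


def sa_matches(spec: str, packet_sa: str) -> bool:
    """True if the packet's SA agrees with the ACE's SA on every bit where the mask is 0."""
    sa, mask = parse_sa_spec(spec)
    differing = int(ipaddress.IPv4Address(packet_sa)) ^ sa
    return (differing & ~mask & 0xFFFFFFFF) == 0


def aces_for_range(first: str, last: str) -> List[str]:
    """'SA mask' criteria (CIDR-aligned blocks) needed to cover a contiguous
    SA range. A range such as 10.10.10.1 - 10.10.10.6 takes several ACEs."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [f"{net.network_address} {net.hostmask}"
            for net in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    # The guide's example: both forms match 10.10.10.x and reject 10.10.11.x
    for spec in ("10.10.10.1/24", "10.10.10.1 0.0.0.255"):
        print(spec, sa_matches(spec, "10.10.10.77"), sa_matches(spec, "10.10.11.77"))
    print(aces_for_range("10.10.10.1", "10.10.10.6"))
```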