DGS-1510 Series Gigabit Ethernet SmartPro Switch CLI Reference Guide
53
If a rule entry is created without a sequence number, a sequence number will be automatically
assigned. If it is the first entry, the sequence number 10 is assigned. A subsequent rule entry will be
assigned a sequence number that is 10 greater than the largest sequence number in that access list
and is placed at the end of the list.
Use the access-list sequence command to change the start sequence number and the increment for the specified access list. After the command is applied, a new rule entered without a sequence number is assigned one based on the new sequence setting of that access list.
When you assign sequence numbers manually, leave a reserved interval between them so that entries with lower sequence numbers can be inserted later. Otherwise, inserting an entry with a lower sequence number will take extra effort.
The sequence number must be unique in the domain of an access-list. If you enter a sequence
number that is already present, an error message will be shown.
Example
This example shows how to use the extended expert ACL. The purpose is to deny all the TCP
packets with the source IP address 192.168.4.12 and the source MAC address 00:13:00:49:82:72.
Switch# configure terminal
Switch(config)# expert access-list extended exp_acl
Switch(config-exp-nacl)# deny tcp host 192.168.4.12 host 0013.0049.8272 any any
Switch(config-exp-nacl)# end
Switch# show access-lists
Extended Expert access list exp_acl(ID: 9999)
10 deny tcp host 192.168.4.12 host 0013.0049.8272 any any
Switch#
4-18 permit | deny (ip access-list)
This command is used to add a permit or a deny entry. Use the no form of this command to remove
an entry.
Extended Access List:

[SEQUENCE-NUMBER] {permit | deny} tcp {any | host SRC-IP-ADDR | SRC-IP-ADDR SRC-IP-WILDCARD} [{eq | lt | gt | neq} PORT | range MIN-PORT MAX-PORT] {any | host DST-IP-ADDR | DST-IP-ADDR DST-IP-WILDCARD} [{eq | lt | gt | neq} PORT | range MIN-PORT MAX-PORT] [TCP-FLAG] [[precedence PRECEDENCE] [tos TOS] | dscp DSCP] [time-range PROFILE-NAME]

[SEQUENCE-NUMBER] {permit | deny} udp {any | host SRC-IP-ADDR | SRC-IP-ADDR SRC-IP-WILDCARD} [{eq | lt | gt | neq} PORT | range MIN-PORT MAX-PORT] {any | host DST-IP-ADDR | DST-IP-ADDR DST-IP-WILDCARD} [{eq | lt | gt | neq} PORT | range MIN-PORT MAX-PORT] [[precedence PRECEDENCE] [tos TOS] | dscp DSCP] [time-range PROFILE-NAME]

[SEQUENCE-NUMBER] {permit | deny} icmp {any | host SRC-IP-ADDR | SRC-IP-ADDR SRC-IP-WILDCARD} {any | host DST-IP-ADDR | DST-IP-ADDR DST-IP-WILDCARD} [ICMP-TYPE [ICMP-CODE] | ICMP-MESSAGE] [[precedence PRECEDENCE] [tos TOS] | dscp DSCP] [time-range PROFILE-NAME]

[SEQUENCE-NUMBER] {permit | deny} {gre | esp | eigrp | igmp | ipinip | ospf | pcp | pim | vrrp | protocol-id PROTOCOL-ID} {any | host SRC-IP-ADDR | SRC-IP-ADDR SRC-IP-WILDCARD} {any | host DST-IP-ADDR | DST-IP-ADDR DST-IP-WILDCARD} [fragments] [[precedence PRECEDENCE] [tos TOS] | dscp DSCP] [time-range PROFILE-NAME]

[SEQUENCE-NUMBER] {permit | deny} {any | host SRC-IP-ADDR | SRC-IP-ADDR SRC-IP-WILDCARD} [any | host DST-IP-ADDR | DST-IP-ADDR DST-IP-WILDCARD] [fragments] [[precedence PRECEDENCE] [tos TOS] | dscp DSCP] [time-range PROFILE-NAME]
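The following Python model is an added illustration, not code from the D-Link guide or the switch firmware. It combines the sequence-number rules described earlier in this section (first entry gets 10, later entries get the largest number plus 10, duplicates are rejected, and access-list sequence changes the base for future auto-assigned numbers) with a first-match evaluator for the tcp and udp forms of the extended IP access list above. The class and function names are the editor's own. It assumes the conventional wildcard-mask semantics (a 1 bit in SRC-IP-WILDCARD or DST-IP-WILDCARD means that address bit is ignored), which this page does not define, and it models only the address and port clauses, not TCP-FLAG, precedence, tos, dscp or time-range. The sample list and packets are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the guide's sequence-number rules plus first-match
# evaluation of tcp/udp entries. Names here are assumptions (not D-Link's),
# as is the wildcard-mask interpretation in ip_matches().

PORT_OPS = {
    "eq": lambda p, a: p == a,
    "lt": lambda p, a: p < a,
    "gt": lambda p, a: p > a,
    "neq": lambda p, a: p != a,
}


def ip_matches(addr, spec):
    """spec is 'any', ('host', IP) or ('net', IP, WILDCARD).
    Assumed wildcard semantics: a 1 bit in WILDCARD is don't-care."""
    if spec == "any":
        return True
    if spec[0] == "host":
        return addr == spec[1]
    _, net, wild = spec
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    return (a & care) == (n & care)


def port_matches(port, spec):
    """spec is None (no port clause), ('eq'|'lt'|'gt'|'neq', PORT) or ('range', MIN, MAX)."""
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    return PORT_OPS[spec[0]](port, spec[1])


@dataclass
class Entry:
    seq: int
    action: str    # "permit" or "deny"
    proto: str     # "tcp" or "udp"
    src: object
    sport: object
    dst: object
    dport: object

    def matches(self, pkt):
        return (pkt["proto"] == self.proto
                and ip_matches(pkt["src"], self.src)
                and port_matches(pkt["sport"], self.sport)
                and ip_matches(pkt["dst"], self.dst)
                and port_matches(pkt["dport"], self.dport))


class ExtendedIpAcl:
    def __init__(self, name):
        self.name = name
        self.entries = []                    # kept sorted by sequence number
        self.start, self.increment = 10, 10  # defaults implied by the guide

    def sequence(self, start, increment):
        """Models 'access-list sequence': only future auto-assigned numbers change."""
        self.start, self.increment = start, increment

    def add(self, action, proto, src, sport, dst, dport, seq=None):
        """Add an entry; returns the sequence number that was used."""
        if seq is None:
            # First entry gets the start value; later ones get largest + increment.
            seq = self.start if not self.entries else max(e.seq for e in self.entries) + self.increment
        elif any(e.seq == seq for e in self.entries):
            # Sequence numbers must be unique within one access list.
            raise ValueError(f"sequence number {seq} already exists in {self.name}")
        self.entries.append(Entry(seq, action, proto, src, sport, dst, dport))
        self.entries.sort(key=lambda e: e.seq)
        return seq

    def evaluate(self, pkt):
        """First matching entry in sequence order decides; returns (action, seq)."""
        for e in self.entries:
            if e.matches(pkt):
                return e.action, e.seq
        return "no-match", None


def demo():
    """Constructed sample list and packets; returns the list and its verdicts."""
    acl = ExtendedIpAcl("ext_acl")
    acl.add("deny", "tcp", ("host", "192.168.4.12"), None, "any", ("eq", 23))                      # auto: 10
    acl.add("permit", "tcp", ("net", "192.168.4.0", "0.0.0.255"), None, "any", ("range", 20, 25))  # auto: 20
    acl.add("deny", "udp", "any", None, "any", ("eq", 53), seq=15)                                  # manual, lands between 10 and 20
    packets = {  # constructed sample packets
        "telnet_from_4_12": {"proto": "tcp", "src": "192.168.4.12", "sport": 40000, "dst": "10.0.0.1", "dport": 23},
        "ssh_from_4_77":    {"proto": "tcp", "src": "192.168.4.77", "sport": 40001, "dst": "10.0.0.1", "dport": 22},
        "dns_from_4_77":    {"proto": "udp", "src": "192.168.4.77", "sport": 40002, "dst": "10.0.0.1", "dport": 53},
        "http_from_10_1":   {"proto": "tcp", "src": "10.1.1.1",     "sport": 40003, "dst": "10.0.0.1", "dport": 80},
    }
    return acl, {name: acl.evaluate(p) for name, p in packets.items()}


if __name__ == "__main__":
    acl, results = demo()
    print("sequence order:", [e.seq for e in acl.entries])
    for name, (action, seq) in results.items():
        print(f"{name}: {action} (seq {seq})")
```

The manually numbered entry 15 shows why the guide recommends leaving gaps: it slots between 10 and 20 without renumbering anything, whereas a list numbered 10, 11, 12 would have no room. The page does not state what happens to a packet that matches no entry, so the model returns "no-match" rather than assuming an implicit deny.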