78 ACL Commands
Default Configuration
No IPv4 ACL is defined.
Command Mode
IP-Access List Configuration mode.
User Guidelines
• Use the ip access-list Global Configuration mode command to enter IP-Access List Configuration mode.
• Before any Access Control Element (ACE) is added to an ACL, all packets are permitted. As soon as one ACE is added, an implied deny-any-any condition exists at the end of the list: a packet that matches no permit statement is denied. An ACL with a single permit ACE therefore blocks everything else, so add the required permit statements before applying the list to an interface.
Example
The following example shows how to define a permit statement for an IP ACL. It permits RSVP packets from host 192.1.1.1 (the wildcard 0.0.0.0 means an exact host match) to any destination when the packets carry DSCP 56; once this ACE exists, all other traffic falls through to the implied deny-any-any.
Console(config)# ip access-list ip-acl1
Console(config-ip-al)# permit rsvp 192.1.1.1 0.0.0.0 any dscp 56
deny (IP)
The deny IP-Access List Configuration mode command denies traffic if the conditions defined in the deny statement match.
Syntax
• deny [disable-port] {any | protocol} {any | {source source-wildcard}} {any | {destination destination-wildcard}} [dscp number | ip-precedence number]
• deny-icmp [disable-port] {any | {source source-wildcard}} {any | {destination destination-wildcard}} {any | icmp-type} {any | icmp-code} [dscp number | ip-precedence number]
• deny-igmp [disable-port] {any | {source source-wildcard}} {any | {destination destination-wildcard}} {any | igmp-type} [dscp number | ip-precedence number]
• deny-tcp [disable-port] {any | {source source-wildcard}} {any | source-port} {any | {destination destination-wildcard}} {any | destination-port} [dscp number | ip-precedence number] [flags list-of-flags] [src-port-wildcard source-port-wildcard] [dst-port-wildcard destination-port-wildcard]
• deny-udp [disable-port] {any | {source source-wildcard}} {any | source-port} {any | {destination destination-wildcard}} {any | destination-port} [dscp number | ip-precedence number] [src-port-wildcard source-port-wildcard] [dst-port-wildcard destination-port-wildcard]
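The following Python model is an added example, not the switch's own implementation or anything from the Dell manual. It parses a subset of the ACE syntax shown on this page (permit/deny with a protocol keyword and wildcard masks, the -tcp/-udp forms with ports, and the dscp qualifier; the icmp/igmp forms, flags, port wildcards and ip-precedence are left out) and walks packets through the list exactly as the User Guidelines describe: first matching ACE wins, an ACL with no ACEs permits everything, and once any ACE exists an implied deny-any-any ends the list. It assumes that permit-tcp/permit-udp mirror the deny-tcp/deny-udp syntax, that protocol keywords map to IANA protocol numbers, and uses a constructed ACL (whose first line is the page's own example) and constructed packets.

```python
"""Evaluator for the first-match IPv4 ACL semantics described on this page.

Added example, not the switch's code. Assumptions: permit-tcp/permit-udp mirror
the deny-tcp/deny-udp syntax; protocol keywords map to IANA numbers.
"""
import ipaddress

# Assumption: protocol keyword -> IANA protocol number.
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "rsvp": 46}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Inverse-mask match: a 1 bit in the wildcard means 'don't care',
    so 0.0.0.0 is an exact host and 0.0.0.255 is a /24."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


def _pop_addr(tokens):
    """'any' -> None, otherwise (address, wildcard)."""
    if tokens[0] == "any":
        tokens.pop(0)
        return None
    return tokens.pop(0), tokens.pop(0)


def _pop_port(tokens):
    """'any' -> None, otherwise an integer port."""
    tok = tokens.pop(0)
    return None if tok == "any" else int(tok)


def parse_ace(line: str) -> dict:
    """Parse one ACE line in the page's syntax into a match dictionary."""
    tokens = line.split()
    action, _, l4 = tokens.pop(0).partition("-")   # "deny-tcp" -> ("deny", "tcp")
    if action not in ("permit", "deny") or l4 not in ("", "tcp", "udp"):
        raise ValueError(f"unsupported ACE: {line}")
    if tokens and tokens[0] == "disable-port":      # accepted; the matcher ignores it
        tokens.pop(0)
    if l4:
        proto = PROTO_NUMBERS[l4]
    else:
        tok = tokens.pop(0)
        proto = None if tok == "any" else (int(tok) if tok.isdigit() else PROTO_NUMBERS[tok])
    ace = {"action": action, "proto": proto, "src": _pop_addr(tokens), "sport": None}
    if l4:
        ace["sport"] = _pop_port(tokens)
    ace["dst"] = _pop_addr(tokens)
    ace["dport"] = _pop_port(tokens) if l4 else None
    ace["dscp"] = int(tokens[1]) if tokens[:1] == ["dscp"] else None
    return ace


def ace_matches(ace: dict, pkt: dict) -> bool:
    """Every qualifier present in the ACE must match the packet."""
    if ace["proto"] is not None and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if ace[side] is not None and not wildcard_match(pkt[side], *ace[side]):
            return False
    for key in ("sport", "dport", "dscp"):
        if ace[key] is not None and ace[key] != pkt.get(key, 0):
            return False
    return True


def evaluate(acl_lines: list, pkt: dict) -> str:
    """Return 'permit' or 'deny' for pkt under the ACL given as ACE lines."""
    aces = [parse_ace(line) for line in acl_lines]
    if not aces:
        return "permit"        # no ACE defined yet: all traffic is permitted
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"              # implied deny-any-any at the end of the list


# Constructed example ACL; the first line is the page's own permit example.
MGMT_ACL = [
    "permit rsvp 192.1.1.1 0.0.0.0 any dscp 56",
    "permit-tcp 10.0.0.0 0.0.0.255 any 10.1.1.1 0.0.0.0 22",   # SSH from the mgmt /24 only
    "deny-tcp disable-port any any any 23",                    # telnet from anywhere
]


def packet(proto, src, dst, sport=0, dport=0, dscp=0) -> dict:
    """Constructed packet summary with the fields the matcher looks at."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "dscp": dscp}


if __name__ == "__main__":
    for label, pkt in [
        ("ssh from mgmt subnet", packet(6, "10.0.0.5", "10.1.1.1", 40000, 22)),
        ("ssh from elsewhere  ", packet(6, "10.0.1.5", "10.1.1.1", 40000, 22)),
        ("telnet from mgmt    ", packet(6, "10.0.0.5", "10.1.1.1", 40000, 23)),
        ("rsvp dscp 56        ", packet(46, "192.1.1.1", "10.1.1.1", dscp=56)),
        ("rsvp dscp 0         ", packet(46, "192.1.1.1", "10.1.1.1")),
    ]:
        print(f"{label}: {evaluate(MGMT_ACL, pkt)}  (same packet, empty ACL: {evaluate([], pkt)})")
```

The second packet is the case the guideline warns about: SSH from 10.0.1.5 matches no ACE, so it is dropped by the implied deny-any-any even though nothing in the list names it, whereas the same packet against an empty ACL is permitted. The last pair shows that a dscp qualifier on the page's own permit example makes that ACE match only RSVP packets marked 56; unmarked RSVP from the same host falls through to the implied deny.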
5400_CLI.book Page 78 Wednesday, December 17, 2008 4:33 PM