10-63
IPv4 Access Control Lists (ACLs)
Configuring Extended ACLs
Configure ACEs in a Named, Extended ACL and/or Enter the “Named
ACL” (nacl) Context. Configuring ACEs is done after using the ip access-
list standard < name-str > command described on page 10-62 to enter the
“Named ACL” (nacl) context of an ACL. For an extended ACL syntax summary,
refer to table on page 10-59.
Syntax:
(nacl
context)
< deny | permit > < ip | ip-protocol | ip-protocol-nbr >
< any | host < SA > | SA/ mask-length | SA < mask > >
< any | host < DA > | DA/ mask-length | DA < mask > >
[ precedence ] [ tos ] [ log ]
Appends an ACE to the end of the list of ACEs in the current
ACL. In the default configuration, ACEs are automatically
assigned consecutive sequence numbers in increments of 10
and can be renumbered using resequence (page 10-91).
Note: To insert a new ACE between two existing ACEs in an
extended, named ACL, precede deny or permit with an appro-
priate sequence number along with the ACE keywords and
variables you want. (Refer to “Inserting an ACE in an Exist-
ing ACL” on page 10-88.)
For a match to occur, a packet must have the source and
destination addressing criteria specified in the ACE, as well
as:
• the protocol-specific criteria configured in the ACE,
including any included, optional elements (described later
in this section)
• any (optional) precedence and/or ToS settings configured
in the ACE
< deny | permit >
For named ACLs, these keywords are used in the “Named ACL”
(nacl) context to specify whether the ACE denies or permits a
packet matching the criteria in the ACE, as described below.
To Next Page
Loading...
