10-53
IPv4 Access Control Lists (ACLs)
Configuring Standard ACLs
Configuring ACEs in an Named, Standard ACL. Configuring ACEs is
done after using the ip access-list standard < name-str > command described
above to enter the “Named ACL” (nacl) context of an access list. For a
standard ACL syntax summary, refer to table on page 10-50.
Syntax: < deny | permit >
< any | host < SA > | SA <mask | SA/ mask-length >> [log]
Executing this command appends the ACE to the end of the list
of ACEs in the current ACL. In the default ACL configuration,
ACEs are automatically assigned consecutive sequence num-
bers in increments of 10 and can be renumbered using
resequence (page 10-91).
Note: To insert a new ACE between two existing ACEs, precede
deny or permit with an appropriate sequence number. (Refer to
“Inserting an ACE in an Existing ACL” on page 10-88.)
< deny | permit >
For named ACLs, used in the “Named ACL” (nacl) context to
configure an ACE. Specifies whether the ACE denies or permits
a packet matching the criteria in the ACE, as described below.
< any | host < SA > | SA < mask > | SA/mask-length >
Defines the source IPv4 address (SA) a packet must carry for
a match with the ACE.
• any — Allows IPv4 packets from any SA.
• host < SA > — Specifies only packets having < SA > as the
source. Use this criterion when you want to match the IPv4
packets from a single source address.
• SA < mask > or SA /mask-length — Specifies packets received
from either a subnet or a group of IPv4 addresses. The mask
format can be in either dotted-decimal format or CIDR
format (number of significant bits). (Refer to “Using CIDR
Notation To Enter the IPv4 ACL Mask” on page 10-49).
Mask Application: The mask is applied to the IPv4 address
in the ACE to define which bits in a packet’s SA must exactly
match the SA configured in the ACE and which bits need not
match. For example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both
define any address in the range of 10.10.10.(1 - 255).
Note: Specifying a group of contiguous addresses may
require more than one ACE. For more on how masks operate,
refer to “How an ACE Uses a Mask To Screen Packets for
Matches” on page 10-35.
To Next Page
Loading...
Need help?
General
