IPv4 Access Control Lists (ACLs)
Configuring Extended ACLs
< ip | ip-protocol | ip-protocol-nbr >
Used after deny or permit to specify the packet protocol type
required for a match. An extended ACL must include one of
the following:
• ip — any IPv4 packet.
• ip-protocol — any one of the following IPv4 protocol names:
ip-in-ip ipv6-in-ip gre esp ah
ospf pim vrrp sctp tcp*
udp* icmp* igmp*
• ip-protocol-nbr — the protocol number of an IPv4 packet type,
such as “8” for Exterior Gateway Protocol or 121 for Simple
Message Protocol. (For a listing of IPv4 protocol numbers
and their corresponding protocol names, refer to the IANA
“Protocol Number Assignment Services” at
www.iana.com.) (Range: 0 - 255)
* For TCP, UDP, ICMP, and IGMP, additional criteria can be
specified, as described on pages 9-61 through 9-65.
< any | host < SA > | SA < mask > | SA/ mask-length
This is the first instance of IPv4 addressing in an extended
ACE. It follows the protocol specifier and defines the source
address (SA) a packet must carry for a match with the ACE.
• any — Allows IPv4 packets from any SA.
• host < SA > — Specifies only packets having a single address
as the SA. Use this criterion when you want to match only
the IPv4 packets from a single SA.
• SA < mask > or SA/mask-length — Specifies packets received
from an SA, where the SA is either a subnet or a group of
addresses. The mask can be in either dotted-decimal format
or CIDR format (number of significant bits). Refer to
“Using CIDR Notation To Enter the IPv4 ACL Mask” on page
9-43.
SA Mask Application: The mask is applied to the SA in the
ACL to define which bits in a packet’s SA must exactly
match the SA configured in the ACL and which bits need
not match.
Example: 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both
define any address in the range of 10.10.10.(1 - 255).
Note: Specifying a group of contiguous addresses may
require more than one ACE. For more on how masks operate
in ACLs, refer to “How an ACE Uses a Mask To Screen
Packets for Matches” on page 9-28.
9-58
To Next Page
Loading...
