20
Parameters
rule-id: Specifies a rule ID in the range of 0 to 65534. If you do not specify a rule ID when creating an
ACL rule, the system automatically assigns it a rule ID. This rule ID is the nearest higher multiple of
the numbering step to the current highest rule ID, starting from 0. For example, if the rule numbering
step is 5 and the current highest rule ID is 28, the rule is numbered 30.
deny: Denies matching packets.
permit: Allows matching packets to pass.
protocol: Specifies one of the following values:
• A protocol number in the range of 0 to 255.
• A protocol by its name: gre (47), icmp (1), igmp (2), ip, ipinip (4), ospf (89), tcp (6), or udp
(17). The ip keyword specifies all protocols.
Table 7 describe
s the parameters that you can specify regardless of the value for the protocol
argument.
Table 7 Match criteria and other rule information for IPv4 advanced ACL rules
Parameters Function Description
source
{ source-address
source-wildcard |
any
}
Specifies a source address.
The source-address source-wildcard arguments
specify a source IP address and a wildcard mask in
dotted decimal notation. An all-zero wildcard
represents a host address.
The
any
keyword specifies any source IP address.
destination
{ dest-address
dest-wildcard |
any
}
Specifies a destination
address.
The dest-address dest-wildcard arguments specify a
destination IP address and a wildcard mask in dotted
decimal notation. An all-zero wildcard mask
represents a host address.
The
any
keyword represents any destination IP
address.
counting
Counts the times that the
rule is matched.
The
counting
keyword enables match counting
specific to rules, and the
hardware-count
keyword
in the
packet-filter
command enables match
counting for all rules in an ACL. If the
counting
keyword is not specified, matches for the rule are not
counted.
precedence
precedence
Specifies an IP precedence
value.
The precedence argument can be a number in the
range of 0 to 7, or in words:
routine
(0),
priority
(1),
immediate
(2),
flash
(3),
flash-override
(4),
critical
(5),
internet
(6), or
network
(7).
tos
tos Specifies a ToS preference.
The tos argument can be a number in the range of 0
to 15, or in words:
max-reliability
(2),
max-throughput
(4),
min-delay
(8),
min-monetary-cost
(1), or
normal
(0).
dscp
dscp Specifies a DSCP priority.
The dscp argument can be a number in the range of
0 to 63, or in words:
af11
(10),
af12
(12),
af13
(14),
af21
(18),
af22
(20),
af23
(22),
af31
(26),
af32
(28),
af33
(30),
af41
(34),
af42
(36),
af43
(38),
cs1
(8),
cs2
(16),
cs3
(24),
cs4
(32),
cs5
(40),
cs6
(48),
cs7
(56),
default
(0), or
ef
(46).
fragment
Applies the rule only to
non-first fragments.
If you do not specify this keyword, the rule applies to
all fragments and non-fragments.
logging
Logs matching packets.
This feature requires that the module (for example,
packet filtering) that uses the ACL supports logging.
time-range
Specifies a time range for The time-range-name argument is a
To Next Page
Loading...
