Configuring ACL - ACL Configuration
Configuration Guide, page 595
Step 3 access-list ip acl-id-or-name rule {auto | rule-id} {deny | permit} logging {enable | disable} [sip sip-address sip-mask sip-address-mask] [dip dip-address dip-mask dip-address-mask] [dscp dscp-value] [tos tos-value] [pre pre-value] [frag {enable | disable}] [protocol protocol [s-port s-port-number s-port-mask s-port-mask] [d-port d-port-number d-port-mask d-port-mask] [tcpflag tcpflag]] [tseg time-range-name]
Add rules to the ACL.
acl-id-or-name: Enter the ID or name of the ACL that you want to add a rule to.
auto: The rule ID is assigned automatically, with an interval of 5 between rule IDs.
rule-id: Assign an ID to the rule.
deny | permit: Specify the action to take on packets that match the rule. Deny means discard; permit means forward. The default is permit.
logging {enable | disable}: Enable or disable the logging function for the ACL rule. If "enable" is selected, the number of times the rule has been matched is logged every 5 minutes. With the ACL Counter trap enabled, a related trap is generated whenever the match count changes.
sip-address: Enter the source IP address.
sip-address-mask: Enter the mask of the source IP address. This is required if a source IP address is entered.
dip-address: Enter the destination IP address.
dip-address-mask: Enter the mask of the destination IP address. This is required if a destination IP address is entered.
dscp-value: Specify a DSCP value between 0 and 63.
tos-value: Specify an IP ToS value to be matched, between 0 and 15.
pre-value: Specify an IP Precedence value to be matched, between 0 and 7.
frag {enable | disable}: Enable or disable matching of fragmented packets. The default is disable. When enabled, the rule applies to all fragmented packets and always permits the last fragment of a packet to be forwarded.
protocol: Specify a protocol number between 0 and 255.
s-port-number: With TCP or UDP configured as the protocol, specify the source port number.
s-port-mask: With TCP or UDP configured as the protocol, specify the source port mask as 4 hexadecimal digits.
d-port-number: With TCP or UDP configured as the protocol, specify the destination port number.
d-port-mask: With TCP or UDP configured as the protocol, specify the destination port mask as 4 hexadecimal digits.
tcpflag: With TCP configured as the protocol, specify the flag value using binary digits or * (for example, 01*010*). The default is *, which indicates that the flag is not matched. The flags are URG (Urgent flag), ACK (Acknowledge flag), PSH (Push flag), RST (Reset flag), SYN (Synchronize flag) and FIN (Finish flag).
time-range-name: The name of the time range. The default is No Limit.
Step 4 end
Return to privileged EXEC mode.
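As an added illustration (not code from the guide or the vendor), the following Python evaluates a packet against rules written with the Step 3 parameters, so the reach of a 4-hex-digit port mask or a tcpflag pattern can be checked before a rule is committed. Assumptions: the IP mask and the hex port mask compare only the bits set to 1 (subnet-mask semantics), tcpflag has one position per flag in the order the guide lists them (URG ACK PSH RST SYN FIN), and the Rule class, evaluate function, sample rules and sample packets are all constructed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed tcpflag position order: the order in which the guide lists the flags.
FLAG_ORDER = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")

@dataclass
class Rule:                                   # hypothetical model of one access-list ip rule
    rule_id: int
    action: str                               # "permit" or "deny"
    sip: Optional[Tuple[str, str]] = None     # (sip-address, sip-address-mask)
    dip: Optional[Tuple[str, str]] = None     # (dip-address, dip-address-mask)
    protocol: Optional[int] = None            # 6 = TCP, 17 = UDP
    s_port: Optional[Tuple[int, str]] = None  # (s-port-number, 4-hex-digit s-port-mask)
    d_port: Optional[Tuple[int, str]] = None  # (d-port-number, 4-hex-digit d-port-mask)
    tcpflag: str = "******"                   # one char per flag; '*' = don't care

def ip_match(spec, addr):
    # Assumed mask semantics: 1-bits are compared, 0-bits are wildcards.
    if spec is None:
        return True
    net, mask = (int(ipaddress.IPv4Address(x)) for x in spec)
    return (net & mask) == (int(ipaddress.IPv4Address(addr)) & mask)

def port_match(spec, port):
    # Same assumed semantics for the hex port mask: ffff = one port, fc00 = a 1024-port block.
    if spec is None:
        return True
    mask = int(spec[1], 16)
    return (spec[0] & mask) == (port & mask)

def flag_match(pattern, flags):
    if len(pattern) != len(FLAG_ORDER):
        raise ValueError("tcpflag needs one position per flag: " + " ".join(FLAG_ORDER))
    return all(ch == "*" or ch == ("1" if name in flags else "0")
               for ch, name in zip(pattern, FLAG_ORDER))

def rule_matches(r, pkt):
    if not (ip_match(r.sip, pkt["sip"]) and ip_match(r.dip, pkt["dip"])):
        return False
    if r.protocol is not None and r.protocol != pkt["proto"]:
        return False
    if r.protocol in (6, 17):                 # ports only apply to TCP/UDP rules
        if not (port_match(r.s_port, pkt["sport"]) and port_match(r.d_port, pkt["dport"])):
            return False
    return r.protocol != 6 or flag_match(r.tcpflag, pkt.get("flags", set()))

def evaluate(rules, pkt):
    """(rule_id, action) of the lowest-numbered matching rule, or None if no rule matches."""
    for r in sorted(rules, key=lambda r: r.rule_id):
        if rule_matches(r, pkt):
            return (r.rule_id, r.action)
    return None

# Constructed sample: rule 5 denies new (ACK-clear) TCP segments from 10.10.70.0/24 to host
# 192.168.1.10 on ports 1024-2047 (mask fc00); rule 10 permits everything else.
RULES = [Rule(5, "deny", ("10.10.70.0", "255.255.255.0"), ("192.168.1.10", "255.255.255.255"),
              6, None, (1024, "fc00"), "*0****"),
         Rule(10, "permit")]
PKT_NEW = {"sip": "10.10.70.25", "dip": "192.168.1.10", "proto": 6,
           "sport": 40000, "dport": 1500, "flags": {"SYN"}}
```

Calling evaluate(RULES, PKT_NEW) returns (5, "deny"); the same packet with {"ACK", "PSH"} flags or with dport 80 falls through to rule 10.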