| Syntax | Description |
|---|---|
| *sequence-number* | (Optional) Number of the `permit` statement in the access list. This number determines the order of the statements in the access list. Range is 1 to 2147483644. (By default, the first statement is number 10, and subsequent statements are incremented by 10.) Use the `resequence access-list` command to change the number of the first statement and the increment of the subsequent statements of a configured access list. |
| *source* | Number of the network or host from which the packet is being sent. There are three ways to specify the source: a 32-bit quantity in four-part dotted-decimal format; the `any` keyword, an abbreviation for a *source* and *source-wildcard* of 0.0.0.0 255.255.255.255; or the `host` *source* combination, an abbreviation for a *source* and *source-wildcard* of *source* 0.0.0.0. |
| *source-wildcard* | Wildcard bits to be applied to the source. There are three ways to specify the source wildcard: a 32-bit quantity in four-part dotted-decimal format, with ones in the bit positions you want to ignore; the `any` keyword, an abbreviation for a *source* and *source-wildcard* of 0.0.0.0 255.255.255.255; or the `host` *source* combination, an abbreviation for a *source* and *source-wildcard* of *source* 0.0.0.0. |
| *protocol* | Name or number of an IP protocol. It can be one of the keywords `ahp`, `esp`, `eigrp`, `gre`, `icmp`, `igmp`, `igrp`, `ip`, `ipinip`, `nos`, `ospf`, `pim`, `pcp`, `tcp`, or `udp`, or an integer from 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the `ip` keyword. ICMP and TCP allow further qualifiers, which are described later in this table. |
| *destination* | Number of the network or host to which the packet is being sent. There are three ways to specify the destination: a 32-bit quantity in four-part dotted-decimal format; the `any` keyword, an abbreviation for a *destination* and *destination-wildcard* of 0.0.0.0 255.255.255.255; or the `host` *destination* combination, an abbreviation for a *destination* and *destination-wildcard* of *destination* 0.0.0.0. |
| *destination-wildcard* | Wildcard bits to be applied to the destination. There are three ways to specify the destination wildcard: a 32-bit quantity in four-part dotted-decimal format, with ones in the bit positions you want to ignore; the `any` keyword, an abbreviation for a *destination* and *destination-wildcard* of 0.0.0.0 255.255.255.255; or the `host` *destination* combination, an abbreviation for a *destination* and *destination-wildcard* of *destination* 0.0.0.0. |
| `net-group` *source-net-object-group-name* | IPv4 source network object group and group name. |
| `port-group` *source-port-object-group-name* | Source port object group and group name. |
| `net-group` *destination-net-object-group-name* | IPv4 destination network object group and group name. |
| `port-group` *destination-port-object-group-name* | Destination port object group and group name. |
| `precedence` *precedence* | (Optional) Packets can be filtered by precedence level, specified as a number from 0 to 7 or by one of the following names: `routine` (routine precedence, 0), `priority` (1), `immediate` (2), `flash` (3), `flash-override` (flash override, 4), `critical` (5), `internet` (internetwork control, 6), `network` (network control, 7). |
| `default` | (Optional) Specifies the default next hop for this entry. If the `default` keyword is configured, the ACL-based forwarding action is taken only if the PLU lookup for the destination of the packet resolves to a default route; that is, no specific route to the destination of the packet is found. |
| `capture` | Captures matching traffic. When the `acl` command is configured on the source mirroring port and the ACL configuration command does not use the `capture` keyword, no traffic is mirrored. If the ACL configuration uses the `capture` keyword but the `acl` command is not configured on the source port, the whole port traffic is mirrored and the `capture` action has no effect. |
| *ipv4-address1 ipv4-address2 ipv4-address3* | (Optional) Uses one to three next-hop addresses. The IP address types are defined as follows. Default IP addresses specify the next-hop router in the path toward the destination to which the packets must be forwarded if there is no explicit route for the destination address of the packet in the routing table. Specified IP addresses specify the next-hop router in the path toward the destination to which the packets must be forwarded. In both cases, the first IP address that is associated with a connected interface that is currently up is used to route the packets. |
| `dscp` *dscp* | (Optional) Differentiated services code point (DSCP) provides quality of service control. The values for *dscp* are: 0–63, a differentiated services codepoint value; `af11` (001010), `af12` (001100), `af13` (001110), `af21` (010010), `af22` (010100), `af23` (010110), `af31` (011010), `af32` (011100), `af33` (011110), `af41` (100010), `af42` (100100), `af43` (100110), each matching packets with that AF DSCP; `cs1` (precedence 1, 001000), `cs2` (precedence 2, 010000), `cs3` (precedence 3, 011000), `cs4` (precedence 4, 100000), `cs5` (precedence 5, 101000), `cs6` (precedence 6, 110000), `cs7` (precedence 7, 111000), each matching packets with that CS DSCP; `default`, the default DSCP (000000); and `ef`, matching packets with EF DSCP (101110). |
| `dscp range` *dscp dscp* | (Optional) Matches packets whose DSCP value falls within the range between the two *dscp* values. Each *dscp* accepts the same values (0–63, `af11` through `af43`, `cs1` through `cs7`, `default`, and `ef`) listed for the `dscp` keyword above. |
| `fragments` | (Optional) Causes the software to examine noninitial fragments of IPv4 packets when applying this access list entry. When this keyword is specified, fragments are subject to the access list entry. |
| `log` | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the `logging console` command.) The message includes the access list number; whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches a flow, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
| `log-input` | (Optional) Provides the same function as the `log` keyword, except that the logging message also includes the input interface. |
| *nexthop1, nexthop2, nexthop3* | (Optional) Forwards matching packets to the specified next hop for this entry. |
| `track` *track-name* | Specifies the track name for this next hop. |
| `ttl` | (Optional) Turns on matching against the time-to-live (TTL) value. |
| `ttl` *value* [*value1* ... *value2*] | (Optional) TTL value used for filtering. Range is 1 to 255. If only *value* is specified, the match is against this value. If both *value1* and *value2* are specified, the packet TTL is matched against the range of TTLs between *value1* and *value2*. |
| `icmp-off` | (Optional) Turns off ICMP generation for denied packets. |
| *icmp-type* | (Optional) ICMP message type for filtering ICMP packets. Range is from 0 to 255. |
| *icmp-code* | (Optional) ICMP message code for filtering ICMP packets. Range is from 0 to 255. |
| *igmp-type* | (Optional) IGMP message type (0 to 15) or message name for filtering IGMP packets. Message names are `dvmrp`, `host-query`, `host-report`, `mtrace`, `mtrace-response`, `pim`, `precedence`, `trace`, `v2-leave`, `v2-report`, and `v3-report`. |
| *operator* | (Optional) Operator used to compare source or destination ports. Possible operands are `lt` (less than), `gt` (greater than), `eq` (equal), `neq` (not equal), and `range` (inclusive range). If the operator is positioned after the *source* and *source-wildcard* values, it must match the source port. If the operator is positioned after the *destination* and *destination-wildcard* values, it must match the destination port. If the operator is positioned after the `ttl` keyword, it matches the TTL value. The `range` operator requires two port numbers; all other operators require one port number. |
| *port* | Decimal number of a TCP or UDP port. Range is 0 to 65535. TCP ports can be used only when filtering TCP. UDP ports can be used only when filtering UDP. |
| *protocol-port* | Name of a TCP or UDP port. TCP and UDP port names are listed in the "Usage Guidelines" section. TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP. |
| `established` | (Optional) For the TCP protocol only: indicates an established connection. |
| `match-any` | (Optional) For the TCP protocol only: filters on any combination of TCP flags. |
| `match-all` | (Optional) For the TCP protocol only: filters on all TCP flags. |
| `+` or `-` | (Required) For the TCP protocol with `match-any` or `match-all`: prefix *flag-name* with `+` or `-`. Use the `+`*flag-name* argument to match packets with the TCP flag set. Use the `-`*flag-name* argument to match packets when the TCP flag is not set. |
| *flag-name* | (Optional) For the TCP protocol with `match-any` or `match-all`. Flag names are `ack`, `fin`, `psh`, `rst`, and `syn`. |
| `counter` | (Optional) Enables accessing ACL counters using an SNMP query. The `counter` *counter-name* keyword is available on Cisco ASR 9000 Enhanced Ethernet Line Cards only. |
| *counter-name* | Defines an ACL counter name. |
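As an added illustration of the matching semantics this table describes (this is example code written for this page, not Cisco software and not taken from the original), the following Python model evaluates constructed packets against constructed `permit`/`deny` entries: wildcard-mask comparison for *source* and *destination* including the `any` and `host` abbreviations, the `lt`/`gt`/`eq`/`neq`/`range` operators applied to ports and to the TTL, `match-any`/`match-all` with `+`/`-` *flag-name*, first-match evaluation in sequence-number order, and a `resequence` helper that mirrors what `resequence access-list` does to the numbering. The `Packet` and `Entry` classes, every function name, the sample addresses in `SAMPLE_ACL`, and the implicit final deny are assumptions of this example rather than page content (the implicit deny is standard Cisco ACL behaviour that the table does not restate).

```python
"""Constructed model of IPv4 ACL entry matching (added example, not Cisco's code)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

# (operator, operands), e.g. ("eq", (443,)) or ("range", (8000, 8080)); None = no check
Condition = Optional[tuple[str, tuple[int, ...]]]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits: a 1 means 'ignore this bit' (the inverse of a subnet mask)."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)          # compare only the bits the wildcard keeps


def parse_address(spec: str) -> tuple[str, str]:
    """Expand the three spellings from the table: 'any', 'host A', or 'A WILDCARD'."""
    parts = spec.split()
    if parts == ["any"]:
        return "0.0.0.0", "255.255.255.255"
    if parts[0] == "host":
        return parts[1], "0.0.0.0"
    return parts[0], parts[1]


def compare(cond: Condition, value: int) -> bool:
    """lt/gt/eq/neq take one operand; range takes two and is inclusive."""
    if cond is None:
        return True
    op, operands = cond
    if op == "range":
        return operands[0] <= value <= operands[1]
    return {"lt": value < operands[0], "gt": value > operands[0],
            "eq": value == operands[0], "neq": value != operands[0]}[op]


def flags_match(mode: Optional[str], names: tuple[str, ...], set_flags: frozenset[str]) -> bool:
    """'+flag' requires the flag set, '-flag' requires it clear. match-any needs one
    condition to hold; match-all needs every condition to hold."""
    if mode is None:
        return True
    checks = [(n[1:] in set_flags) == (n[0] == "+") for n in names]
    return any(checks) if mode == "match-any" else all(checks)


@dataclass
class Packet:                      # constructed packet summary (assumption of this example)
    src: str
    dst: str
    protocol: str                  # "tcp", "udp", "icmp", ...
    ttl: int = 64
    sport: int = 0
    dport: int = 0
    flags: frozenset[str] = frozenset()


@dataclass
class Entry:                       # one permit/deny statement (assumption of this example)
    seq: int
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" matches every IP protocol
    source: str
    destination: str
    src_port: Condition = None
    dst_port: Condition = None
    ttl: Condition = None
    flags_mode: Optional[str] = None   # "match-any" or "match-all"
    flags: tuple[str, ...] = ()

    def matches(self, p: Packet) -> bool:
        return (self.protocol in ("ip", p.protocol)
                and wildcard_match(p.src, *parse_address(self.source))
                and wildcard_match(p.dst, *parse_address(self.destination))
                and compare(self.src_port, p.sport)
                and compare(self.dst_port, p.dport)
                and compare(self.ttl, p.ttl)
                and flags_match(self.flags_mode, self.flags, p.flags))


def evaluate(acl: list[Entry], p: Packet) -> tuple[Optional[int], str]:
    """First match in sequence-number order decides. No match falls to the implicit
    deny that ends every Cisco ACL (standard behaviour; an assumption here, not in the table)."""
    for e in sorted(acl, key=lambda e: e.seq):
        if e.matches(p):
            return e.seq, e.action
    return None, "deny"


def resequence(acl: list[Entry], start: int = 10, step: int = 10) -> list[int]:
    """Renumber entries in their current order, as `resequence access-list` does."""
    for i, e in enumerate(sorted(acl, key=lambda e: e.seq)):
        e.seq = start + i * step
    return [e.seq for e in sorted(acl, key=lambda e: e.seq)]


# Constructed sample ACL: addresses are documentation ranges, chosen for this example only.
SAMPLE_ACL = [
    Entry(10, "deny", "ip", "any", "any", ttl=("lt", (2,))),
    Entry(20, "permit", "tcp", "any", "host 192.0.2.10", dst_port=("eq", (443,))),
    Entry(30, "permit", "tcp", "10.0.0.0 0.0.0.255", "host 192.0.2.20",
          dst_port=("range", (8000, 8080)), flags_mode="match-all", flags=("+syn", "-ack")),
    Entry(40, "permit", "udp", "any", "any", dst_port=("eq", (53,))),
]

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", "192.0.2.10", "tcp", sport=51000, dport=443),
                Packet("10.0.0.55", "192.0.2.20", "tcp", dport=8080, flags=frozenset({"syn"})),
                Packet("10.0.0.55", "192.0.2.20", "tcp", dport=8080, flags=frozenset({"syn", "ack"})),
                Packet("203.0.113.9", "192.0.2.53", "udp", ttl=1, dport=53)):
        print(pkt.src, "->", pkt.dst, evaluate(SAMPLE_ACL, pkt))
```

The two things this makes concrete that the table only states are the wildcard semantics (a 1 bit in *source-wildcard* means "do not compare", so 10.0.1.5 does not match 10.0.0.0 0.0.0.255) and the consequence of sequence ordering: the TTL deny at sequence 10 wins for a UDP/53 packet with TTL 1 even though sequence 40 would permit it, which is exactly the kind of shadowing a reviewer checks for before applying an ACL.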