sequence-number
|
(Optional) Number of the permit statement in the access list. This number determines the order of the statements in the access list. Range is 1 to 2147483644. (By default, the first statement is number 10, and the subsequent statements are incremented by 10.)
|
source
|
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
- Use a 32-bit quantity in four-part dotted-decimal format.
- Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
- Use the host source combination as an abbreviation for a source and source-wildcard of source 0.0.0.0.
|
source-wildcard
|
Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:
- Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
- Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
- Use the host source combination as an abbreviation for a source and source-wildcard of source 0.0.0.0.
|
protocol
|
Name or number of an IP protocol. It can be one of the keywords esp, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, pcp, tcp, or udp, or an integer from 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. ICMP and TCP allow further qualifiers, which are described later in this table.
|
destination
|
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
- Use a 32-bit quantity in four-part dotted-decimal format.
- Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
- Use the host destination combination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
destination-wildcard
|
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
- Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
- Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
- Use the host destination combination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
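The address, wildcard and port-operator rules in the rows above, worked through as an added example (this is not code from the Cisco command reference). It assumes a simplified entry of the form "protocol source [operator port...] destination [operator port...]" with no dscp, ttl, established or flag keywords; a one bit in the wildcard means "ignore this bit", so "any" and "host" expand exactly as the table describes.

```python
import ipaddress

OPERATORS = {"lt", "gt", "eq", "neq", "range"}

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def parse_address_spec(tokens):
    """Expand the three forms on the page into (address, wildcard) ints."""
    if tokens[0] == "any":                  # any == 0.0.0.0 255.255.255.255
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":                 # host A == A 0.0.0.0
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def address_matches(spec, ip):
    """A one bit in the wildcard means 'ignore this bit' of the address."""
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return to_int(ip) & care == addr & care

def port_matches(operator, operands, port):
    if operator == "range":                 # inclusive, needs two port numbers
        return operands[0] <= port <= operands[1]
    value = operands[0]
    return {"lt": port < value, "gt": port > value,
            "eq": port == value, "neq": port != value}[operator]

def parse_port_op(tokens):
    """Optional operator after an address spec; range consumes two operands."""
    if not tokens or tokens[0] not in OPERATORS:
        return None, tokens
    n = 2 if tokens[0] == "range" else 1
    return (tokens[0], [int(t) for t in tokens[1:1 + n]]), tokens[1 + n:]

def ace_matches(ace, proto, src_ip, src_port, dst_ip, dst_port):
    # ace holds the tokens after the action, e.g. "tcp 10.1.0.0 0.0.255.255 any eq 22"
    tokens = ace.split()
    ace_proto, tokens = tokens[0], tokens[1:]
    src, tokens = parse_address_spec(tokens)
    src_op, tokens = parse_port_op(tokens)   # operator after source == source port
    dst, tokens = parse_address_spec(tokens)
    dst_op, tokens = parse_port_op(tokens)   # operator after destination == destination port
    if ace_proto != "ip" and ace_proto != proto:   # ip matches any IP protocol
        return False
    if not (address_matches(src, src_ip) and address_matches(dst, dst_ip)):
        return False
    if src_op and not port_matches(src_op[0], src_op[1], src_port):
        return False
    return not dst_op or port_matches(dst_op[0], dst_op[1], dst_port)
```

A wildcard such as 0.0.255.0 matches every host ending in .1 across all 192.168.x.0 networks, a pattern no prefix length can express, so non-contiguous wildcards deserve a second look when reviewing an access list.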
precedence precedence
|
(Optional) Packets can be filtered by precedence level (as specified by a number from 0 to 7) or by the following names:
- routine—Match packets with routine precedence (0)
- priority—Match packets with priority precedence (1)
- immediate—Match packets with immediate precedence (2)
- flash—Match packets with flash precedence (3)
- flash-override—Match packets with flash override precedence (4)
- critical—Match packets with critical precedence (5)
- internet—Match packets with internetwork control precedence (6)
- network—Match packets with network control precedence (7)
|
capture
|
Captures matching traffic.
When the acl command is configured on the source mirroring port, if the ACL configuration command does not use the capture keyword, no traffic gets mirrored. If the ACL configuration uses the capture keyword, but the acl command is not configured on the source port, then the whole port traffic is mirrored and the capture action does not have any effect.
|
dscp dscp
|
(Optional) Differentiated services code point (DSCP) provides quality of service control. The values for dscp are as follows:
- 0–63—Differentiated services codepoint value
- af11—Match packets with AF11 dscp (001010)
- af12—Match packets with AF12 dscp (001100)
- af13—Match packets with AF13 dscp (001110)
- af21—Match packets with AF21 dscp (010010)
- af22—Match packets with AF22 dscp (010100)
- af23—Match packets with AF23 dscp (010110)
- af31—Match packets with AF31 dscp (011010)
- af32—Match packets with AF32 dscp (011100)
- af33—Match packets with AF33 dscp (011110)
- af41—Match packets with AF41 dscp (100010)
- af42—Match packets with AF42 dscp (100100)
- af43—Match packets with AF43 dscp (100110)
- cs1—Match packets with CS1 (precedence 1) dscp (001000)
- cs2—Match packets with CS2 (precedence 2) dscp (010000)
- cs3—Match packets with CS3 (precedence 3) dscp (011000)
- cs4—Match packets with CS4 (precedence 4) dscp (100000)
- cs5—Match packets with CS5 (precedence 5) dscp (101000)
- cs6—Match packets with CS6 (precedence 6) dscp (110000)
- cs7—Match packets with CS7 (precedence 7) dscp (111000)
- default—Default DSCP (000000)
- ef—Match packets with EF dscp (101110)
|
dscp range dscp dscp
|
(Optional) Differentiated services code point (DSCP) provides quality of service control. The values for dscp are as follows:
- 0–63—Differentiated services codepoint value
- af11—Match packets with AF11 dscp (001010)
- af12—Match packets with AF12 dscp (001100)
- af13—Match packets with AF13 dscp (001110)
- af21—Match packets with AF21 dscp (010010)
- af22—Match packets with AF22 dscp (010100)
- af23—Match packets with AF23 dscp (010110)
- af31—Match packets with AF31 dscp (011010)
- af32—Match packets with AF32 dscp (011100)
- af33—Match packets with AF33 dscp (011110)
- af41—Match packets with AF41 dscp (100010)
- af42—Match packets with AF42 dscp (100100)
- af43—Match packets with AF43 dscp (100110)
- cs1—Match packets with CS1 (precedence 1) dscp (001000)
- cs2—Match packets with CS2 (precedence 2) dscp (010000)
- cs3—Match packets with CS3 (precedence 3) dscp (011000)
- cs4—Match packets with CS4 (precedence 4) dscp (100000)
- cs5—Match packets with CS5 (precedence 5) dscp (101000)
- cs6—Match packets with CS6 (precedence 6) dscp (110000)
- cs7—Match packets with CS7 (precedence 7) dscp (111000)
- default—Default DSCP (000000)
- ef—Match packets with EF dscp (101110)
|
fragments
|
(Optional) Causes the software to examine noninitial fragments of IPv4 packets when applying this access list entry. When this keyword is specified, fragments are subject to the access list entry.
|
log
|
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers.
The message is generated for the first packet that matches a flow, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
|
ttl
|
(Optional) Turns on matching against the time-to-live (TTL) value.
|
ttl value [value1 ... value2]
|
(Optional) TTL value used for filtering. Range is 1 to 255.
If only value is specified, the match is against this value.
If both value1 and value2 are specified, the packet TTL is matched against the range of TTLs between value1 and value2.
|
icmp-type
|
(Optional) ICMP message type for filtering ICMP packets. Range is from 0 to 255.
|
icmp-code
|
(Optional) ICMP message code for filtering ICMP packets. Range is from 0 to 255.
|
igmp-type
|
(Optional) IGMP message type (0 to 15) or message name for filtering IGMP packets, as follows:
- dvmrp
- host-query
- host-report
- mtrace
- mtrace-response
- pim
- precedence
- trace
- v2-leave
- v2-report
- v3-report
|
operator
|
(Optional) Operator is used to compare source or destination ports. Possible operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard values, it must match the source port.
If the operator is positioned after the destination and destination-wildcard values, it must match the destination port.
If the operator is positioned after the ttl keyword, it matches the TTL value.
The range operator requires two port numbers. All other operators require one port number.
|
port
|
Decimal number of a TCP or UDP port. Range is 0 to 65535.
TCP ports can be used only when filtering TCP. UDP ports can be used only when filtering UDP.
|
protocol-port
|
Name of a TCP or UDP port. TCP and UDP port names are listed in the “Usage Guidelines” section.
TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.
|
established
|
(Optional) For the TCP protocol only: Indicates an established connection.
|
match-any
|
(Optional) For the TCP protocol only: Filters on any combination of TCP flags.
|
match-all
|
(Optional) For the TCP protocol only: Filters on all TCP flags.
|
+ or -
|
(Required) For the TCP protocol match-any, match-all: Prefix flag-name with + or -. Use the +flag-name argument to match packets with the TCP flag set. Use the -flag-name argument to match packets when the TCP flag is not set.
|
flag-name
|
(Optional) For the TCP protocol match-any, match-all. Flag names are: ack, fin, psh, rst, syn, urg.
|
counter
|
(Optional) Enables accessing ACL counters using SNMP query.
|
counter-name
|
Defines an ACL counter name.
|