Command Line Interface
4-94
4
• destination-bitmask – Destination address of rule must match this bitmask.
• precedence – Check the IP precedence field.
• tos – Check the TOS field.
• dscp – Check the DSCP field.
• source-port – Check the protocol source port field.
• destination-port – Check the protocol destination port field.
• port-bitmask – Protocol port of rule must match this bitmask.
(Range: 0-65535)
• control-flag – Check the field for control flags.
• flag-bitmask – Control flags of rule must match this bitmask. (Range: 0-63)
Default Setting
None
Command Mode
IP Mask
Command Usage
• Packets crossing a port are checked against all the rules in the ACL until a
match is found. The order in which these packets are checked is determined
by the mask, and not the order in which the ACL rules were entered.
• First create the required ACLs and ingress or egress masks before mapping
an ACL to an interface.
• If you enter dscp, you cannot enter tos or precedence. You can enter both
tos and precedence without dscp.
• Masks that include an entry for a Layer 4 protocol source port or destination
port can only be applied to packets with a header length of exactly five bytes.
Example
This example creates an IP ingress mask with two rules. Each rule is checked in
order of precedence to look for a match in the ACL entries. The first entry matching
a mask is applied to the inbound packet.
Console(config)#access-list ip mask-precedence in
Console(config-ip-mask-acl)#mask host any
Console(config-ip-mask-acl)#mask 255.255.255.0 any
Console(config-ip-mask-acl)#