Extended IP ACL Commands
When an ACL is created without any rule and then applied to an interface, ACL behavior reflects an
implicit permit.
The following commands configure extended IP ACLs, which in addition to the IP address, also examine
the packet’s protocol type.
The platform supports both Ingress and Egress IP ACLs.
NOTE: Also refer to the Commands Common to all ACL Types and Common IP ACL Commands
sections.
deny
Configure a filter that drops IP packets meeting the filter criteria.
Syntax
deny {ip | ip-protocol-number} {source mask | any | host ip-
address} {destination mask | any | host ip-address} [count
[byte] | log] [dscp value] [order] [monitor] [fragments] [no-
drop]
To remove this filter, you have two choices:
• Use the no seq sequence-number command if you know the filter’s
sequence number.
• Use the no deny {ip | ip-protocol-number} {source mask | any |
host ip-address} {destination mask | any | host ip-address}
command.
Parameters
ip Enter the keyword ip to configure a generic IP access list.
The keyword
ip specifies that the access list denies all IP
protocols.
ip-protocol-
number
Enter a number from 0 to 255 to deny based on the protocol
identified in the IP protocol header.
source Enter the IP address of the network or host from which the
packets were sent.
mask Enter a network mask in /prefix format (/x) or A.B.C.D. The
mask, when specified in A.B.C.D format, may be either
contiguous or noncontiguous.
any Enter the keyword any to specify that all routes are subject
to the filter.
host ip-address Enter the keyword host then the IP address to specify a host
IP address.
destination Enter the IP address of the network or host to which the
packets are sent.
Access Control Lists (ACL)
239