deny

Use this command to create a deny access list rule entry.

Syntax

Standard IP Access List:
deny {source source-wildcard | any | host ip-address} [log | log-verbose]
Extended IP Access List:
deny {protocol-num | ip | esp | gre} {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [dscp code] [precedence value] [tos value] [log | log-verbose]
deny tcp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log | log-verbose]
deny udp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [precedence value] [tos value] [log | log-verbose]
deny icmp {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log | log-verbose]

Parameters

protocol-num Specifies an IPv4 protocol for which to deny access. Valid values are protocol numbers from 0 - 255.
ip Specifies any IPv4 protocol (0 - 255).
esp Specifies the Encapsulating Security Payload protocol.
gre Specifies the Generic Routing Encapsulation protocol.
tcp Specifies the Transmission Control Protocol
udp Specifies the User Datagram Protocol
icmp Specifies the Internet Control Message Protocol.
source Specifies the IPv4 address of the network or host from which the packet is sent.
source-wildcard Specifies the bits to ignore in the source address.
destination Specifies the IPv4 address of the network or host to which the packet will be sent.
destination-wildcard Specifies the bits to ignore in the destination address.
any Specifies that any source or destination (extended access list only) address applies to this rule entry.
host ip-address Specifies a specific host address that will be applied to this rule entry.
msg icmp-msg (Optional) Specifies a single ICMP message type by entering a keyword. Supported message type keywords are provided in ICMP Message Types.
eq | neq | gt | lt {source-port | dest-port} (Optional) Specifies the source or destination port that this deny entry matches. The keywords mean:
  • eq - matches the specified source or destination port
  • gt - matches source or destination ports greater than the value specified
  • lt - matches source or destination ports less than the value specified
  • neq - matches source or destination ports that are not equal to the value specified
range start-port end-port (Optional) Specifies a range of source or destination ports that this deny entry matches.
established (Optional) Specifies that only established TCP connections are matched. A match is made if the ACK or RST bit is set.
dscp code (Optional) Specifies a DiffServ Code Point (DSCP) value to match against this packet's DSCP code. Valid values are 0 - 63, or one of the following keywords:
  • af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, af44 – Assured Forwarding
  • be – best effort
  • cs1 - cs7 – Class Selector
  • ef – Expedited Forwarding
precedence value (Optional) Specifies an IP Precedence value. Valid values are 0 - 7, or in order from high to low: critical, flash, flash-override, immediate, internet, network, priority, routine.
tos value (Optional) Specifies a Type of Service (ToS) value. Valid values are 0 - 15, or max-reliability, max-throughput, min-delay, min-monetary-cost, normal.
log | log-verbose (Optional) Enables syslog or verbose syslog messaging for an ACL rule hit.

Defaults

  • If the msg option is not specified for an ICMP rule, all ICMP message types are denied.
  • If the log or log-verbose options are not specified, syslog messaging does not occur for an ACL rule hit.
  • If a DSCP code is not specified, none is applied to the deny entry.
  • If a precedence value is not specified, none is applied to the deny entry.
  • If a ToS value is not specified, none is applied to the deny entry.

Mode

Configuration command, standard or extended access list configuration.

Usage

Entering an IPv4 protocol number configures the deny entry for that protocol, but limits the configurable parameters to those shown in the protocol-num syntax line. Specifying the tcp, udp, or icmp keyword provides the extended parameter set listed in the syntax for that keyword.

Access list logging is throttled to 1 log message per second. If there are multiple access list rules with logging enabled (log or log-verbose), and more than one frame is transmitted per second that can hit those rules, only the first frame generates a message. Logging is sampled and does not report every time that a rule with logging enabled is hit, so log message counts must not be read as hit counts.

Source and destination wildcard masks are inverted. That is, they specify the “don't care” bits as 1.

The any option is shorthand for 0.0.0.0 255.255.255.255.

Examples

This example enters configuration mode for standard access list 2 and configures a deny entry for source address 10.0.0.1 with a source wildcard of 0.0.255.255:

System(rw-config)->ip access-list standard 2
System(rw-cfg-std-acl)->deny 10.0.0.1 0.0.255.255
System(rw-cfg-std-acl)->

This example enters configuration mode for extended access list 120 and configures a deny entry for the IP protocol with a source address of 20.0.0.1 and a source wildcard of 0.0.255.255, and a destination address of any with a destination wildcard of 0.0.0.255:

System(rw-config)->ip access-list extended 120
System(rw-cfg-ext-acl)->deny ip 20.0.0.1 0.0.255.255 any 0.0.0.255
System(rw-cfg-ext-acl)->
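The following Python evaluator is an added example, not part of this reference and not the vendor's code. It implements the matching rules described above for a subset of the deny/permit syntax: inverted wildcard masks (a 1 bit means "don't care"), the any and host address forms, the eq/neq/gt/lt/range port qualifiers, and established (ACK or RST set). The entry lines, the packet dictionaries, the first-match evaluation order and the implicit deny at the end of a list are assumptions made here to demonstrate the semantics; the page does not state them. It is the kind of check you run on a candidate entry, such as the standard-list example above, to see what it would actually block before it is applied to a live interface.

```python
import ipaddress

ANY = (0, 0)  # 'any' == 0.0.0.0 255.255.255.255: no address bits are compared
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}  # IP protocol numbers for the keywords


def _parse_addr(tokens):
    """Consume one address spec and return ((addr, care_mask), remaining tokens).
    Wildcard masks are inverted, so the bits actually compared are the complement."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wildcard ^ 0xFFFFFFFF), tokens[2:]


def _parse_port(tokens):
    """Consume an optional port qualifier: eq|neq|gt|lt N, or range A B."""
    if tokens and tokens[0] in ("eq", "neq", "gt", "lt"):
        return (tokens[0], int(tokens[1])), tokens[2:]
    if tokens and tokens[0] == "range":
        return ("range", int(tokens[1]), int(tokens[2])), tokens[3:]
    return None, tokens


def parse_entry(line):
    """Parse one deny/permit line (standard entries, or extended ip/tcp/udp/icmp/
    protocol-number entries with port qualifiers, established and log)."""
    tokens = line.split()
    action, tokens = tokens[0], tokens[1:]
    entry = {"action": action}
    if tokens[0] in ("ip", "tcp", "udp", "icmp") or tokens[0].isdigit():
        entry["proto"], tokens = tokens[0], tokens[1:]
        entry["src"], tokens = _parse_addr(tokens)
        entry["sport"], tokens = _parse_port(tokens)
        entry["dst"], tokens = _parse_addr(tokens)
        entry["dport"], tokens = _parse_port(tokens)
    else:  # standard list entry: source address only, any protocol
        entry["proto"] = "ip"
        entry["src"], tokens = _parse_addr(tokens)
        entry["dst"], entry["sport"], entry["dport"] = ANY, None, None
    entry["established"] = "established" in tokens
    entry["log"] = any(t in ("log", "log-verbose") for t in tokens)
    return entry


def _addr_match(spec, ip):
    addr, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def _port_match(spec, port):
    if spec is None:
        return True
    if spec[0] == "range":
        return spec[1] <= port <= spec[2]
    op, value = spec
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[op]


def entry_matches(entry, pkt):
    """pkt keys: src, dst, optional proto (number), sport, dport, tcp_flags (set)."""
    want = entry["proto"]
    if want != "ip":  # 'ip' matches every IPv4 protocol
        want_num = int(want) if want.isdigit() else PROTO_NUM[want]
        if pkt.get("proto") != want_num:
            return False
    if not (_addr_match(entry["src"], pkt["src"]) and _addr_match(entry["dst"], pkt["dst"])):
        return False
    if not (_port_match(entry["sport"], pkt.get("sport", 0))
            and _port_match(entry["dport"], pkt.get("dport", 0))):
        return False
    # established: only reply-direction segments (ACK or RST set) match
    if entry["established"] and not ({"ACK", "RST"} & pkt.get("tcp_flags", set())):
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry decides; no match means deny (implicit deny is assumed here).
    Returns (action, index of the matching entry or None)."""
    for i, entry in enumerate(acl):
        if entry_matches(entry, pkt):
            return entry["action"], i
    return "deny", None


if __name__ == "__main__":
    # The page's standard-list example: wildcard 0.0.255.255 means only the first two octets count
    std = [parse_entry("deny 10.0.0.1 0.0.255.255")]
    for ip in ("10.0.77.5", "10.1.0.1"):  # constructed sample addresses
        print(ip, evaluate(std, {"src": ip, "dst": "198.51.100.1"}))
```

Note that the evaluator does not model the `any 0.0.0.255` destination form used in the extended example above, because `any` already denotes 0.0.0.0 255.255.255.255. In the standard-list run, 10.0.77.5 is denied by entry 0 while 10.1.0.1 falls through to the assumed implicit deny, which is the distinction a log review needs to keep in mind: only the explicit entry can carry the log keyword.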