{deny | permit} (IP ACL)

This command creates a new rule for the current IP access list. A rule may either deny or permit traffic according to the specified classification fields. At a minimum, either the every keyword or the protocol, source address, and destination address values must be specified. The source and destination IP address fields may be specified using the keyword any to indicate a match on any value in that field. The remaining command parameters are all optional, but the most frequently used parameters appear in the same relative order as shown in the command format.

Format [sequence-number] {deny | permit} {every | {{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0 -255} {srcip srcmask | any | host srcip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535} ] {dstip dstmask | any | host dstip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535} ] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [ tosmask] | dscp dscp]| [ttl eq 0-255]}} [time-range time-range-name] [log] [assign-queue queue-id] [rate-limit rate burst-size]
Mode Ipv4-Access-List Config
Note

Note

An implicit deny all IP rule always terminates the access list.
Note

Note

For IPv4, the following are not supported for egress ACLs:
  • A match on port ranges.
  • The rate-limit command.

The time-range parameter allows imposing time limitation on the IP ACL rule as defined by the specified time range. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied immediately. If a time range with specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, then the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive. For information about configuring time ranges, see Time Range Commands for Time-Based ACLs.

The assign-queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule. The allowed queue-id value is 0-(n-1), where n is the number of user configurable queues available for the hardware platform. The assign-queue parameter is valid only for a permit rule.

The permit command‘s optional attribute rate-limit allows you to permit only the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes.

Parameter Description
sequence-number The sequence-number specifies the sequence number for the ACL rule. The sequence number is specified by the user or is generated by device.

If a sequence number is not specified for the rule, a sequence number that is 10 greater than the last sequence number in ACL is used and this rule is placed at the end of the list. If this is the first ACL rule in the given ACL, a sequence number of 10 is assigned. If the calculated sequence number exceeds the maximum sequence number value, the ACL rule creation fails. A rule cannot be created that duplicates an already existing one and a rule cannot be configured with a sequence number that is already used for another rule.

For example, if user adds new ACL rule to ACL without specifying a sequence number, it is placed at the bottom of the list. By changing the sequence number, the user can move the ACL rule to a different position in the ACL.

{deny | permit} Specifies whether the IP ACL rule permits or denies the matching traffic.
every Match every packet.
{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0 -255} Specifies the protocol to match for the IP ACL rule.
srcip srcmask | any | host srcip Specifies a source IP address and source netmask to match for the IP ACL rule.

Specifying “any” implies specifying srcip as “0.0.0.0” and srcmask as “255.255.255.255”.

Specifying “host A.B.C.D” implies srcip as “A.B.C.D” and srcmask as “0.0.0.0”.

[{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535} ] This option is available only if the protocol is tcp or udp.

Specifies the layer 4 port match condition for the IP ACL rule. Port number can be used, which ranges from 0-65535, or the portkey, which can be one of the following keywords:

  • For tcp protocol: bgp, domain, echo, ftp, ftp-data, http, smtp, telnet, www, pop2, pop3
  • For udp protocol: domain, echo, ntp, rip, snmp, tftp, time, who

    Each of these keywords translates into its equivalent port number.

    When range is specified, the IP ACL rule matches only if the layer 4 port number falls within the specified port range. The startport and endport parameters identify the first and last ports that are part of the port range. They have values from 0 to 65535. The ending port must have a value equal to or greater than the starting port. The starting port, ending port, and all ports in between will be part of the layer 4 port range.

    When eq is specified, IP ACL rule matches only if the layer 4 port number is equal to the specified port number or portkey.

    When lt is specified, IP ACL rule matches if the layer 4 port number is less than the specified port number or portkey. It is equivalent to specifying the range as 0 to specified port number – 1.

    When gt is specified, IP ACL rule matches if the layer 4 port number is greater than the specified port number or portkey. It is equivalent to specifying the range as specified port number + 1 to 65535.

    When neq is specified, IP ACL rule matches only if the layer 4 port number is not equal to the specified port number or port key. Two rules are added in the hardware one with range equal to 0 to specified port number - 1 and one with range equal to specified port number + 1 to 65535.

    Port number matches only apply to unfragmented or first fragments.

dstip dstmask | any | host dstip Specifies a destination IP address and netmask for match condition of the IP ACL rule.

Specifying any implies specifying dstip as 0.0.0.0 and dstmask as 255.255.255.255.

Specifying host A.B.C.D implies dstip as A.B.C.D and dstmask as 0.0.0.0.

[precedence precedence | tos tos [tosmask] | dscp dscp] Specifies the TOS for an IP ACL rule depending on a match of precedence or DSCP values using the parameters dscp, precedence, tos/tosmask.

tosmask is an optional parameter.

flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established] Specifies that the IP ACL rule matches on the tcp flags.

When +tcpflagname is specified, a match occurs if the specified tcpflagname flag is set in the TCP header.

When -tcpflagname is specified, a match occurs if the specified tcpflagname flag is NOT set in the TCP header.

When established is specified, a match occurs if either the specified RST or ACK bits are set in the TCP header. Two rules are installed in hardware to when the established option is specified.

This option is available only if protocol is tcp.

[icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] This option is available only if the protocol is ICMP (Internet Control Message Protocol).

Specifies a match condition for ICMP packets.

When icmp-type is specified, IP ACL rule matches on the specified ICMP message type, a number from 0 to 255.

When icmp-code is specified, IP ACL rule matches on the specified ICMP message code, a number from 0 to 255.

Specifying icmp-message implies both icmp-type and icmp-code are specified. The following icmp-messages are supported: echo, echo-reply, host-redirect, mobile-redirect, net-redirect, net-unreachable, redirect, packet-too-big, port-unreachable, source-quench, router-solicitation, router-advertisement, time-exceeded, ttl-exceeded and unreachable.

The ICMP message is decoded into corresponding ICMP type and ICMP code within that ICMP type.

igmp-type igmp-type This option is visible only if the protocol is IGMP (Internet Group Management Protocol).

When igmp-type is specified, the IP ACL rule matches on the specified IGMP message type, a number from 0 to 255.

fragments Specifies that IP ACL rule matches on fragmented IP packets.
ttl eq Specifies that the IP ACL rule matches on packets with the specified Time To Live (TTL) value.
log Specifies that this rule is to be logged.
time-range time-range-name Allows imposing a time limitation on the ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, the ACL rule is applied immediately. If a time range with specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive.
assign-queue queue-id Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned.
rate-limit rate burst-size Specifies the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes.

The following shows an example of the command.

(Extreme 220) (Config) (Config)#ip access-list ip1
(Extreme 220) (Config-ipv4-acl)#permit icmp any any rate-limit 32 16
(Extreme 220) (Config-ipv4-acl)#exit