This command creates a new rule for the current IP access list. A rule may either deny or permit traffic according to the specified classification fields. At a minimum, either the every keyword or the protocol, source address, and destination address values must be specified. The source and destination IP address fields may be specified using the keyword any to indicate a match on any value in that field. The remaining command parameters are all optional, but the most frequently used parameters appear in the same relative order as shown in the command format.
Format | [sequence-number] {deny | permit} {every | {{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} {srcip srcmask | any | host srcip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] {dstip dstmask | any | host dstip} [{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] [flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos [tosmask] | dscp dscp]| [ttl eq 0-255]}} [time-range time-range-name] [log] [assign-queue queue-id] [rate-limit rate burst-size] |
Mode | Ipv4-Access-List Config |
Note
An implicit deny all IP rule always terminates the access list.
Note
For IPv4, the following are not supported for egress ACLs:
The time-range parameter imposes a time limitation on the IP ACL rule as defined by the specified time range. If no time range with the specified name exists and the ACL containing this rule is applied to an interface or bound to a VLAN, the rule takes effect immediately. If a time range with the specified name exists and the ACL containing this rule is applied to an interface or bound to a VLAN, the rule takes effect when that time range becomes active and is removed when the time range becomes inactive. For information about configuring time ranges, see Time Range Commands for Time-Based ACLs.
The assign-queue parameter allows specification of a particular hardware queue for handling traffic that matches this rule. The allowed queue-id value is 0-(n-1), where n is the number of user configurable queues available for the hardware platform. The assign-queue parameter is valid only for a permit rule.
The optional rate-limit attribute of the permit command permits matching traffic only up to the configured rate, given in kbps, with the burst-size given in kbytes.
Parameter | Description |
---|---|
sequence-number | The sequence number of the ACL rule. It is either specified by the user or generated by the device. If no sequence number is specified, the rule receives a sequence number 10 greater than the last sequence number in the ACL and is placed at the end of the list; the first rule in an ACL receives sequence number 10. If the calculated sequence number exceeds the maximum sequence number value, rule creation fails. A rule cannot be created that duplicates an existing one, and a rule cannot be configured with a sequence number already used by another rule. For example, a rule added without a sequence number is placed at the bottom of the list; by assigning a different sequence number, the user can move the rule to another position in the ACL. |
{deny | permit} | Specifies whether the IP ACL rule permits or denies the matching traffic. |
every | Match every packet. |
{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim | tcp | udp | 0-255} | Specifies the protocol to match for the IP ACL rule, either by keyword or by IP protocol number. |
srcip srcmask | any | host srcip | Specifies a source IP address and source netmask to match for the IP ACL rule. Specifying any implies srcip 0.0.0.0 and srcmask 255.255.255.255. Specifying host A.B.C.D implies srcip A.B.C.D and srcmask 0.0.0.0. |
[{range {portkey | startport} {portkey | endport} | {eq | neq | lt | gt} {portkey | 0-65535}] | This option is available only if the protocol is tcp or udp. Specifies the layer 4 port match condition for the IP ACL rule. Either a port number in the range 0-65535 or a portkey may be used; the portkey can be one of the following keywords: |
dstip dstmask | any | host dstip | Specifies a destination IP address and netmask to match for the IP ACL rule. Specifying any implies dstip 0.0.0.0 and dstmask 255.255.255.255. Specifying host A.B.C.D implies dstip A.B.C.D and dstmask 0.0.0.0. |
[precedence precedence | tos tos [tosmask] | dscp dscp] | Specifies the TOS match for the IP ACL rule as a match on the precedence, tos/tosmask, or dscp value. tosmask is optional. |
flag [+fin | -fin] [+syn | -syn] [+rst | -rst] [+psh | -psh] [+ack | -ack] [+urg | -urg] [established] | Specifies that the IP ACL rule matches on TCP flags. When +tcpflagname is specified, a match occurs if that flag is set in the TCP header. When -tcpflagname is specified, a match occurs if that flag is NOT set in the TCP header. When established is specified, a match occurs if either the RST or the ACK bit is set in the TCP header; two rules are installed in hardware when the established option is specified. This option is available only if the protocol is tcp. |
[icmp-type icmp-type [icmp-code icmp-code] | icmp-message icmp-message] | This option is available only if the protocol is ICMP (Internet Control Message Protocol). Specifies a match condition for ICMP packets. When icmp-type is specified, IP ACL rule matches on the specified ICMP message type, a number from 0 to 255. When icmp-code is specified, IP ACL rule matches on the specified ICMP message code, a number from 0 to 255. Specifying icmp-message implies both icmp-type and icmp-code are specified. The following icmp-messages are supported: echo, echo-reply, host-redirect, mobile-redirect, net-redirect, net-unreachable, redirect, packet-too-big, port-unreachable, source-quench, router-solicitation, router-advertisement, time-exceeded, ttl-exceeded and unreachable. The ICMP message is decoded into corresponding ICMP type and ICMP code within that ICMP type. |
igmp-type igmp-type | This option is visible only if the protocol is IGMP (Internet Group Management Protocol). When igmp-type is specified, the IP ACL rule matches on the specified IGMP message type, a number from 0 to 255. |
fragments | Specifies that IP ACL rule matches on fragmented IP packets. |
ttl eq 0-255 | Specifies that the IP ACL rule matches on packets with the specified Time To Live (TTL) value. |
log | Specifies that this rule is to be logged. |
time-range time-range-name | Allows imposing a time limitation on the ACL rule as defined by the parameter time-range-name. If a time range with the specified name does not exist and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, the ACL rule is applied immediately. If a time range with specified name exists and the ACL containing this ACL rule is applied to an interface or bound to a VLAN, the ACL rule is applied when the time-range with specified name becomes active. The ACL rule is removed when the time-range with specified name becomes inactive. |
assign-queue queue-id | Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned. |
rate-limit rate burst-size | Specifies the allowed rate of traffic as per the configured rate in kbps, and burst-size in kbytes. |
The following shows an example of the command.
(Extreme 220) (Config)#ip access-list ip1
(Extreme 220) (Config-ipv4-acl)#permit icmp any any rate-limit 32 16
(Extreme 220) (Config-ipv4-acl)#exit
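The rule semantics in the table above (wildcard srcmask/dstmask with any and host, first-match evaluation in sequence order, the trailing implicit deny all, established meaning RST or ACK, and the sequence-number allocation and duplicate checks) are easy to get wrong when reviewing a list by eye. The following Python model is an added example written for this page, not device code from Extreme or the page's author. It assumes a maximum sequence number (MAX_SEQ), a dictionary-based packet representation, and the constructed addresses in build_example(); it does not model time-range, assign-queue, rate-limit, ICMP/IGMP type, fragments, TOS or TTL matching.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MAX_SEQ = 2147483647   # assumption: the page does not state the maximum sequence number
# IANA protocol numbers for the protocol keywords in the Format line
PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "ipinip": 4, "tcp": 6, "udp": 17,
                 "gre": 47, "eigrp": 88, "ospf": 89, "pim": 103}

def mask_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard mask: a 1 bit is 'do not care' (any = 0.0.0.0/255.255.255.255, host X = X/0.0.0.0)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) | w) == (int(ipaddress.IPv4Address(rule_addr)) | w)

def port_match(clause: Optional[tuple], port: int) -> bool:
    """clause: None (no condition), ("eq"|"neq"|"lt"|"gt", n) or ("range", lo, hi)."""
    if clause is None:
        return True
    if clause[0] == "range":
        return clause[1] <= port <= clause[2]
    n = clause[1]
    return {"eq": port == n, "neq": port != n, "lt": port < n, "gt": port > n}[clause[0]]

@dataclass
class Rule:
    action: str                                 # "permit" or "deny"
    proto: str = "every"                        # every | ip | tcp | udp | icmp | ... | "0".."255"
    src: str = "0.0.0.0"
    srcmask: str = "255.255.255.255"            # the defaults spell out "any"
    dst: str = "0.0.0.0"
    dstmask: str = "255.255.255.255"
    sport: Optional[tuple] = None               # port clauses, see port_match()
    dport: Optional[tuple] = None
    flags: dict = field(default_factory=dict)   # {"syn": True, "ack": False} == flag +syn -ack
    established: bool = False                   # established == RST or ACK set
    log: bool = False
    seq: int = 0

    def key(self) -> tuple:                     # match criteria minus seq, for the duplicate check
        return (self.action, self.proto, self.src, self.srcmask, self.dst, self.dstmask,
                self.sport, self.dport, tuple(sorted(self.flags.items())), self.established)

    def matches(self, pkt: dict) -> bool:
        if self.proto == "every":
            return True
        if self.proto != "ip" and int(PROTO_NUMBERS.get(self.proto, self.proto)) != pkt["proto"]:
            return False
        if not (mask_match(pkt["src"], self.src, self.srcmask)
                and mask_match(pkt["dst"], self.dst, self.dstmask)):
            return False
        if self.proto in ("tcp", "udp") and not (
                port_match(self.sport, pkt["sport"]) and port_match(self.dport, pkt["dport"])):
            return False
        if self.proto == "tcp":
            set_flags = pkt.get("flags", set())
            if any((name in set_flags) != wanted for name, wanted in self.flags.items()):
                return False
            if self.established and not ({"rst", "ack"} & set_flags):
                return False
        return True

class AccessList:
    def __init__(self, name: str):
        self.name = name
        self.rules: list = []                   # kept sorted by sequence number

    def add(self, rule: Rule, seq: Optional[int] = None) -> int:
        """Auto seq = last + 10 (10 if empty); no seq reuse; no duplicate rule; fail past MAX_SEQ."""
        if seq is None:
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if seq > MAX_SEQ:
            raise ValueError("sequence number exceeds the maximum; rule not created")
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} is already used by another rule")
        if any(r.key() == rule.key() for r in self.rules):
            raise ValueError("rule duplicates an existing rule")
        rule.seq = seq
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)    # an explicit seq can move a rule earlier
        return seq

    def evaluate(self, pkt: dict) -> tuple:
        """First match in sequence order wins; the implicit deny all ends the list."""
        for r in self.rules:
            if r.matches(pkt):
                return r.action, r.seq, r.log
        return "deny", None, False

def build_example() -> AccessList:
    """Constructed sample list with hypothetical addresses; in the page's CLI it would read
    10 permit tcp any host 10.0.0.5 eq 22 / 20 permit tcp host 10.0.0.5 any flag established /
    30 permit icmp any 10.0.0.0 0.0.0.255 / 5 deny tcp 192.0.2.0 0.0.0.255 host 10.0.0.5 flag +syn -ack log."""
    acl = AccessList("ip1")
    acl.add(Rule("permit", "tcp", dst="10.0.0.5", dstmask="0.0.0.0", dport=("eq", 22)))
    acl.add(Rule("permit", "tcp", src="10.0.0.5", srcmask="0.0.0.0", established=True))
    acl.add(Rule("permit", "icmp", dst="10.0.0.0", dstmask="0.0.0.255"))
    acl.add(Rule("deny", "tcp", src="192.0.2.0", srcmask="0.0.0.255", dst="10.0.0.5", dstmask="0.0.0.0",
                 flags={"syn": True, "ack": False}, log=True), seq=5)
    return acl
```

Two points the model makes visible: the deny rule added last with seq=5 is evaluated before the permit at seq 10, so a SYN from 192.0.2.0/24 to the server is dropped and logged while the same SYN from elsewhere is permitted; and a packet from the server that carries neither ACK nor RST fails the established rule and falls through to the implicit deny, which is what the page means by "two rules are installed in hardware".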