seq (ip access-list
rules)
Inserts or removes filtering rules in
IPv4 access control lists (ACLs).
Syntax
seq
{
1-4095
}
[
permit
|
deny
]
[
tcp
|
udp
|
icmp
|
igmp
|
ip
|esp
|
1-254
]
|
[
vxlan
|
nvgre
|
gre
|
ipip
|gtpc
|
gtpu
]
{
1-4294967295
}
[
src-ip
|
prefix-length
|
src-ip
src-mask
]
[
dst-ip
|
prefix-length
|
dst-ip
dst-mask
]
{
sport
1-65535}
{
dport
1-65535
}
{sport-end
1-65535
}
{
dport-end
1-65535
}
{
dscp
1-63
}
{
length
64-9000
|
length-end
65-9000
}
{
push
}
{
sync
}
{
ack
}
{
fin
}
{
urg
}
{
cwr
}
{
ece
}
{
reset
}
{{
{
morefragment
|
dontfragment
}}
{
vlan
0-4095}
{
count
}
{
log
}
{
qos-forwarding-group
group-name
}
Parameters
- seq
ID
- Specifies the sequence ID for the rule. This
parameter is optional. Valid values range from 1 through 4095 and the value
must be unique within the selected IP ACL. If the value is not specified, a
non-assigned value starting from 10 with an increment of 10 is
assigned.
- permit
|deny
- Specifies the forwarding
action for the matching traffic.
- tcp|udp
|
icmp
|igmp
|
ip
|
esp
- Specifies the numerical
protocol type of the traffic for non-tunneled packets.
- number
- Specifies the custom protocol
number to be matched. Valid values range from 1 through 254.
- push
|sync
|
ack
|fin
|urg
|cwr
|
ece
|
reset
- Specifies the TCP protocol
configuration. (Valid for only the TCP protocol.)
- vxlan
|nvgre
|
gre
|
ipip
|
gtpc
|
gtpu
- Specifies the tunnel types
supported for tunneled traffic.
- For tunnel types, IP address
and masks are mapped to the outer header. Valid values range from 1 through
4294967295.
- VXLAN and NVGRE
tunnels allow VNID or VSID values in the range of 1 through
16777215.
- GTP-U and GTP-C
tunnels allow tunnel ID values in the range of 1 through 4294967295.
- src-ip
|
prefix-length
|
src-mask
|
dst-ip
|
prefix-length
|
dst-mask
- Specifies the source IP address, the source
IP mask, the destination IP address, and destination IP address mask of the
traffic.
- IP addresses and masks
display in a dot-separated, decimal format.
- Instead of using the IP
address mask, the subnet prefix length can be specified with the source IP
address and the destination IP address keywords.
- length
|length-end
- Specifies the length of the
IPv4 packets. The valid value range is 64 through 9000.
- The length range, and length
end parameters are provided to match based on range. Valid ranges are from
65 through 9000.
- When specifying range, the
length value is mandatory.
- Specifying length end alone
is not valid. Length must be less than the length end.
- sport
|
sport-end
- Specifies the sport source
port value. The valid value range is 1 through 65535.
- The source port range and
parameters are provided to match on range.
- When specifying range, the
source port value is mandatory.
- Specifying source port end
alone is not valid.
- The source port value must be
less than the source port end.
- dport
|dport-end
- Specifies the destination
port and the destination port end. Valid values range from 1 through
65535.
- When specifying a match based
on the range, destination port range, and destination port parameters are
provided.
- When specifying range, the
destination port value is mandatory.
- Specifying destination end
alone is not valid.
- The destination port value
must be less than the destination port end.
- count
- Enables counters for the
rule.
- log
- Enables the system log
(syslog) for the rule.
- dscp
- Specifies the type of service
field for IPv4 protocol. The valid value ranges are through 1 to 63.
- vlan
vlan-ID
- Specifies the VLAN ID. The
valid values ranges are from 0 to 4095.
- morefragment
|
dontfragment
- Specifies the fragment
parameters.
- qos-forwarding-group
group-name
- Specifies the name of the
Quality of Service (QoS) forwarding group.
Usage Guidelines
GRE tunnel-type:
- Version-1 packets are not
filtered with this setting.
- Version-0 packets are
filtered successfully with this setting when checksum, key, or sequence
number are not configured.
GTP-U tunnel type:
- Packets with outer IP and UDP
port settings (ACL configured with the IP address and the combination of
source port and destination port) are not forwarded to the egress.
The IPv4 address and IPv4 mask must be configured in dotted-decimal notation.
Duplicate ACL rules are not allowed.
Conflicting ACL rules (rules with same match condition and different forwarding
action) are not allowed.
The following specified length limitation applies to the specified port end and
destination port end range length configuration.
Important
If you configure
an IPv4 or an IPv6 ACL rule to match a specific IP length and also configure an
IPv4 or IPv6 ACL with an overlapping IP length range, then the rule with
specific length will not work.
IPvn rules
configured with specified lengths that overlap IPvn length-range
configurations fail silently.
Example 1. The IPv6 ACL rule in
this example will not work because the rule with a specific length (bold font) overlaps
the configured IP ACL range from 100 through 200. The rule with the
overlapping specified length fails
silently.
ip access-list v4acl
seq 10 permit ip any 1.0.0.1 255.255.255.0 length 100 length-end 200
ipv6 access-list v6acl
seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Example
2. The IPv6 ACL rule (bold
font) in this example will not work because the rule with a specific
length overlaps the range from 100 through 200. The rule with the
overlapping specified length fails
silently.
ipv6 access-list v6acl
seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200
seq 20 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Example
3. This IPv6 ACL rule example will not work because in this configuration,
because the rule with a specific length (bold font) overlaps
the range from 100 through 200. The rule with the overlapping specified
length fails
silently.
ipv6 access-list v6acl-1
seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200
ipv6 access-list v6acl-2
seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Examples
The following example configures seq 1 for IP access
list P4.
device# configure terminal
device(config)#ip access-list P4
device(config-ip-acl)# seq 1 permit udp
1.1.1.1 255.0.0.0 2.2.2.2 255.0.0.0 dontfragment
device# show running-config access-list
ip access-list ip-acl
seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0
device# show running-config ip access-list ip-acl
ip access-list ip-acl
seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0
device# show running-config ip access-list all
ip access-list ip-acl
seq 20 permit ip 10.0.0.1 255.0.0.0 20.0.0.2 255.0.0.0
The following example deletes seq 1.
device(config-mac-acl)# no seq 1