permit

Use this command to create a permit access list rule entry.

Syntax

Standard IP Access List:
permit {source source-wildcard | any | host ip-address} [log | log-verbose]
Extended and Policy IP Access List:
permit {protocol-num | ip | esp | gre} {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value
permit tcp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value
permit udp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port] [range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port] [range start-port end-port] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value
permit icmp {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log | log-verbose] set-dscp value

Parameters

protocol-num Specifies an IPv4 protocol for which to permit access. Valid values are protocol numbers from 0 - 255.
ip Specifies any IPv4 protocol (0 - 255).
esp Specifies the Encapsulating Security Payload protocol.
gre Specifies the Generic Routing Encapsulation protocol.
tcp Specifies the Transmission Control Protocol
udp Specifies the User Datagram Protocol
icmp Specifies the IP Internet Control Message Protocol
source Specifies the IPv4 address of the network or host from which the packet will be sent.
source-wildcard Specifies the bits to ignore in the source address.
destination Specifies the IPv4 address of the network or host to which the packet will be sent.
destination-wildcard Specifies the bits to ignore in the destination address.
any Specifies that this rule entry applies to any source address (or, in an extended access list, any destination address).
host ip-address Specifies a single host address for this rule entry.
msg icmp-msg (Optional) Specifies a single ICMP message type by keyword. The supported message type keywords are listed in the ICMP Message Types table.
eq | neq | gt | lt {source-port | dest-port} (Optional) Specifies which source or destination ports are permitted. The keywords mean:
  • eq - permits the specified source or destination port
  • gt - permits source or destination ports greater than the value specified
  • lt - permits source or destination ports less than the value specified
  • neq - permits source or destination ports that are not equal to the value specified
range start-port end-port (Optional) Specifies a range of source or destination ports permitted.
established (Optional) Specifies that only established TCP connections are permitted. A match is made if ACK or RST bits are set.
dscp code (Optional) Specifies a DiffServ Code Point (DSCP) value to match against this packet's DSCP code. Valid values are 0 - 63, or one of the following keywords:
  • af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, af44 - Assured Forwarding
  • be - Best Effort
  • cs1 - cs7 - Class Selector
  • ef - Expedited Forwarding
precedence value (Optional) Specifies an IP Precedence value. Valid values are 0 - 7, or one of the keywords critical, flash, flash-override, immediate, internet, network, priority, routine.
tos value (Optional) Specifies a Type of Service (ToS) value. Valid values are 0 - 15, or max-reliability, max-throughput, min-delay, min-monetary-cost, normal.
log | log-verbose (Optional) Enables syslog or verbose syslog messaging for an ACL rule hit.
set-dscp value (Policy access list only; mandatory) Specifies the DSCP value that is written into the packet when it matches this rule.

Defaults

  • If the msg option is not specified for an ICMP rule, all ICMP message types are permitted.
  • If the log or log-verbose options are not specified, syslog messaging does not occur for an ACL rule hit.
  • If DSCP code is not specified, none is applied to the permit entry.
  • If a precedence value is not specified, none is applied to the permit entry.
  • If a ToS value is not specified, none is applied to the permit entry.

Mode

Configuration command, standard or extended access list configuration.

Usage

Entering an IPv4 protocol number configures the permit entry for that protocol, but limits the configurable parameters to those shown in the protocol-num syntax. The tcp, udp, and icmp keywords provide the extended parameter sets shown in the syntax for those keywords.

Access list logging is throttled to 1 log message per second. If multiple access list rules have logging enabled (log or log-verbose) and more than one frame per second hits those rules, only the first frame generates a message. Logging is therefore a sample: it does not report every hit on a rule with logging enabled.

The source and destination wildcards are inverted masks: the bits to ignore ("don't care" bits) are set to 1. A wildcard of 0.0.0.0 specifies an exact match.

The any option is short-hand for 0.0.0.0 255.255.255.255.

The set-dscp parameter is used only in a policy access list, where it is mandatory. All other extended and policy parameters are used in both extended and policy IP access lists.

The ICMP Message Types table lists the supported ICMP message types with their message codes and descriptions.


ICMP Message Types

Message Type    (Type, Code)    Description
information-reply (16,0) Information replies
information-request (15,0) Information requests
ipv6-i-am-here (34,0) IPv6 I Am Here
ipv6-where-are-you (33,0) IPv6 Where are you
mask-reply (18,0) Mask replies
mask-request (17,0) Mask requests
mobile-redirect (32,0) Mobile host redirect
mobile-reg-reply (36,0) Mobile registration reply
mobile-reg-request (35,0) Mobile registration request
net-redirect (5,0) Network redirect
net-tos-redirect (5,2) Net redirect for TOS
net-tos-unreachable (3,11) Network unreachable for TOS
net-unreachable (3,0) Net unreachable
network-unknown (3,6) Network unknown
no-room-for-option (12,2) Parameter required but no room
option-missing (12,1) Parameter required but not present
packet-too-big (3,4) Fragmentation needed and DF set
parameter-problem (12,0) Parameter problem indicated
port-unreachable (3,3) Port unreachable
precedence-unreachable (3,15) Precedence cutoff
protocol-unreachable (3,20) Protocol unreachable
reassembly-timeout (11,1) Reassembly timeout
router-advertisement (9,0) Router discovery advertisements
router-solicitation (10,0) Router discovery solicitations
source-quench (4,0) Source quenches
source-route-failed (3,5) Source route failed
timestamp-reply (14,0) Timestamp replies
timestamp-request (13,0) Timestamp requests
traceroute (30,0) Traceroute
ttl-exceeded (11,0) Time-to-live exceeded

Examples

This example enters configuration mode for standard access list 2 and configures a permit entry for source address 10.0.0.1 with a source wildcard of 0.0.255.255:

System(rw-config)->ip access-list standard 2
System(rw-cfg-std-acl)->permit 10.0.0.1 0.0.255.255
System(rw-cfg-std-acl)->

This example enters configuration mode for extended access list 120 and configures a permit entry for the IP protocol with a source address 20.0.0.1 and source wildcard of 0.0.255.255 and a destination address of any:

System(rw-config)->ip access-list extended 120
System(rw-cfg-ext-acl)->permit ip 20.0.0.1 0.0.255.255 any
System(rw-cfg-ext-acl)->

This example enters configuration mode for extended access list 130 and configures a permit entry for the ICMP protocol with a source network address of 120.50.0.1 and source wildcard of 0.0.255.255 and a destination address of 120.60.0.1 and destination wildcard of 0.0.255.255 and a router advertisement ICMP message type:

System(rw-config)->ip access-list extended 130
System(rw-cfg-ext-acl)->permit icmp 120.50.0.1 0.0.255.255 120.60.0.1 0.0.255.255 msg router-advertisement
System(rw-cfg-ext-acl)->
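The following is an added example, not vendor code and not part of the original page. It models the matching semantics described in the Usage section (inverted wildcard masks, any as 0.0.0.0 255.255.255.255, the eq/neq/gt/lt and range port operators, established as "ACK or RST set", msg as an exact ICMP type/code) and the 1-message-per-second logging throttle, and evaluates the two extended permit entries from the examples above against constructed packets. It assumes IPv4 only, top-down first-match evaluation of the rule list, and a subset of the ICMP keyword table; parse_permit, Packet, rule_matches, first_match and logged_hits are names chosen for this example.

```python
"""Evaluate ACL permit entries with the semantics described on this page.

Added example (not the vendor's implementation). Assumptions: IPv4 only,
rules are checked top-down and the first hit wins, and only the parameter
subset used below is parsed (dscp/precedence/tos/log options are skipped).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
# keyword -> (ICMP type, code); subset of the page's ICMP Message Types table
ICMP_MSG = {"router-advertisement": (9, 0), "ttl-exceeded": (11, 0),
            "port-unreachable": (3, 3), "packet-too-big": (3, 4)}


@dataclass
class Rule:
    proto: Optional[int]           # None means 'ip' (any IPv4 protocol)
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    sport: Optional[tuple] = None  # ('eq', 443) or ('range', 1024, 65535)
    dport: Optional[tuple] = None
    established: bool = False
    icmp_msg: Optional[tuple] = None


@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp: Optional[tuple] = None     # (type, code)


def _addr(tokens, i):
    """Parse 'any' | 'host A' | 'A W' at tokens[i]; return (addr, wildcard, next_i)."""
    if tokens[i] == "any":            # shorthand for 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":           # exact match: wildcard 0.0.0.0
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def _port_op(tokens, i):
    """Parse an optional eq/neq/gt/lt N or range A B operator at tokens[i]."""
    if i < len(tokens) and tokens[i] in ("eq", "neq", "gt", "lt"):
        return (tokens[i], int(tokens[i + 1])), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return ("range", int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i


def parse_permit(line):
    """Parse one 'permit ...' line (extended/policy syntax subset) into a Rule."""
    t = line.split()
    assert t[0] == "permit"
    p = t[1]
    proto = None if p == "ip" else (int(p) if p.isdigit() else PROTO_NUM[p])
    src, sw, i = _addr(t, 2)
    sport, i = _port_op(t, i)
    dst, dw, i = _addr(t, i)
    dport, i = _port_op(t, i)
    rule = Rule(proto, src, sw, dst, dw, sport, dport)
    while i < len(t):
        if t[i] == "established":
            rule.established, i = True, i + 1
        elif t[i] == "msg":
            rule.icmp_msg, i = ICMP_MSG[t[i + 1]], i + 2
        elif t[i] in ("dscp", "precedence", "tos", "set-dscp"):
            i += 2                   # keyword plus value, not modelled here
        else:
            i += 1                   # log / log-verbose
    return rule


def wildcard_match(addr, rule_addr, wildcard):
    """Inverted mask: a 1 bit in the wildcard means 'ignore this bit'."""
    return ((addr ^ rule_addr) & ~wildcard & 0xFFFFFFFF) == 0


def port_match(op, port):
    if op is None:
        return True
    kind, value = op[0], op[1]
    if kind == "eq":
        return port == value
    if kind == "neq":
        return port != value
    if kind == "gt":
        return port > value
    if kind == "lt":
        return port < value
    return value <= port <= op[2]    # range start-port end-port


def rule_matches(rule, pkt):
    s, d = int(ipaddress.IPv4Address(pkt.src)), int(ipaddress.IPv4Address(pkt.dst))
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if not (wildcard_match(s, rule.src, rule.src_wild)
            and wildcard_match(d, rule.dst, rule.dst_wild)):
        return False
    if not (port_match(rule.sport, pkt.sport) and port_match(rule.dport, pkt.dport)):
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False                 # established: ACK or RST must be set
    if rule.icmp_msg is not None and pkt.icmp != rule.icmp_msg:
        return False
    return True


def first_match(rules, pkt):
    """Index of the first rule the packet hits, or None (assumed top-down order)."""
    for n, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return n
    return None


def logged_hits(hit_times):
    """Model of the page's throttle: at most one syslog message per second,
    so only the first hit in each 1 s window after the last message is logged."""
    count, last = 0, None
    for t in sorted(hit_times):
        if last is None or t - last >= 1.0:
            count, last = count + 1, t
    return count


# Rules from the page's examples plus one constructed TCP rule.
RULES = [parse_permit(line) for line in (
    "permit ip 20.0.0.1 0.0.255.255 any",
    "permit icmp 120.50.0.1 0.0.255.255 120.60.0.1 0.0.255.255 msg router-advertisement",
    "permit tcp any host 10.1.1.10 eq 443 established",   # constructed
)]

if __name__ == "__main__":
    ra = Packet(1, "120.50.7.7", "120.60.9.9", icmp=(9, 0))
    print("router advertisement ->", first_match(RULES, ra))          # 1
    syn = Packet(6, "192.0.2.1", "10.1.1.10", 40000, 443, frozenset({"SYN"}))
    print("inbound SYN ->", first_match(RULES, syn))                  # None
    print("logged of 6 hits ->", logged_hits([0.0, 0.2, 0.5, 1.0, 1.5, 2.3]))  # 3
```

Note that the throttle model is the reason log counts cannot be used as hit counts: six hits inside 2.3 seconds produce three syslog lines, so a detection pipeline should treat ACL log messages as evidence that a rule fired, not as a measure of how often.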