This section provides details for the configuration of ACLs on the 7100-Series product.
Creating and Managing IPv4 and IPv6 ACLs describes how to create IPv4 and IPv6 ACLs and manage them at the ACL level.
Step | Task | Command(s) |
---|---|---|
1 | In global configuration command mode, create a standard or extended IPv4 or IPv6 ACL, or enter IPv4 or IPv6 ACL configuration mode for an already existing ACL. | ipv4 access-list {standard \| extended} {access-list-number \| name}<br>ipv6 access-list {standard \| extended} name |
2 | In global configuration command mode, optionally, copy a preexisting IPv4 or IPv6 ACL to a non-existing IPv4 or IPv6 ACL. | ipv4 ip access-list {standard \| extended} {access-list-number \| name} copy to {access-list-number \| name}<br>ipv6 ip access-list {standard \| extended} name copy to name |
3 | In global configuration command mode, optionally, append a preexisting IPv4 or IPv6 ACL to another preexisting IPv4 or IPv6 ACL. | ipv4 ip access-list {standard \| extended} {access-list-number \| name} append to {access-list-number \| name}<br>ipv6 ip access-list {standard \| extended} name append to name |
4 | In global configuration command mode, optionally, check the efficiency of an IPv4 or IPv6 ACL. | ipv4 ip access-list {standard \| extended} {access-list-number \| name} check<br>ipv6 ip access-list {standard \| extended} name check |
Entering and Managing Standard IPv4 ACL Rules describes how to enter and manage standard ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv4 ACL configuration command mode, optionally, create a standard IPv4 ACL deny rule entry. | deny {source source-wildcard \| any \| host ip-address} [log \| log-verbose] |
2 | In IPv4 ACL configuration command mode, optionally, insert a new standard IPv4 ACL rule entry before the specified preexisting entry for this standard ACL. | insert before entry {remark “text” \| {permit \| deny} {source source-wildcard \| any \| host ip-address} [log \| log-verbose]} |
3 | In IPv4 ACL configuration command mode, optionally, replace the specified standard ACL entry with the specified new entry. | replace entry {remark “text” \| deny {source [source-wildcard] \| any \| host ip-address} \| permit {source [source-wildcard] \| any \| host ip-address}} |
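One inefficiency an ACL review looks for is a shadowed entry: a later rule whose source range is already fully matched by an earlier one, so it can never fire. The added Python example below (not the 7100-Series' own `check` command, whose exact report the page does not describe) parses rules written in the standard IPv4 syntax above and flags such entries; the sample ACL is constructed for illustration.

```python
import ipaddress
import re
from typing import List, Optional

# {permit | deny} {source source-wildcard | any | host ip-address} [log | log-verbose]
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+"
    r"(?:(?P<any>any)|host\s+(?P<host>\S+)|(?P<src>\S+)\s+(?P<wild>\S+))"
    r"(?:\s+(?:log|log-verbose))?$"
)

def parse_rule(line: str):
    """Parse one standard IPv4 ACL entry into (action, network); None means 'any'."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a standard IPv4 ACL rule: {line!r}")
    if m.group("any"):
        return m.group("action"), None
    if m.group("host"):
        return m.group("action"), ipaddress.IPv4Network(m.group("host"))
    # A wildcard is an inverted mask (0 bits must match); invert it to a netmask so
    # that 0.0.0.0 means a single host, and let ipaddress reject non-contiguous masks.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(m.group("wild"))) ^ 0xFFFFFFFF)
    return m.group("action"), ipaddress.IPv4Network((m.group("src"), str(mask)), strict=False)

def covers(earlier: Optional[ipaddress.IPv4Network], later: Optional[ipaddress.IPv4Network]) -> bool:
    """True if every source matched by `later` is already matched by `earlier`."""
    if earlier is None:
        return True          # 'any' covers every source
    if later is None:
        return False         # a specific network never covers 'any'
    return later.subnet_of(earlier)

def shadowed_entries(lines: List[str]) -> List[int]:
    """Return the 1-based entry numbers that an earlier entry fully shadows."""
    rules = [parse_rule(line) for line in lines]
    return [i + 1 for i, (_, later) in enumerate(rules)
            if any(covers(earlier, later) for _, earlier in rules[:i])]

# Constructed sample ACL (not from the page): entry 3 is shadowed by entry 1 and
# entry 5 by the 'deny any' in entry 4, so neither can ever match traffic.
SAMPLE_ACL = [
    "permit 10.1.0.0 0.0.255.255",
    "deny host 192.168.1.5 log",
    "permit 10.1.20.0 0.0.0.255",
    "deny any log-verbose",
    "permit host 172.16.0.1",
]

print("shadowed entries:", shadowed_entries(SAMPLE_ACL))  # [3, 5]
```

A shadowed permit and a shadowed deny are both dead entries, which is why the check deliberately ignores the action; a rule whose wildcard is not contiguous raises ValueError rather than being silently accepted.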
Entering and Managing Standard IPv6 ACL Rules describes how to enter and manage standard ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv6 ACL configuration command mode, optionally, create a standard IPv6 ACL permit rule entry. | permit {source-address/length \| any \| host ip-address} [log \| log-verbose] |
2 | In IPv6 ACL configuration command mode, optionally, create a standard IPv6 ACL deny rule entry. | deny {source-address/length \| any \| host ip-address} [log \| log-verbose] |
3 | In IPv6 ACL configuration command mode, optionally, insert a new standard IPv6 ACL rule entry before the specified preexisting entry for this standard ACL. | insert before entry {remark “text” \| {permit \| deny} {source-address/length \| any \| host ip-address} [log \| log-verbose]} |
4 | In IPv6 ACL configuration command mode, optionally, replace the specified standard ACL entry with the specified new entry. | replace entry {remark “text” \| {permit \| deny} {source-address/length \| any \| host ip-address} [log \| log-verbose]} |
Entering and Managing Extended IPv4 ACL Rules describes how to enter and manage extended IPv4 ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv4 ACL configuration command mode, optionally, create an extended IPv4 ACL permit rule entry. | permit {protocol-num \| ip \| esp \| gre} {source source-wildcard \| any \| host ip-address} {destination destination-wildcard \| any \| host ip-address} [dscp code] [precedence value] [tos value] [log \| log-verbose]<br>permit tcp {source source-wildcard \| any \| host ip-address} [{eq \| neq \| gt \| lt} source-port] [range start-port end-port] {destination destination-wildcard \| any \| host ip-address} [{eq \| neq \| gt \| lt} dest-port] [range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log \| log-verbose]<br>permit udp {source source-wildcard \| any \| host ip-address} [{eq \| neq \| gt \| lt} source-port] [range start-port end-port] {destination destination-wildcard \| any \| host ip-address} [{eq \| neq \| gt \| lt} dest-port] [range start-port end-port] [dscp code] [precedence value] [tos value] [log \| log-verbose]<br>permit icmp {source source-wildcard \| any \| host ip-address} {destination destination-wildcard \| any \| host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log \| log-verbose] |
2 | In IPv4 ACL configuration command mode, optionally, create an extended IPv4 ACL deny rule entry. | deny {protocol-num \| ip \| esp \| gre} {source source-wildcard \| any \| host ip-address} {destination destination-wildcard \| any \| host ip-address} [dscp code] [precedence value] [tos value] [log \| log-verbose]<br>deny tcp {source source-wildcard \| any \| host ip-address} [{eq \| neq \| gt \| lt} source-port] [range start-port end-port] {destination destination-wildcard \| any \| host ip-address} [{eq \| neq \| gt \| lt} dest-port] [range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log \| log-verbose]<br>deny udp {source source-wildcard \| any \| host ip-address} [{eq \| neq \| gt \| lt} source-port] [range start-port end-port] {destination destination-wildcard \| any \| host ip-address} [{eq \| neq \| gt \| lt} dest-port] [range start-port end-port] [dscp code] [precedence value] [tos value] [log \| log-verbose]<br>deny icmp {source source-wildcard \| any \| host ip-address} {destination destination-wildcard \| any \| host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log \| log-verbose] |
3 | In IPv4 ACL configuration command mode, optionally, insert a new extended IPv4 ACL rule entry before the specified preexisting entry for this extended ACL. See the appropriate command syntax when entering a deny or permit rule to be inserted. | insert before entry {remark “text” \| deny-syntax \| permit-syntax} |
4 | In IPv4 ACL configuration command mode, optionally, replace the specified extended IPv4 ACL entry with the specified new entry. See the appropriate command syntax when entering a deny or permit rule to be replaced. | replace entry {remark “text” \| deny-syntax \| permit-syntax} |
Entering and Managing Extended IPv6 ACL Rules describes how to enter and manage extended IPv6 ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv6 ACL configuration command mode, optionally, create an extended IPv6 ACL permit rule entry. | permit {protocol-num \| ipv6 \| esp \| gre} {source-address/length \| any \| host ip-address} {destination-address/length \| any \| host ip-address} [dscp code] [traffic-class value] [flow-label value] [log \| log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]<br>permit tcp {source-address/length \| any \| host ip-address} [{eq \| neq \| gt \| lt} source-port] [range start-port end-port] {destination-address/length \| any \| host ip-address} [{eq \| neq \| gt \| lt} dest-port] [range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log \| log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]<br>permit udp {source-address/length \| any \| host ip-address} [{eq \| neq \| gt \| lt} source-port] [range start-port end-port] {destination-address/length \| any \| host ip-address} [{eq \| neq \| gt \| lt} dest-port] [range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log \| log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]<br>permit icmpv6 {source-address/length \| any \| host ip-address} {destination-address/length \| any \| host ip-address} [icmpv6-type [icmpv6-code] \| msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log \| log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
2 | In IPv6 ACL configuration command mode, optionally, create an extended IPv6 ACL deny rule entry. | deny {protocol-num \| ipv6 \| esp \| gre} {source-address/length \| any \| host ip-address} {destination-address/length \| any \| host ip-address} [dscp code] [traffic-class value] [flow-label value] [log \| log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]<br>deny tcp {source-address/length \| any \| host ip-address} [{eq \| neq \| gt \| lt} source-port] [range start-port end-port] {destination-address/length \| any \| host ip-address} [{eq \| neq \| gt \| lt} dest-port] [range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log \| log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]<br>deny udp {source-address/length \| any \| host ip-address} [{eq \| neq \| gt \| lt} source-port] [range start-port end-port] {destination-address/length \| any \| host ip-address} [{eq \| neq \| gt \| lt} dest-port] [range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log \| log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]<br>deny icmpv6 {source-address/length \| any \| host ip-address} {destination-address/length \| any \| host ip-address} [icmpv6-type [icmpv6-code] \| msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log \| log-verbose] [routing] [routing-type type] [mobility] [mobility-type type] |
3 | In IPv6 ACL configuration command mode, optionally, insert a new extended IPv6 ACL rule entry before the specified preexisting entry for this extended ACL. See the appropriate command syntax when entering a deny or permit rule to be inserted. | insert before entry {remark “text” \| deny-syntax \| permit-syntax} |
4 | In IPv6 ACL configuration command mode, optionally, replace the specified extended IPv6 ACL entry with the specified new entry. See the appropriate command syntax when entering a deny or permit rule to be replaced. | replace entry {remark “text” \| deny-syntax \| permit-syntax} |
Managing IPv4 and IPv6 ACL Rules describes how to manage ACL rules.
Step | Task | Command(s) |
---|---|---|
1 | In IPv4 or IPv6 ACL configuration command mode, optionally, enable logging for the specified rule, the final implicit deny rule, or all rules. | log [entry] [implicit] [all] |
2 | In IPv4 or IPv6 ACL configuration command mode, optionally, delete a preexisting ACL rule entry. | delete {entry \| from entry to entry} |
3 | In IPv4 or IPv6 ACL configuration command mode, optionally, move a preexisting ACL entry before the specified entry or range of entries. | move before entry from entry to entry |
4 | In IPv4 or IPv6 ACL configuration command mode, optionally, enter a text comment as the next ACL entry. | remark “text” |
Applying and Displaying ACLs describes how to apply and display ACLs.
Step | Task | Command(s) |
---|---|---|
1 | In interface configuration command mode, apply an ACL to a routing interface, specifying whether the ACL applies to inbound or outbound frames. | ipv4 access-group {access-list-number \| name} {in \| out}<br>ipv6 access-group access-list-name {in \| out} |
2 | In configuration command mode, apply an ACL to the host services for this device. | ipv4 host-access {access-list-number \| name}<br>ipv6 host-access name |
3 | In any command mode, optionally, display ACL configuration. | show access-lists [access-list-number \| name] [from start-range to end-range] [brief] |
4 | In any command mode, optionally, display applied ACLs. | show access-lists applied [host \| interfaces [vlan \| inbound \| outbound \| in-and-out]] |
5 | In any command mode, optionally, clear ACL display counters. | clear access-lists counters [{access-list-number \| name} \| applied [host \| interfaces [vlan vlan-id] [inbound \| outbound \| in-and-out]]] |