Configuring ACLs

This section describes how to configure ACLs on the 7100-Series product: create an ACL, enter its rules, manage the rule order, and apply the ACL to a routing interface or to the switch's own host services. Rules in an ACL are evaluated in order and the first matching rule decides; every ACL ends with an implicit deny, so an ACL that contains no permit rule blocks all traffic it is applied to. Command syntax below is given as this page documents it; confirm keywords with ? on the running firmware before pasting a prepared ACL.

Creating and Managing IPv4 and IPv6 ACLs describes how to create an IPv4 or IPv6 ACL and manage ACLs at the ACL level (copy, append, check).

Creating and Managing IPv4 and IPv6 ACLs

Step 1. In global configuration command mode, create a standard or extended IPv4 or IPv6 ACL, or enter IPv4 or IPv6 ACL configuration mode for an ACL that already exists. Creating an ACL leaves you in its configuration mode, where the rule commands in the following tables are entered. A standard ACL matches on source address only; an extended ACL also matches on destination, protocol, ports and header fields.
  Command(s):
    ipv4 access-list {standard | extended} {access-list-number | name}
    ipv6 access-list {standard | extended} name

Step 2. In global configuration command mode, optionally copy an existing IPv4 or IPv6 ACL to a new ACL of the same type; the target must not already exist.
  Command(s):
    ipv4 access-list {standard | extended} {access-list-number | name} copy to {access-list-number | name}
    ipv6 access-list {standard | extended} name copy to name

Step 3. In global configuration command mode, optionally append the rules of an existing IPv4 or IPv6 ACL to the end of another existing ACL of the same type. Because evaluation stops at the first match, appended rules are only reached by traffic that no rule of the target ACL already matched.
  Command(s):
    ipv4 access-list {standard | extended} {access-list-number | name} append to {access-list-number | name}
    ipv6 access-list {standard | extended} name append to name

Step 4. In global configuration command mode, optionally check the efficiency of an IPv4 or IPv6 ACL's rule set.
  Command(s):
    ipv4 access-list {standard | extended} {access-list-number | name} check
    ipv6 access-list {standard | extended} name check

Entering and Managing Standard IPv4 ACL Rules describes how to enter and manage standard IPv4 ACL rules. A standard rule matches on the source address only; the source is given as an address plus wildcard mask, as any, or as a single host. Every rule accepts log or log-verbose to record matches.

Entering and Managing Standard IPv4 ACL Rules

Step 1. In IPv4 ACL configuration command mode, optionally create a standard IPv4 ACL permit rule entry. The entry is appended after the existing rules.
  Command(s):
    permit {source source-wildcard | any | host ip-address} [log | log-verbose]

Step 2. In IPv4 ACL configuration command mode, optionally create a standard IPv4 ACL deny rule entry. The entry is appended after the existing rules.
  Command(s):
    deny {source source-wildcard | any | host ip-address} [log | log-verbose]

Step 3. In IPv4 ACL configuration command mode, optionally insert a new standard IPv4 ACL rule entry before the specified existing entry of this ACL. Use this rather than a plain permit or deny when the new rule must take effect ahead of a broader rule already in the list.
  Command(s):
    insert before entry {remark "text" | {permit | deny} {source source-wildcard | any | host ip-address} [log | log-verbose]}

Step 4. In IPv4 ACL configuration command mode, optionally replace the specified standard ACL entry with the specified new entry.
  Command(s):
    replace entry {remark "text" | {permit | deny} {source source-wildcard | any | host ip-address} [log | log-verbose]}
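The following is an added worked example, not text from the original page or configuration shipped with the product: it walks the ACL-level and standard-rule steps above in the order a practitioner would use them. The ACL names, addresses and entry numbers are assumptions for illustration, and lines beginning with ! are annotations for the reader, not commands to type.

```text
! Assumed: a standard IPv4 ACL naming the hosts allowed to reach the
! switch's management services.
configure
ipv4 access-list standard MGMT-SOURCES
remark "Hosts permitted to manage this switch"
permit host 10.0.100.5
permit 10.0.100.64 0.0.0.15
deny any log
exit

! Read back the rule order. Entry numbers are assumed here to be assigned
! sequentially in the order the rules were added; take them from the
! actual output before inserting, replacing or moving anything.
show access-lists MGMT-SOURCES

! A second jump host must be allowed. A plain "permit" would be appended
! after "deny any", where it can never match, so insert it ahead of the
! deny (assumed to be entry 4 in the listing above).
ipv4 access-list standard MGMT-SOURCES
insert before 4 permit host 10.0.100.6
! Tighten the /28 (assumed entry 3) to the two addresses actually in use.
replace 3 permit 10.0.100.64 0.0.0.1
exit

! Clone the list as the starting point for a second site, then check the
! copy for inefficiencies before editing it further.
ipv4 access-list standard MGMT-SOURCES copy to MGMT-SOURCES-SITE2
ipv4 access-list standard MGMT-SOURCES-SITE2 check
```

The explicit deny any log at the end is redundant with the implicit deny but gives the rejected traffic a counter and a log line; without it, a locked-out administrator has nothing to look at.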

Entering and Managing Standard IPv6 ACL Rules describes how to enter and manage standard IPv6 ACL rules. The IPv6 source is written in prefix notation (source-address/length) rather than with a wildcard mask.

Entering and Managing Standard IPv6 ACL Rules

Step 1. In IPv6 ACL configuration command mode, optionally create a standard IPv6 ACL permit rule entry.
  Command(s):
    permit {source-address/length | any | host ip-address} [log | log-verbose]

Step 2. In IPv6 ACL configuration command mode, optionally create a standard IPv6 ACL deny rule entry.
  Command(s):
    deny {source-address/length | any | host ip-address} [log | log-verbose]

Step 3. In IPv6 ACL configuration command mode, optionally insert a new standard IPv6 ACL rule entry before the specified existing entry of this ACL.
  Command(s):
    insert before entry {remark "text" | {permit | deny} {source-address/length | any | host ip-address} [log | log-verbose]}

Step 4. In IPv6 ACL configuration command mode, optionally replace the specified standard ACL entry with the specified new entry.
  Command(s):
    replace entry {remark "text" | {permit | deny} {source-address/length | any | host ip-address} [log | log-verbose]}

Entering and Managing Extended IPv4 ACL Rules describes how to enter and manage extended IPv4 ACL rules. An extended rule matches on protocol, source and destination address, and, for TCP and UDP, on ports: a port is selected with one comparison operator (eq, neq, gt, lt) or with a range, on the source side, the destination side, or both. The established keyword on a TCP rule matches only segments that already belong to a connection (ACK or RST set); it does not track state, so it also matches crafted packets that merely carry those flags.

Entering and Managing Extended IPv4 ACL Rules

Step 1. In IPv4 ACL configuration command mode, optionally create an extended IPv4 ACL permit rule entry. The entry is appended after the existing rules.
  Command(s):
    permit {protocol-num | ip | esp | gre} {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [dscp code] [precedence value] [tos value] [log | log-verbose]

    permit tcp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port | range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port | range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log | log-verbose]

    permit udp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port | range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port | range start-port end-port] [dscp code] [precedence value] [tos value] [log | log-verbose]

    permit icmp {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log | log-verbose]

Step 2. In IPv4 ACL configuration command mode, optionally create an extended IPv4 ACL deny rule entry. The entry is appended after the existing rules.
  Command(s):
    deny {protocol-num | ip | esp | gre} {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [dscp code] [precedence value] [tos value] [log | log-verbose]

    deny tcp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port | range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port | range start-port end-port] [established] [dscp code] [precedence value] [tos value] [log | log-verbose]

    deny udp {source source-wildcard | any | host ip-address} [{eq | neq | gt | lt} source-port | range start-port end-port] {destination destination-wildcard | any | host ip-address} [{eq | neq | gt | lt} dest-port | range start-port end-port] [dscp code] [precedence value] [tos value] [log | log-verbose]

    deny icmp {source source-wildcard | any | host ip-address} {destination destination-wildcard | any | host ip-address} [msg icmp-msg] [dscp code] [precedence value] [tos value] [log | log-verbose]

Step 3. In IPv4 ACL configuration command mode, optionally insert a new extended IPv4 ACL rule entry before the specified existing entry of this ACL. The inserted rule uses the deny or permit syntax from steps 1 and 2.
  Command(s):
    insert before entry {remark "text" | deny-syntax | permit-syntax}

Step 4. In IPv4 ACL configuration command mode, optionally replace the specified extended IPv4 ACL entry with the specified new entry. The replacement rule uses the deny or permit syntax from steps 1 and 2.
  Command(s):
    replace entry {remark "text" | deny-syntax | permit-syntax}
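The following is an added worked example, not configuration from the original page or from the product: an extended IPv4 ACL meant for inbound use on the routed interface in front of a server VLAN, written to show the port operators, established, the ICMP form and the ordering that the first-match rule forces. Network addresses, host addresses, ports and the ACL name are assumptions for illustration; lines beginning with ! are annotations, not commands.

```text
! Assumed topology: servers live in 10.20.0.0/24, office clients in
! 10.10.0.0/16, administrators on 10.0.100.0/29.
configure
ipv4 access-list extended SERVERS-IN
remark "Public web service: HTTPS only, to the one host that serves it"
permit tcp any host 10.20.0.10 eq 443
remark "Internal DNS from the office ranges only, UDP and TCP"
permit udp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.53 eq 53
remark "SSH to any server from the admin hosts only; log every session"
permit tcp 10.0.100.0 0.0.0.7 10.20.0.0 0.0.0.255 eq 22 log
remark "Replies to connections the servers opened (ACK or RST set)."
remark "This is stateless: anything with ACK set passes, including ACK scans."
permit tcp any 10.20.0.0 0.0.0.255 established
remark "Path MTU discovery and reachability; narrow with msg icmp-msg if the firmware's message names allow it"
permit icmp any 10.20.0.0 0.0.0.255
remark "The implicit deny would drop the rest silently; an explicit deny gives a counter and a log"
deny ip any any log
exit
```

Order matters in two places here: the SSH rule must precede the established rule, or an administrator's first SYN would still be dropped while later packets pass, and the final deny must be last, since nothing after it can ever match. The ACL is not applied yet; applying is covered under Applying and Displaying ACLs.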

Entering and Managing Extended IPv6 ACL Rules describes how to enter and manage extended IPv6 ACL rules. The rule forms mirror the IPv4 ones, with prefix-length addressing, the ipv6 and icmpv6 protocol keywords, and IPv6-specific match options: traffic class, flow label, and the presence or type of a routing header or mobility header. ICMPv6 rules can match on a numeric type and optional code, or on a named message.

Entering and Managing Extended IPv6 ACL Rules

Step 1. In IPv6 ACL configuration command mode, optionally create an extended IPv6 ACL permit rule entry. The entry is appended after the existing rules.
  Command(s):
    permit {protocol-num | ipv6 | esp | gre} {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

    permit tcp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port | range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port | range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

    permit udp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port | range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port | range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

    permit icmpv6 {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [icmpv6-type [icmpv6-code] | msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

Step 2. In IPv6 ACL configuration command mode, optionally create an extended IPv6 ACL deny rule entry. The entry is appended after the existing rules.
  Command(s):
    deny {protocol-num | ipv6 | esp | gre} {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

    deny tcp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port | range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port | range start-port end-port] [established] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

    deny udp {source-address/length | any | host ip-address} [{eq | neq | gt | lt} source-port | range start-port end-port] {destination-address/length | any | host ip-address} [{eq | neq | gt | lt} dest-port | range start-port end-port] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

    deny icmpv6 {source-address/length | any | host ip-address} {destination-address/length | any | host ip-address} [icmpv6-type [icmpv6-code] | msg icmpv6-msg] [dscp code] [traffic-class value] [flow-label value] [log | log-verbose] [routing] [routing-type type] [mobility] [mobility-type type]

Step 3. In IPv6 ACL configuration command mode, optionally insert a new extended IPv6 ACL rule entry before the specified existing entry of this ACL. The inserted rule uses the deny or permit syntax from steps 1 and 2.
  Command(s):
    insert before entry {remark "text" | deny-syntax | permit-syntax}

Step 4. In IPv6 ACL configuration command mode, optionally replace the specified extended IPv6 ACL entry with the specified new entry. The replacement rule uses the deny or permit syntax from steps 1 and 2.
  Command(s):
    replace entry {remark "text" | deny-syntax | permit-syntax}
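The following is an added worked example, not configuration from the original page or from the product: the IPv6 counterpart of a server-VLAN ACL, plus a standard IPv6 ACL for management sources, written to show prefix notation, numeric ICMPv6 types and the routing-header match. Prefixes, names and ICMPv6 type numbers for Neighbor Discovery are the standard values; the exact way the routing-type option is spelled on the command line is assumed from the syntax table above; lines beginning with ! are annotations, not commands.

```text
! Assumed topology: servers in 2001:db8:20::/64, administrators in
! 2001:db8:100::/64.
configure
ipv6 access-list extended SERVERS6-IN
remark "Drop anything carrying a type 0 routing header (deprecated by RFC 5095) and log it; placed first so no permit below lets it through"
deny ipv6 any any routing-type 0 log
remark "Neighbor Discovery must pass or hosts on the segment lose each other: NS=135, NA=136"
permit icmpv6 any any 135
permit icmpv6 any any 136
remark "Packet Too Big (2) is required for path MTU discovery; echo (128/129) for reachability checks"
permit icmpv6 any 2001:db8:20::/64 2
permit icmpv6 any 2001:db8:20::/64 128
permit icmpv6 any 2001:db8:20::/64 129
remark "Public HTTPS to the web host"
permit tcp any host 2001:db8:20::10 eq 443
remark "SSH from the admin prefix only, logged"
permit tcp 2001:db8:100::/64 2001:db8:20::/64 eq 22 log
remark "Return traffic for connections the servers opened; stateless, same caveat as IPv4"
permit tcp any 2001:db8:20::/64 established
deny ipv6 any any log
exit

! Standard IPv6 ACL for management sources: prefix notation instead of
! a wildcard mask, and the single-host form.
ipv6 access-list standard MGMT6-SOURCES
permit 2001:db8:100::/64
permit host 2001:db8:100:1::5
deny any log
exit
```

Filtering ICMPv6 is where IPv6 ACLs most often break things: unlike IPv4, the address resolution and path MTU machinery rides on ICMPv6, so a list that ends in deny ipv6 any any must permit those types explicitly, and the numeric type match is the precise way to do that.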

Managing IPv4 and IPv6 ACL Rules describes how to manage the rules of an existing ACL: logging, deletion, reordering and comments. Entries are referred to by their entry number as shown by show access-lists.

Managing IPv4 and IPv6 ACL Rules

Step 1. In IPv4 or IPv6 ACL configuration command mode, optionally enable logging for the specified rule (entry), for the final implicit deny rule (implicit), or for all rules (all). Logging the implicit deny is the only way to see traffic that matched no explicit rule.
  Command(s):
    log {entry | implicit | all}

Step 2. In IPv4 or IPv6 ACL configuration command mode, optionally delete an existing ACL rule entry, or a contiguous range of entries.
  Command(s):
    delete {entry | from entry to entry}

Step 3. In IPv4 or IPv6 ACL configuration command mode, optionally move an existing entry, or a contiguous range of entries (from entry to entry), to the position immediately before the specified entry. Use this to pull a specific rule ahead of a broader one that would otherwise shadow it.
  Command(s):
    move before entry from entry to entry

Step 4. In IPv4 or IPv6 ACL configuration command mode, optionally enter a text comment as the next ACL entry. A remark occupies an entry number like any other rule.
  Command(s):
    remark "text"

Applying and Displaying ACLs describes how to apply ACLs to routing interfaces and to the device's host services, and how to display and clear ACL state. An ACL has no effect until it is applied.

Applying and Displaying ACLs

Step 1. In interface configuration command mode, apply an ACL to a routing interface, specifying whether the ACL applies to inbound or outbound traffic on that interface.
  Command(s):
    ipv4 access-group {access-list-number | name} {in | out}
    ipv6 access-group access-list-name {in | out}

Step 2. In configuration command mode, apply an ACL to the host services of this device (traffic addressed to the switch itself, such as its management sessions). Apply a host-access ACL only from a session that the ACL permits; otherwise the current session is cut off as soon as the command takes effect.
  Command(s):
    ipv4 host-access {access-list-number | name}
    ipv6 host-access name

Step 3. In any command mode, optionally display ACL configuration, for all ACLs or one ACL, optionally limited to a range of entries or to a brief summary.
  Command(s):
    show access-lists [access-list-number | name] [from start-range to end-range] [brief]

Step 4. In any command mode, optionally display which ACLs are applied to host services or to interfaces, optionally filtered by VLAN and direction.
  Command(s):
    show access-lists applied [host | interfaces [vlan vlan-id] [inbound | outbound | in-and-out]]

Step 5. In any command mode, optionally clear ACL match counters, for one ACL or for the applied ACLs selected by host, interface, VLAN and direction.
  Command(s):
    clear access-lists counters [{access-list-number | name} | applied [host | interfaces [vlan vlan-id] [inbound | outbound | in-and-out]]]
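The following is an added worked example, not configuration from the original page or from the product: it finishes an ACL with the rule-management commands from Managing IPv4 and IPv6 ACL Rules and then applies and verifies it with the commands from Applying and Displaying ACLs. The ACL names are those of an extended IPv4 ACL and two standard ACLs assumed to exist already; the entry numbers, interface name and VLAN id are assumptions, read from show access-lists and the device's interface naming in practice. Lines beginning with ! are annotations, not commands.

```text
configure
ipv4 access-list extended SERVERS-IN
! Record hits on the implicit deny too, not just on rules that carry "log".
log implicit
! A narrow rule (assumed entry 7) was added after the broad "established"
! rule (assumed entry 9) and is shadowed by it: move it ahead.
move before 9 from 7 to 7
! Retire a rule that is no longer needed; a range would be "delete from 5 to 6".
delete 5
remark "Reviewed with the change record for the server VLAN migration"
exit

! Apply inbound on the routed interface facing the rest of the network
! (the interface command form is assumed).
interface vlan 20
ipv4 access-group SERVERS-IN in
ipv6 access-group SERVERS6-IN in
exit

! Restrict the switch's own management services. Run these from a host
! that MGMT-SOURCES / MGMT6-SOURCES permit; the lockout is otherwise immediate.
ipv4 host-access MGMT-SOURCES
ipv6 host-access MGMT6-SOURCES
exit

! Verify placement, watch the counters while generating test traffic,
! and reset them so the next test starts from zero.
show access-lists applied interfaces vlan 20 inbound
show access-lists applied host
show access-lists SERVERS-IN
clear access-lists counters SERVERS-IN
```

Reading the counters after a deliberate test (a connection that should pass, one that should be blocked) is the check that the rule order actually does what was intended; a rule whose counter never increments under traffic that ought to match it is usually shadowed by an earlier, broader rule.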