deny (ipv4-acl)

Creates a deny rule that rejects packets received from a specified source IP and/or addressed to a specified destination IP. You can also use this command to modify an existing deny rule.
Note

Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

deny [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]
deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|
from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|
<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) 
{(rule-description <LINE>)}
deny dns-name [contains|exact|suffix]
deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}
deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] 
(<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] 
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] 
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}
deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|
host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|
ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters

deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|
from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|
<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) 
{(rule-description <LINE>)}

<NETWORK-SERVICE-ALIAS-NAME>

Applies this deny rule to packets based on service protocols and ports specified in the network-service alias
  • <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name (should be existing and configured).

A network-service alias defines service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL deny rule.

Note: For more information on configuring network-service alias, see alias.
<SOURCE-IP/MASK> Specifies the source IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified network are dropped.
<NETWORK-GROUP-ALIAS-NAME> Applies a network-group alias to identify the source IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, received from the addresses identified by the network-group alias are dropped.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

A network-group alias defines a single or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).

any

Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from any source are dropped.
from-vlan <VLAN-ID> Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s) are dropped.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are dropped.
  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.
<DEST-IP/MASK> Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified network are dropped.

any

Specifies the destination as any destination IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to any destination are dropped.
host <DEST-HOST-IP> Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified host are dropped.
  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, destined for the addresses identified by the network-group alias are dropped.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

log

Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
mark [8021p <0-7>| dscp <0-63>]

Specifies packets to mark

  • 8021p <0-7> – Marks packets by modifying the 802.1p VLAN user priority

  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this deny rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}
dns-name Applies this deny rule to packets based on the DNS name of the host, matched using one of the following methods
contains Matches any hostname that contains the specified DNS label (for example, *.test.*)
exact Matches only a hostname that is exactly the specified name
suffix Matches any hostname that ends with the specified label (for example, *.test)
<WORD> Specifies the DNS name or label to match. Packets associated with a hostname that matches this value are dropped.
log Logs all deny events matching this dns entry. If a dns-name is matched an event is logged.
rule-precedence <1-5000> rule-description <LINE> The following keywords are recursive and common to all of the above parameters:
  • rule-precedence – Assigns a precedence for this deny rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>]
(<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmp

Applies this deny rule to ICMP (Internet Control Message Protocol) packets only

<SOURCE-IP/MASK>

Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are dropped.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

Specifies the source as any IP address. ICMP packets received from any source are dropped.

from-vlan <VLAN-ID>

Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are dropped.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP> Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are dropped.
  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified destinations are dropped.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are dropped.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

Specifies the destination as any IP address. ICMP packets addressed to any destination are dropped.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are dropped.
  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<ICMP-TYPE>

Defines the ICMP message type

For example, ICMP type 0 is an Echo Reply and type 8 is an Echo Request.

<ICMP-CODE>

Defines the ICMP message code within the selected type

For example, within ICMP type 3 (Destination Unreachable), code 1 indicates "Host Unreachable" and code 3 indicates "Port Unreachable."

Note: After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code, specify the action taken in case of a match.

log

Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this deny rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ip

Applies this deny rule to IP packets only

<SOURCE-IP/MASK>

Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified networks are dropped.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses identified by the network-group alias are dropped.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

Specifies the source as any IP address. IP packets received from any source are dropped.

from-vlan <VLAN-ID>

Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are dropped.

  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).

Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are dropped.

  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are dropped.

any

Specifies the destination as any IP address. IP packets addressed to any destination are dropped.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are dropped.

  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. IP packets destined for addresses identified by the network-group alias are dropped.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

log

Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this deny rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] 
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] 
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}

proto

Configures the ACL for additional protocols

Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter

<PROTOCOL-NUMBER>

Filters protocols using their IANA (Internet Assigned Numbers Authority) protocol number

  • <PROTOCOL-NUMBER> – Specify the protocol number.

<PROTOCOL-NAME>

Filters protocols using their IANA protocol name

  • <PROTOCOL-NAME> – Specify the protocol name.

eigrp

Identifies the EIGRP (Enhanced Interior Gateway Routing Protocol) protocol (number 88)

EIGRP enables routers to maintain copies of neighbors' routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.

gre

Identifies the GRE (Generic Routing Encapsulation) protocol (number 47)

GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DECnet, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.

igmp

Identifies the IGMP (Internet Group Management Protocol) protocol (number 2)

IGMP establishes and maintains multicast group memberships to interested members. Multicasting allows a networked computer to send content to multiple computers who have registered to receive the content. IGMP snooping is for listening to IGMP traffic between an IGMP host and routers in the network to maintain a map of the links that require multicast streams. Multicast traffic is filtered out for those links which do not require them.

igp

Identifies any private interior gateway protocol (primarily used by Cisco for IGRP) (number 9)

IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP (interior gateway protocol) protocols are: RIP (Routing Information Protocol) and OSPF (Open Shortest Path First).

ospf

Identifies the OSPF protocol (number 89)

OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.

vrrp

Identifies the VRRP (Virtual Router Redundancy Protocol) protocol (number 112)

VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.

<SOURCE-IP/MASK>

Specifies the source IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the sources defined in the network-group alias are dropped.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

Specifies the source as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are dropped.

from-vlan <VLAN-ID>

Specifies a single VLAN or a range of VLANs as the match criteria. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the VLANs identified here are dropped.

  • <VLAN-ID> – Specify the VLAN ID. A range of VLANs is represented by the start and end VLAN IDs separated by a hyphen (for example, 12-20).

Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are dropped.

  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified destinations are dropped.

any

Specifies the destination as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped.

  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the destinations identified in the network-group alias are dropped.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.

log

Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this deny rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|
host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|
ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp

Applies this deny rule to TCP packets only

udp

Applies this deny rule to UDP packets only

<SOURCE-IP/MASK>

This keyword is common to the 'tcp' and 'udp' parameters.

Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>

This keyword is common to the 'tcp' and 'udp' parameters.

Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the sources defined in the network-group alias are dropped.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

This keyword is common to the 'tcp' and 'udp' parameters.

Specifies the source as any IP address. TCP/UDP packets received from any source are dropped.

from-vlan <VLAN-ID>

This keyword is common to the 'tcp' and 'udp' parameters.

Specifies a single VLAN or a range of VLANs as the match criteria. TCP/UDP packets received from the VLANs identified here are dropped.

  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).

Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. TCP/UDP packets received from the specified host are dropped.

  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

This keyword is common to the 'tcp' and 'udp' parameters.

Sets the destination IP address and mask (A.B.C.D/M) to match. TCP/UDP packets addressed to the specified destinations are dropped.

any

This keyword is common to the 'tcp' and 'udp' parameters.

Specifies the destination as any destination IP address. TCP/UDP packets addressed to any destination are dropped.

eq <SOURCE-PORT>

Identifies a specific source port

  • <SOURCE-PORT> – Specify the exact source port.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. TCP/UDP packets addressed to the specified host are dropped.

  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

This keyword is common to the 'tcp' and 'udp' parameters.

Applies a network-group alias to identify the destination IP addresses. TCP/UDP packets destined to the addresses identified in the network-group alias are dropped.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

range <START-PORT> <END-PORT>

Specifies a range of source ports

  • <START-PORT> – Specify the first port in the range.

  • <END-PORT> – Specify the last port in the range.

eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]

Identifies a specific destination or protocol port to match

  • <1-65535> – The destination port is designated by its number

  • <SERVICE-NAME> – Specifies the service name

  • bgp – The designated BGP (Border Gateway Protocol) protocol port (179)

  • dns – The designated DNS (Domain Name System) protocol port (53)

  • ftp – The designated FTP (File Transfer Protocol) protocol port (21)

  • ftp-data – The designated FTP data port (20)

  • gopher – The designated Gopher protocol port (70)

  • https – The designated HTTPS protocol port (443)

  • ldap – The designated LDAP (Lightweight Directory Access Protocol) protocol port (389)

  • nntp – The designated NNTP (Network News Transfer Protocol) protocol port (119)

  • ntp – The designated NTP (Network Time Protocol) protocol port (123)

  • pop3 – The designated POP3 protocol port (110)

  • sip – The designated SIP (Session Initiation Protocol) protocol port (5060)
  • smtp – The designated SMTP (Simple Mail Transfer Protocol) protocol port (25)

  • ssh – The designated SSH (Secure Shell) protocol port (22)

  • telnet – The designated Telnet protocol port (23)

  • tftp – The designated TFTP (Trivial File Transfer Protocol) protocol port (69)

  • www – The designated www protocol port (80)

range <START-PORT> <END-PORT>

Specifies a range of destination ports

  • <START-PORT> – Specify the first port in the range.

  • <END-PORT> – Specify the last port in the range.

log

Logs all deny events matching this entry. If a source and/or destination IP address or port is matched (i.e. a TCP/UDP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above:

  • rule-precedence – Assigns a precedence for this deny rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines

Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:

  • IP

  • ICMP

  • TCP

  • UDP

  • PROTO (any Internet protocol other than TCP, UDP, and ICMP)

The last ACE (access control entry) in the access list is an implicit deny statement.

Whenever the interface receives the packet, its content is checked against the ACEs in the ACL. It is allowed or denied based on the ACL configuration.

  • Filtering TCP/UDP allows you to specify port numbers as filtering criteria.

  • Select ICMP as the protocol to allow or deny ICMP packets. Selecting ICMP filters ICMP packets based on ICMP type and code.

Note

The log option is functional only for router ACLs. When a packet matches a logged entry, an informational logging message describing the packet is sent to the console.
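The usage guidelines above state two rules that are easy to get wrong when building a list by hand: entries are evaluated by rule-precedence value (lowest first), not in the order they were typed, and a packet that matches nothing falls through to the implicit deny. The following Python evaluator is an added example written for this page; it is not Extreme Networks code and does not model the device. It parses the subset of the syntax documented here (permit/deny with ip, icmp, tcp, udp; any, host A.B.C.D or A.B.C.D/M; an optional ICMP type and code; eq <port> for the destination port with a few of the service keywords; log; rule-precedence) and evaluates constructed packets against a constructed list whose entries are deliberately typed out of precedence order. It assumes precedence values are unique within a list and that the implicit deny does not log; neither is stated on this page.

```python
"""Evaluate a subset of WiNG-style IPv4 ACL rules against sample packets.

Added example, not Extreme Networks code. Supported rule form:
  permit|deny ip|icmp|tcp|udp <src> <dst> [<icmp-type> <icmp-code>] [eq <port>]
      [log] rule-precedence <1-5000>
with <src>/<dst> given as `any`, `host A.B.C.D`, or `A.B.C.D/M`.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Subset of the service keywords listed on this page.
SERVICE_PORTS = {"dns": 53, "ssh": 22, "www": 80, "https": 443, "ftp": 21, "telnet": 23}


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    icmp: Optional[Tuple[int, int]]
    log: bool
    precedence: int
    text: str


@dataclass(frozen=True)
class Packet:
    proto: str                              # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp: Optional[Tuple[int, int]] = None  # (type, code)


def _network(tokens):
    """Consume one address selector: any | host A.B.C.D | A.B.C.D/M."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto not in ("ip", "icmp", "tcp", "udp"):
        raise ValueError(f"unsupported rule: {line}")
    src, dst = _network(rest), _network(rest)
    dport = icmp = precedence = None
    log = False
    while rest:
        tok = rest.pop(0)
        if tok == "eq":
            port = rest.pop(0)
            dport = int(port) if port.isdigit() else SERVICE_PORTS[port]
        elif tok == "log":
            log = True
        elif tok == "rule-precedence":
            precedence = int(rest.pop(0))
        elif proto == "icmp" and tok.isdigit():
            icmp = (int(tok), int(rest.pop(0)))   # <ICMP-TYPE> <ICMP-CODE>
        else:
            raise ValueError(f"unexpected token {tok!r} in: {line}")
    if precedence is None or not 1 <= precedence <= 5000:
        raise ValueError(f"rule-precedence <1-5000> is required: {line}")
    return Rule(action, proto, src, dst, dport, icmp, log, precedence, line.strip())


def parse_acl(text: str):
    """Return the rules ordered as they are evaluated: lowest precedence value first."""
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    seen = set()
    for r in rules:   # uniqueness of precedence is this example's assumption
        if r.precedence in seen:
            raise ValueError(f"duplicate rule-precedence {r.precedence}")
        seen.add(r.precedence)
    return sorted(rules, key=lambda r: r.precedence)


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:   # `ip` covers every IP packet
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    return rule.icmp is None or pkt.icmp == rule.icmp


def evaluate(rules, pkt: Packet):
    """Return (action, matched rule text or None, logged)."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.text, rule.log
    return "deny", None, False   # implicit deny at the end of the list (assumed not to log)


# Constructed list: entered out of precedence order on purpose.
ACL_TEXT = """
permit tcp 10.60.20.0/24 any eq ssh rule-precedence 20
deny ip 10.60.20.0/24 192.168.50.0/24 log rule-precedence 10
deny icmp any any 5 0 log rule-precedence 30
permit ip 10.60.20.0/24 any rule-precedence 40
"""
RULES = parse_acl(ACL_TEXT)


def demo():
    """Constructed packets: SSH into the denied lab subnet, SSH elsewhere, an ICMP
    redirect, an echo request, and DNS from the lab subnet (no rule matches)."""
    cases = {
        "ssh_to_lab": Packet("tcp", "10.60.20.5", "192.168.50.10", dport=22),
        "ssh_out": Packet("tcp", "10.60.20.5", "172.16.1.1", dport=22),
        "icmp_redirect": Packet("icmp", "10.60.20.5", "10.60.20.1", icmp=(5, 0)),
        "echo_request": Packet("icmp", "10.60.20.5", "172.16.1.1", icmp=(8, 0)),
        "dns_from_lab": Packet("udp", "192.168.50.7", "10.60.20.5", dport=53),
    }
    return {name: evaluate(RULES, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (action, rule, logged) in demo().items():
        print(f"{name:14} {action:6} log={logged} via {rule or '<implicit deny>'}")
```

The ssh_to_lab packet is the case to watch: the permit at precedence 20 is typed first, but the deny at precedence 10 wins because it is evaluated first. The dns_from_lab packet shows the implicit deny returning no matched rule, so nothing is logged for it even though the list contains log entries; if you need visibility of dropped traffic, add an explicit `deny ip any any log` at the highest precedence value in the list.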

Examples

nx9500-6C8809(config-ip-acl-test)#deny proto vrrp any any log rule-precedence 600
nx9500-6C8809(config-ip-acl-test)#deny proto ospf any any log rule-precedence 650
nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
 deny proto vrrp any any log rule-precedence 600
 deny proto ospf any any log rule-precedence 650
nx9500-6C8809(config-ip-acl-test)#

Using aliases in an IP access list.

The following examples show the usage of network-group aliases:

Example 1.
rfs4000-229D58(config-ip-acl-bar)#permit ip $foo any rule-precedence 10
Example 2.
rfs4000-229D58(config-ip-acl-bar)#permit tcp 192.168.100.0/24 $foobar eq ftp rule-precedence 20
Example 3.
rfs4000-229D58(config-ip-acl-bar)#deny ip $guest  $lab rule-precedence 30
  • In example 1, network-group alias $foo is used as a source.
  • In example 2, network-group alias $foobar is used as a destination.
  • In example 3, network-group aliases $guest and $lab are used as source and destination respectively.

The following examples show the usage of network-service aliases:

Example 4.
rfs4000-229D58(config-ip-acl-bar)# permit $kerberos 10.60.20.0/24 $kerberos-servers log rule-precedence 40
Example 5.
rfs4000-229D58(config-ip-acl-bar)#permit $Tandem 10.60.20.0/24 $Tandem-servers log rule-precedence 50
In examples 4 and 5:
  • The network-service aliases ($kerberos and $Tandem) define the destination protocol-port combinations.
  • The source network is 10.60.20.0/24.
  • The destination network-address combinations are defined by the network-group aliases ($kerberos-servers and $Tandem-servers).

Related Commands

no (ipv4-acl)

Removes a specified IP deny access rule

alias

Creates and configures aliases (network, VLAN, service, etc.)