permit (ipv4-acl)

Creates a permit rule that marks packets (from a specified source IP and/or to a specified destination IP) for forwarding. You can also use this command to modify an existing permit rule.

Note

Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

permit [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]
permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|
any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|
<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) 
{(rule-description <LINE>)}
permit dns-name [contains|exact|suffix]
permit dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}
permit dns-name exact <WORD> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) 
{(rule-description <LINE>)}
permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] 
(<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] 
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] 
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}
permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|
range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|
sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}

Parameters

permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|
any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|
<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) 
{(rule-description <LINE>)}

<NETWORK-SERVICE-ALIAS-NAME>

Applies this permit rule to packets based on service protocols and ports specified in the network-service alias

  • <NETWORK-SERVICE-ALIAS-NAME> – Specify the network-service alias name (should be existing and configured).

A network-service alias defines service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL permit rule.

Note: For more information on configuring network-service alias, see alias.

<SOURCE-IP/MASK>

Specifies the source IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified network are permitted.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, received from the addresses identified by the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

A network-group alias defines a single or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).

any

Specifies the source as any source IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from any source are permitted.

from-vlan <VLAN-ID>

Specifies a single VLAN or a range of VLANs as the match criteria. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s) are permitted.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are permitted.

  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified network are permitted.

any

Specifies the destination as any destination IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to any destination are permitted.
host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. Packets, matching the service protocols and ports specified in the network-service alias, addressed to the specified host are permitted.

  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. Packets, matching the service protocols and ports specified in the network-service alias, destined for the addresses identified by the network-group alias are permitted.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

log

Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

mark [8021p <0-7>| dscp <0-63>]

Specifies packets to mark

  • 8021p <0-7> – Marks packets by modifying the 802.1p VLAN user priority

  • dscp <0-63> – Marks packets by modifying DSCP TOS bits in the header

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this permit rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit dns-name [contains|exact (mark)|suffix] <WORD> (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}
dns-name

Applies this permit rule to packets based on the DNS names specified in the network-service alias

contains

Matches any hostname that contains this DNS label (for example, *.test.*)

exact

Matches an exact hostname as specified in the network-service alias

suffix

Matches any hostname that ends with this suffix (for example, *.test)

<WORD>

Identifies a specific host (as the source to match) by its domain name. Packets, matching the service protocols and ports specified in the network-service alias, received from the specified host are forwarded.

log

Logs all permit events matching this dns-name entry. If a DNS name is matched, an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this permit rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
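The three dns-name match modes above (contains, exact, suffix) are easy to misread as plain substring tests. The following Python is an added example, not Extreme Networks code or a description of the platform's implementation: it interprets the page's own illustrations "*.test.*" and "*.test" as whole-label matches, and assumes matching is case-insensitive and ignores a trailing dot. The function name dns_name_matches and the label-based interpretation are this example's assumptions.

```python
"""Added example, not Extreme Networks code: one reading of the dns-name match
modes (contains / exact / suffix) as whole-label comparisons. Assumptions:
case-insensitive, trailing dot ignored, labels compared whole (not substrings)."""


def _labels(name):
    """Split a hostname into lower-case DNS labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(mode, word, hostname):
    """Return True if hostname satisfies a dns-name rule of the given mode.

    exact    - every label must match (www.example.com == WWW.example.com.)
    suffix   - the rule's labels must end the hostname (*.test)
    contains - the rule's labels must appear as a contiguous run (*.test.*)
    """
    want, have = _labels(word), _labels(hostname)
    if mode == "exact":
        return want == have
    if mode == "suffix":
        return len(have) >= len(want) and have[-len(want):] == want
    if mode == "contains":
        n = len(want)
        return any(have[i:i + n] == want for i in range(len(have) - n + 1))
    raise ValueError(f"unknown dns-name mode {mode!r}")


def check_rules(rules, hostname):
    """Evaluate constructed (mode, word) rules against one hostname and return
    the list of rules that matched, which is what a log entry would report."""
    return [(mode, word) for mode, word in rules if dns_name_matches(mode, word, hostname)]
```

Under this reading, a contains rule for "test" matches "a.test.b" but not "attest.example", because "attest" is a different label; a substring implementation would match both, which is the kind of over-broad permit a reviewer should look for when an alias is built from short words.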

permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] 
(<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmp

Applies this permit rule to ICMP packets only

<SOURCE-IP/MASK>

Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are permitted.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are permitted.
  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

Specifies the source as any IP address. ICMP packets received from any source are permitted.

from-vlan <VLAN-ID>

Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are permitted.
  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are permitted.

  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to specified destinations are permitted.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are permitted.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

Specifies the destination as any IP address. ICMP packets addressed to any destination are permitted.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are permitted.
  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<ICMP-TYPE>

Defines the ICMP packet type

For example, an ICMP type 0 indicates it is an ECHO REPLY, and type 8 indicates it is an ECHO.

<ICMP-CODE>

Defines the ICMP message type

For example, an ICMP type 3 indicates "Destination Unreachable"; within that type, code 1 indicates "Host Unreachable" and code 3 indicates "Port Unreachable."

Note: After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code, specify the action taken in case of a match.

log

Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this permit rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] 
(log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ip

Applies this permit rule to IP packets only

<SOURCE-IP/MASK>

Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified networks are permitted.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses identified by the network-group alias are permitted.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

Specifies the source as any source IP address. IP packets received from any source are permitted.

from-vlan <VLAN-ID>

Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are permitted.

  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).

Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are permitted.

  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are permitted.

any

Specifies the destination as any destination IP address. IP packets addressed to any destination are permitted.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are permitted.

  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. IP packets destined for addresses identified by the network-group alias are permitted.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

log

Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this permit rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] 
[<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] 
[<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) 
{(rule-description <LINE>)}

proto

Configures the ACL for additional protocols

Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter

<PROTOCOL-NUMBER>

Filters protocols using their IANA protocol number

  • <PROTOCOL-NUMBER> – Specify the protocol number.

<PROTOCOL-NAME>

Filters protocols using their IANA protocol name

  • <PROTOCOL-NAME> – Specify the protocol name.

eigrp

Identifies the EIGRP protocol (number 88)

EIGRP enables routers to maintain copies of neighbors' routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.

gre

Identifies the GRE protocol (number 47)

GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DEC net, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.

igmp

Identifies the IGMP protocol (number 2)

IGMP establishes and maintains multicast group memberships to interested members. Multicasting allows a networked computer to send content to multiple computers who have registered to receive the content. IGMP snooping is for listening to IGMP traffic between an IGMP host and routers in the network to maintain a map of the links that require multicast streams. Multicast traffic is filtered out for those links which do not require them.

igp

Identifies any private internal gateway (primarily used by CISCO for their IGRP) (number 9)

IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP protocols are: RIP and OSPF

ospf

Identifies the OSPF protocol (number 89)

OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets.

vrrp

Identifies the VRRP protocol (number 112)

VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.

<SOURCE-IP/MASK>

Specifies the source IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified sources are permitted.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the source IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the sources defined in the network-group alias are permitted.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

any

Specifies the source as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are permitted.

from-vlan <VLAN-ID>

Specifies a single VLAN or a range of VLANs as the match criteria. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the VLANs identified here are permitted.

  • <VLAN-ID> – Specify the VLAN ID. A range of VLANs is represented by the start and end VLAN IDs separated by a hyphen (for example, 12-20).

Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are permitted.

  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified destinations are permitted.

any

Specifies the destination as any destination IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are permitted.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are permitted.

  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

Applies a network-group alias to identify the destination IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the destinations identified in the network-group alias are permitted.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

After specifying the source and destination IP address(es), specify the action taken in case of a match.

log

Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above parameters:

  • rule-precedence – Assigns a precedence for this permit rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|
host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|
host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|
ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> 
<END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp

Applies this permit rule to TCP packets only

udp

Applies this permit rule to UDP packets only

<SOURCE-IP/MASK>

This keyword is common to the 'tcp' and 'udp' parameters.

Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the specified sources are permitted.

<NETWORK-GROUP-ALIAS-NAME>

This keyword is common to the 'tcp' and 'udp' parameters.

Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the addresses identified by the network-group alias are permitted.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

After specifying the source and destination IP address(es), specify the action taken in case of a match.

any

This keyword is common to the 'tcp' and 'udp' parameters.

Specifies the source as any source IP address. TCP/UDP packets received from any source are permitted.

from-vlan <VLAN-ID>

This keyword is common to the 'tcp' and 'udp' parameters.

Specifies a single VLAN or a range of VLANs as the match criteria. TCP/UDP packets received from the VLANs identified here are permitted.

  • <VLAN-ID> – Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).

Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>

Identifies a specific host (as the source to match) by its IP address. TCP/UDP packets received from the specified host are permitted.

  • <SOURCE-HOST-IP> – Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>

This keyword is common to the 'tcp' and 'udp' parameters.

Sets the destination IP address and mask (A.B.C.D/M) to match. TCP/UDP packets addressed to the specified destinations are permitted.

any

This keyword is common to the 'tcp' and 'udp' parameters.

Specifies the destination as any destination IP address. TCP/UDP packets addressed to any destination are permitted.

eq <SOURCE-PORT>

Identifies a specific source port

  • <SOURCE-PORT> – Specify the exact source port.

host <DEST-HOST-IP>

Identifies a specific host (as the destination to match) by its IP address. TCP/UDP packets addressed to the specified host are permitted.

  • <DEST-HOST-IP> – Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>

This keyword is common to the 'tcp' and 'udp' parameters.

Applies a network-group alias to identify the destination IP addresses. TCP/UDP packets destined to the addresses identified in the network-group alias are permitted.

  • <NETWORK-GROUP-ALIAS-NAME> – Specify the network-group alias name (should be existing and configured).

eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]

Identifies a specific destination or protocol port to match

  • <1-65535> – The destination port is designated by its number

  • <SERVICE-NAME> – Specifies the service name

  • bgp – The designated BGP protocol port (179)

  • dns – The designated DNS protocol port (53)

  • ftp – The designated FTP protocol port (21)

  • ftp-data – The designated FTP data port (20)

  • gopher – The designated Gopher protocol port (70)

  • https – The designated HTTPS protocol port (443)

  • ldap – The designated LDAP protocol port (389)

  • nntp – The designated NNTP protocol port (119)

  • ntp – The designated NTP protocol port (123)

  • pop3 – The designated POP3 protocol port (110)

  • sip – The designated SIP protocol port (5060)
  • smtp – The designated SMTP protocol port (25)

  • ssh – The designated SSH protocol port (22)

  • telnet – The designated Telnet protocol port (23)

  • tftp – The designated TFTP protocol port (69)

  • www – The designated www protocol port (80)

range <START-PORT> <END-PORT>

Specifies a range of destination ports

  • <START-PORT> – Specify the first port in the range.

  • <END-PORT> – Specify the last port in the range.

log

Logs all permit events matching this entry. If a source and/or destination IP address or port is matched (i.e. a TCP/UDP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords are recursive and common to all of the above:

  • rule-precedence – Assigns a precedence for this permit rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines

Use this command to permit traffic between networks/hosts based on the protocol type selected in the access list. The following protocols are supported:

  • IP

  • ICMP

  • TCP

  • UDP

  • PROTO (any Internet protocol other than TCP, UDP, and ICMP)

The last ACE in the access list is an implicit deny statement.

Whenever the interface receives the packet, its content is checked against all the ACEs in the ACL. The packet is allowed or denied based on the ACL configuration.

  • Filtering on TCP or UDP allows you to specify port numbers as filtering criteria.

  • Select ICMP to allow/deny packets. Selecting ICMP filters ICMP packets based on ICMP type and code.

Note

The log option is functional only for router ACLs. The log option displays an informational logging message about the packet matching the entry sent to the console.

Examples

nx9500-6C8809(config-ip-acl-test)#permit ip 172.16.10.0/24 any log rule-precedence 750
nx9500-6C8809(config-ip-acl-test)#permit tcp 172.16.10.0/24 any log rule-precedence 800
nx9500-6C8809(config-ip-acl-test)#show context
ip access-list test
 permit ip 172.16.10.0/24 any log rule-precedence 750
 permit tcp 172.16.10.0/24 any log rule-precedence 800
nx9500-6C8809(config-ip-acl-test)#
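The evaluation order described under Usage Guidelines (every ACE is consulted in rule-precedence order, the first match decides, and the implicit deny is the last ACE) can be reasoned about off the device. The following Python is an added example, not Extreme Networks code or output from the platform: it parses ACEs in the form the `show context` output above prints them, evaluates constructed packets against them, and lists rules that can never fire because a rule with a lower precedence value already covers everything they would match. Its assumptions are that `permit ip` matches every IP protocol, that `eq`/`range` after the destination address name destination ports, and that aliases, from-vlan, mark and rule-description are out of scope; the two constructed ACEs (precedence 100 and 200) and the sample packets are not from the page.

```python
"""Added example, not Extreme Networks code: models the permit/deny semantics on
this page (rules tried in rule-precedence order, first match wins, implicit deny)."""
import ipaddress
from dataclasses import dataclass

# Named destination ports listed under the eq keyword on this page.
SERVICE_PORTS = {"bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gopher": 70,
                 "https": 443, "ldap": 389, "nntp": 119, "ntp": 123, "pop3": 110,
                 "sip": 5060, "smtp": 25, "ssh": 22, "telnet": 23, "tftp": 69, "www": 80}

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "icmp", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple = None         # inclusive (lo, hi); tcp/udp only
    icmp: tuple = None          # (type, code); icmp only
    log: bool = False
    precedence: int = 5000

def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D/M."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(tok, strict=False)

def parse_rule(line):
    """Parse one ACE as 'show context' prints it (subset: ip/icmp/tcp/udp,
    destination eq/range, ICMP type and code, log, rule-precedence)."""
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    rule = Rule(action, proto, _addr(t), _addr(t))
    while t:
        tok = t.pop(0)
        if tok in ("eq", "range"):          # service name or numeric port
            lo = t.pop(0)
            hi = t.pop(0) if tok == "range" else lo
            rule.dport = tuple(SERVICE_PORTS.get(p) or int(p) for p in (lo, hi))
        elif tok == "log":
            rule.log = True
        elif tok == "rule-precedence":
            rule.precedence = int(t.pop(0))
        elif proto == "icmp" and tok.isdigit():
            rule.icmp = (int(tok), int(t.pop(0)))
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule

def packet(proto, src, dst, dport=None, icmp=None):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport, "icmp": icmp}

def _matches(rule, pkt):
    # Assumption: 'ip' matches every IP protocol, the usual ACL convention.
    proto_ok = rule.proto == "ip" or rule.proto == pkt["proto"]
    addr_ok = pkt["src"] in rule.src and pkt["dst"] in rule.dst
    port_ok = rule.dport is None or (pkt["dport"] is not None
                                     and rule.dport[0] <= pkt["dport"] <= rule.dport[1])
    icmp_ok = rule.icmp is None or pkt["icmp"] == rule.icmp
    return proto_ok and addr_ok and port_ok and icmp_ok

def evaluate(rules, pkt):
    """First match in ascending precedence wins; no match is the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if _matches(rule, pkt):
            return rule.action, rule
    return "deny", None

def _covers(a, b):
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.dport is None or (b.dport is not None
                 and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1]))
            and (a.icmp is None or a.icmp == b.icmp))

def shadowed(rules):
    """Audit: (earlier, later) precedence pairs where the later rule never fires."""
    ordered = sorted(rules, key=lambda r: r.precedence)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if _covers(earlier, later):
                found.append((earlier.precedence, later.precedence))
                break
    return found

# The two ACEs from the Examples section above plus two constructed ones.
SAMPLE_ACL = [
    "permit icmp any any 8 0 rule-precedence 100",                   # constructed
    "deny tcp any host 10.0.0.5 eq telnet log rule-precedence 200",  # constructed
    "permit ip 172.16.10.0/24 any log rule-precedence 750",          # from the page
    "permit tcp 172.16.10.0/24 any log rule-precedence 800",         # from the page
]
RULES = [parse_rule(line) for line in SAMPLE_ACL]
```

Running shadowed(RULES) reports (750, 800): under the stated assumption, the `permit tcp` ACE at precedence 800 can never match because the `permit ip` ACE at 750 already permits all traffic from 172.16.10.0/24. Two permits shadowing each other is harmless; the same pattern with a deny at the later precedence fails open silently, which is why this check belongs in a configuration review.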

Related Commands

no (ipv4-acl)

Removes a specified IP permit access rule

alias

Creates and configures aliases (network, VLAN, service, etc.)