Inserts filtering rules in IP access lists (ACLs).
IP ACL config mode
The IPv4 Address and mask must be configured in dotted decimal notation.
Important
If you configure an IPv4 or IPv6 ACL rule to match a specific IP length and also configure an IPv4 or IPv6 ACL with an overlapping IP length range, then the rule with specific length will not work.IPvn rules configured with specified lengths that overlap IPvn length-range configurations fail silently.
Example 1. The IPv6 ACL rule in this example will not work because the rule with a specific length (bold font) overlaps the configured IP ACL range from 100 through 200. The rule with the overlapping specified length fails silently.
ip access-list v4acl seq 10 permit ip any 1.0.0.1 255.255.255.0 length 100 length-end 200 ipv6 access-list v6acl seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Example 2. The IPv6 ACL rule (bold font) in this example will not work because the rule with a specific length overlaps the range from 100 through 200. The rule with the overlapping specified length fails silently.
ipv6 access-list v6acl seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200 seq 20 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Example 3. This IPv6 ACL rule example will not work because in this configuration, because the rule with a specific length (bold font) overlaps the range from 100 through 200. The rule with the overlapping specified length fails silently.
ipv6 access-list v6acl-1 seq 10 permit ipv6 any aaaa::aaaa ffff::ffff length 100 length-end 200 ipv6 access-list v6acl-2 seq 10 permit ipv6 any bbbb::bbbb ffff::ffff length 150
Message | Reason |
---|---|
Error: seqid 10 already exist ip1. | Sequence id is repeated within IP ACL named ip1. |
Error: source ip address must be in dotted-decimal format, each decimal number to be in range of 0-255. Example: 196.168.0.1 | Incorrect IPv4 address format for values src/dest address, src/dest mask values. |
% Value '0' not in range <1-65535>. | Example: Sequence-id range error. |
% Value 'ip' not in range <1-254> | Example: IP address outside valid range error. |
% Value '4294967296' not in range <1-4294967295>. | Example: Tunnel-id range error. |
% Value '65536' not in range <1-65535>. | Example: Source port range error. |
% Value '65536' not in range <1-65535>. | Example: Destination port range error. |
% Value '63' not in range <64-9000>. | Example: Packet length error. |
% Value '65' not in range <0-63>. | Example: DSCP range error. |
% Value '4096' not in range <0-4095>. | Example: VLAN range error. |
The following example configures seq 1 for IP access list P4.
device# configure terminal device(config)#ip access-list P4 device(config-ip-acl)# seq 1 permit udp 1.1.1.1 255.0.0.0 2.2.2.2 255.0.0.0 dontfragmentdevice(config-ip-acl)#
The following example deletes seq 1.
device(config-mac-acl)# no seq 1