44 CHAPTER 3: ACL COMMANDS
alternate-host-address, echo-request, router-advertisement,
router-solicitation, time-exceeded, parameter-problem,
timestamp, timestamp-reply, information-request,
information-reply, address-mask-request, address-mask-reply,
traceroute, datagram-conversion-error, mobile-host-redirect,
ipv6-where-are-you, ipv6-i-am-here,
mobile-registration-request, mobile-registration-reply,
domain-name-request, domain-name-reply, skip and photuris.
(Range: 0-255)
icmp-code — Specifies an ICMP message code for filtering ICMP
packets. ICMP packets that are filtered by ICMP message type can also
be filtered by the ICMP message code. (Range: 0-255)
igmp-type — IGMP packets can be filtered by IGMP message type.
Enter a number or one of the following values: dvmrp, host-query,
host-report, pim or trace. (Range: 0-255)
destination-port — Specifies the UDP/TCP destination port. (Range:
0-65535)
source-port — Specifies the UDP/TCP source port. (Range: 0-65535)
list-of-flags — Specifies a list of TCP flags that can be triggered. If a
flag is set, it is prefixed by “+”. If a flag is not set, it is prefixed by “-”.
The possible values are: +urg, +ack, +psh, +rst, +syn, +fin, -urg,
-ack, -psh, -rst, -syn and -fin. The flags are concatenated into one
string. For example: +fin-ack.
Default Configuration
No IPv4 ACL is defined.
Command Mode
IP-Access List Configuration mode
User Guidelines
Use the ip access-list Global Configuration mode command to enable
the IP-Access List Configuration mode.
Before an Access Control Element (ACE) is added to an ACL, all packets
are permitted. After an ACE is added, an implied deny-any-any
condition exists at the end of the list, and packets that do not match
the conditions defined in the permit statement are denied.
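The list-of-flags string format and the implied deny-any-any rule described above can be modelled offline to check what a planned ACL will pass. This is an added example, not code from the manual or the device; it assumes that flags absent from the string are not checked and that ACEs are evaluated in order with the first match deciding, and the function names are hypothetical.

```python
import re

# TCP header flag bits (RFC 793).
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
                 "psh": 0x08, "ack": 0x10, "urg": 0x20}
_TOKEN = re.compile(r"([+-])(urg|ack|psh|rst|syn|fin)")


def parse_flag_list(spec):
    """Turn a concatenated string such as '+fin-ack' into (must_set, must_clear) masks."""
    if not spec:
        raise ValueError("empty flag list")
    must_set = must_clear = pos = 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"bad flag list at offset {pos}: {spec!r}")
        bit = TCP_FLAG_BITS[m.group(2)]
        if (must_set | must_clear) & bit:
            raise ValueError(f"flag {m.group(2)!r} listed twice in {spec!r}")
        if m.group(1) == "+":
            must_set |= bit      # "+" prefix: flag must be set
        else:
            must_clear |= bit    # "-" prefix: flag must not be set
        pos = m.end()
    return must_set, must_clear


def flags_match(spec, tcp_flags):
    """True if the packet's TCP flag byte satisfies the flag list (assumed semantics)."""
    must_set, must_clear = parse_flag_list(spec)
    return (tcp_flags & must_set) == must_set and (tcp_flags & must_clear) == 0


def evaluate_acl(aces, tcp_flags):
    """aces: ordered list of (action, flag_spec) pairs; first match wins (assumption)."""
    if not aces:
        return "permit"          # no ACE added yet: all packets are permitted
    for action, spec in aces:
        if flags_match(spec, tcp_flags):
            return action
    return "deny"                # implied deny-any-any at the end of the list
```

With a single ACE `("permit", "+syn-ack")`, a bare SYN (0x02) is permitted, while a SYN-ACK (0x12) matches nothing and falls through to the implied deny.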