CLI (Command Line Interface)
211
NXA-ENET24 - Software Management Guide
IP ACL Commands (Cont.)

Command: permit, deny (Standard ACL)

Function: This command adds a rule to a Standard IP ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.

Syntax:
[no] {permit | deny} {any | source bitmask | host source}
• any – Any source IP address.
• source – Source IP address.
• bitmask – Decimal number representing the address bits to match.
• host – Keyword followed by a specific IP address.

Default Setting: None

Command Mode: Standard ACL

Command Usage: New rules are appended to the end of the list. Address bitmasks are similar to a subnet mask, containing four integers from 0 to 255, each separated by a period. The binary mask uses 1 bits to indicate “match” and 0 bits to indicate “ignore.” The bitmask is bitwise ANDed with the specified source IP address, and then compared with the address for each IP packet entering the port(s) to which this ACL has been assigned.

Example: This example configures one permit rule for the specific address 10.1.1.21 and another rule for the address range 168.92.16.x – 168.92.31.x using a bitmask:
Console(config-std-acl)#permit host 10.1.1.21
Console(config-std-acl)#permit 168.92.16.0 255.255.240.0
Console(config-std-acl)#
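The bitmask matching described under Command Usage, written out as an added Python example (not code from the guide or from the switch firmware). It parses Standard ACL rule lines in the syntax above, masks both the rule address and the packet address, and walks the list in order so the effect of appending rules is visible; treating host as a bitmask of 255.255.255.255 and any as 0.0.0.0 is an assumption that follows from the 1 = match, 0 = ignore semantics, and the deny any rule and the 0.0.0.255 mask used below are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class StdAclRule:
    """One Standard IP ACL rule: action, source address and bitmask."""
    action: str   # "permit" or "deny"
    source: int   # source address as a 32-bit integer
    bitmask: int  # 1 bits = match, 0 bits = ignore

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def parse_rule(line: str) -> StdAclRule:
    """Parse one '{permit | deny} {any | source bitmask | host source}' line.
    Assumption: 'host' behaves like bitmask 255.255.255.255 (match every
    bit) and 'any' like bitmask 0.0.0.0 (ignore every bit)."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if rest == ["any"]:
        return StdAclRule(action, 0, 0)
    if len(rest) == 2 and rest[0] == "host":
        return StdAclRule(action, _ip(rest[1]), 0xFFFFFFFF)
    if len(rest) == 2:
        return StdAclRule(action, _ip(rest[0]), _ip(rest[1]))
    raise ValueError(f"cannot parse rule: {line!r}")

def rule_matches(rule: StdAclRule, packet_src: str) -> bool:
    """Bitmask ANDed with the rule's source, then compared with the
    packet's source address under the same mask."""
    return (_ip(packet_src) & rule.bitmask) == (rule.source & rule.bitmask)

def evaluate(rules: List[StdAclRule], packet_src: str) -> Optional[str]:
    """Return the action of the first matching rule in list order, or
    None when no rule in the list matches."""
    for rule in rules:
        if rule_matches(rule, packet_src):
            return rule.action
    return None

# Constructed rule list: the guide's two permit rules, followed by a
# deny rule appended afterwards so that ordering matters.
ACL = [parse_rule(line) for line in (
    "permit host 10.1.1.21",
    "permit 168.92.16.0 255.255.240.0",
    "deny any",
)]
```

Because the mask is only "similar to" a subnet mask, a non-contiguous bitmask such as 0.0.0.255 is legal here and matches on the last octet alone, which a CIDR prefix cannot express.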
Command: permit, deny (Extended ACL)

Function: This command adds a rule to an Extended IP ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.

Syntax:
[no] {permit | deny} [protocol-number | udp]
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [tos tos] [dscp dscp]
[source-port sport [end]] [destination-port dport [end]]

[no] {permit | deny} tcp
{any | source address-bitmask | host source}
{any | destination address-bitmask | host destination}
[precedence precedence] [tos tos] [dscp dscp]
[source-port sport [end]] [destination-port dport [end]]
[control-flag control-flags flag-bitmask]
• protocol-number – A specific protocol number. (Range: 0-255)
• source – Source IP address.
• destination – Destination IP address.
• address-bitmask – Decimal number representing the address bits to match.
• host – Keyword followed by a specific IP address.
• precedence – IP precedence level. (Range: 0-7)
• tos – Type of Service level. (Range: 0-15)
• dscp – DSCP priority level. (Range: 0-63)
• sport – Protocol (TCP, UDP or other protocol types) source port number. (Range: 0-65535)
• dport – Protocol (TCP, UDP or other protocol types) destination port number. (Range: 0-65535)
• end – Upper bound of the protocol port range. (Range: 0-65535)
• control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
• flag-bitmask – Decimal number representing the code bits to match. (Range: 0-63)

Default Setting: None

Command Mode: Extended ACL