282 Configuring Switch Information

Configuring IP Based ACLs with CLI Commands

The following table summarizes the equivalent CLI commands for configuring IP Based ACLs.
Table 7-5. IP Based ACL CLI Commands
CLI Command:
  ip access-list access-list-name
  no ip access-list access-list-name
Description:
  To define an IPv4 access list and to place the device in IPv4 access list
  configuration mode, use the ip access-list command in global configuration
  mode. To remove the access list, use the no form of this command.

CLI Command:
  permit {any|protocol} {any|{source source-wildcard}}
    {any|{destination destination-wildcard}}
    [dscp number | ip-precedence number] [fragments]
  permit-icmp {any|{source source-wildcard}}
    {any|{destination destination-wildcard}} {any|icmp-type} {any|icmp-code}
    [dscp number | ip-precedence number]
  permit-igmp {any|{source source-wildcard}}
    {any|{destination destination-wildcard}} {any|igmp-type}
    [dscp number | ip-precedence number]
  permit-tcp {any|{source source-wildcard}} {any|source-port}
    {any|{destination destination-wildcard}} {any|destination-port}
    [dscp number | ip-precedence number] [flags list-of-flags]
  permit-udp {any|{source source-wildcard}} {any|source-port}
    {any|{destination destination-wildcard}} {any|destination-port}
    [dscp number | ip-precedence number]
Description:
  To set conditions to allow a packet to pass a named IP access list, use the
  permit command in access list configuration mode.

CLI Command:
  deny [disable-port] {any|protocol} {any|{source source-wildcard}}
    {any|{destination destination-wildcard}}
    [dscp number | ip-precedence number] [fragments]
  deny-icmp [disable-port] {any|{source source-wildcard}}
    {any|{destination destination-wildcard}} {any|icmp-type} {any|icmp-code}
    [dscp number | ip-precedence number]
  deny-igmp [disable-port] {any|{source source-wildcard}}
    {any|{destination destination-wildcard}} {any|igmp-type}
    [dscp number | ip-precedence number]
  deny-tcp [disable-port] {any|{source source-wildcard}} {any|source-port}
    {any|{destination destination-wildcard}} {any|destination-port}
    [dscp number | ip-precedence number] [flags list-of-flags]
  deny-udp [disable-port] {any|{source source-wildcard}} {any|source-port}
    {any|{destination destination-wildcard}} {any|destination-port}
    [dscp number | ip-precedence number]
Description:
  To set conditions that stop a packet from passing a named IP access list,
  use the deny command in access list configuration mode.
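
The following Python script is an added example, not part of the original manual or of the switch software: it parses permit/deny lines written in the syntax of Table 7-5 and reports which line a given packet would hit, so a draft ACL can be checked offline before it is entered. It assumes that a 1 bit in a wildcard means "ignore this bit" and that entries are evaluated top-down with the first match winning; the sample ACL, addresses and ports are constructed, and the optional trailing fields (dscp, ip-precedence, flags, ICMP/IGMP type and code) are ignored.

```python
import ipaddress
# Constructed sample ACEs in this page's syntax (addresses and ports are made up).
SAMPLE_ACL = [
    "permit-tcp 10.10.20.0 0.0.0.255 any 10.10.1.5 0.0.0.0 22",
    "deny-tcp disable-port any any 10.10.1.5 0.0.0.0 22",
    "permit-udp any any 10.10.1.53 0.0.0.0 53",
    "deny any any any",
]

def _addr(tokens):
    """Consume 'any' or 'address wildcard'; return (base, care_mask) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0
    base = int(ipaddress.IPv4Address(tokens.pop(0)))
    # Assumption: a 1 bit in the wildcard means "ignore this bit" (inverse mask).
    care = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return base & care, care

def _port(tokens):
    """Consume 'any' or a port number; None stands for any port."""
    tok = tokens.pop(0)
    return None if tok == "any" else int(tok)

def parse_ace(line):
    """Parse one permit/deny line; trailing options (dscp, flags, ...) are ignored."""
    # disable-port is a deny-only option that this model does not represent.
    tokens = [t for t in line.split() if t != "disable-port"]
    action, _, proto = tokens.pop(0).partition("-")   # "deny-tcp" -> deny, tcp
    has_ports = proto in ("tcp", "udp")               # only these forms carry ports
    if not proto:                                     # generic form: {any|protocol}
        proto = tokens.pop(0)
    src = _addr(tokens)
    sport = _port(tokens) if has_ports else None
    dst = _addr(tokens)
    dport = _port(tokens) if has_ports else None
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport)

def _ip_ok(spec, ip):
    base, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == base

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """Return (action, line); assumes top-down evaluation, first match wins."""
    for line in acl_lines:
        ace = parse_ace(line)
        if (ace["proto"] in ("any", proto) and _ip_ok(ace["src"], src) and _ip_ok(ace["dst"], dst)
                and ace["sport"] in (None, sport) and ace["dport"] in (None, dport)):
            return ace["action"], line
    return "no-match", None
```

A result of "no-match" means no listed entry covers the packet; what the switch does with such a packet is outside what this table states.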