NOTE: Also refer to the Commands Common to all ACL Types and Common IP ACL Commands
sections.
deny
Configure a filter that drops IP packets meeting the filter criteria.
Syntax deny {ip | ip-protocol-number} {source mask | any | host ip-
address} {destination mask | any | host ip-address} [count
[byte] | log] [dscp value] [order] [monitor] [fragments]
To remove this filter, you have two choices:
• Use the no seq sequence-number command if you know the filter’s
sequence number.
• Use the no deny {ip | ip-protocol-number} {source mask | any |
host ip-address} {destination mask | any | host ip-address}
command.
Parameters ip Enter the keyword ip to configure a generic IP access list.
The keyword ip specifies that the access list denies all IP
protocols.
ip-protocol-
number
Enter a number from 0 to 255 to deny based on the protocol
identified in the IP protocol header.
source Enter the IP address of the network or host from which the
packets were sent.
mask Enter a network mask in /prefix format (/x) or A.B.C.D. The
mask, when specified in A.B.C.D format, may be either
contiguous or noncontiguous.
any Enter the keyword any to specify that all routes are subject
to the filter.
host ip-address Enter the keyword host then the IP address to specify a host
IP address.
destination Enter the IP address of the network or host to which the
packets are sent.
count (OPTIONAL) Enter the keyword count to count packets that
the filter processes.
byte (OPTIONAL) Enter the keyword byte to count bytes that the
filter processes.
log (OPTIONAL, E-Series only) Enter the keyword log to enter
ACL matches in the log.
dscp (OPTIONAL) Enter the keyword dcsp to match to the IP
DCSCP values.
order (OPTIONAL) Enter the keyword order to specify the QoS
priority for the ACL entry. The range is from 0 to 254 (where
0 is the highest priority and 254 is the lowest; lower-order
198 Access Control Lists (ACL)