IPv4 Access Control Lists (ACLs)

Configuring and Assigning an IPv4 ACL

ip access-list extended <identifier>
    [[seq-#] remark <remark-str>]
    <permit|deny> <ipv4-protocol-type> <SA> <src-acl-mask> <DA> <dest-acl-mask> [log]
    <permit|deny> tcp  <SA> <src-acl-mask> [<operator> <port-id>]
                       <DA> <dest-acl-mask> [<operator> <port-id>] [established] [log]
    <permit|deny> udp  <SA> <src-acl-mask> [<operator> <port-id>]
                       <DA> <dest-acl-mask> [<operator> <port-id>] [log]
    <permit|deny> icmp <SA> <src-acl-mask> <DA> <dest-acl-mask> [icmp-type] [log]
    <permit|deny> igmp <SA> <src-acl-mask> <DA> <dest-acl-mask> [igmp-type] [log]
    [precedence <priority>] [tos <tos-setting>]
    . . .
    <Implicit Deny>
    exit

Note: The optional log function is available only for "deny" ACEs.

Figure 9-8. Example of General Structure Options for an Extended ACL

9-38