Creating or adding to an extended, numbered ACL

This command is an alternative to using ip access-list extended name-str and does not use the nacl context.

Syntax


access-list <100-199> <deny | permit> <ip | ip-protocol | ip-protocol-nbr> <any | host <SA> | SA/mask-length | SA <mask>> <any | host <DA> | DA/mask-length | DA <mask>> [precedence <0-7 | precedence-name>] [tos <tos-setting>] [log]

NOTE:

If the ACL does not already exist, this command creates the specified ACL and its first ACE. If the ACL already exists, the new ACE is appended to the end of the configured list of explicit ACEs. In the default configuration, the ACEs in an ACL are automatically assigned consecutive sequence numbers in increments of 10 (10, 20, 30, ...) and can be renumbered with the resequence command; see Resequencing the ACEs in an ACL.

To insert a new ACE between two existing ACEs in an extended, numbered ACL, see the Procedure at the end of this section.

For a match to occur, a packet must have the source and destination addressing criteria specified in the ACE, as well as:
  • The protocol-specific criteria configured in the ACE, including any optional elements it contains (described later in this section).

  • Any (optional) precedence and ToS settings configured in the ACE.


<100-199>

Specifies the ACL ID number. The switch interprets a numeric ACL with a value in this range as an extended ACL.


{<deny | permit>}
Specifies whether to deny (drop) or permit (forward) a packet that matches the criteria specified in the ACE, as described below.

{<ip | ip-protocol | ip-protocol-nbr>}
Specifies the packet protocol type required for a match. An extended ACL must include one of the following:
  • ip

    — any IPv4 packet.

  • ip-protocol

    — any one of the following IPv4 protocol names:
    ah, esp, gre, icmp*, igmp*, ip-in-ip, ipv6-in-ip, ospf, pim, sctp, tcp*, udp*, vrrp

    * For TCP, UDP, ICMP, and IGMP, additional criteria can be specified, as described later in this section.
  • ip-protocol-nbr

    — the protocol number of an IPv4 packet type, such as 8 for Exterior Gateway Protocol (EGP) or 121 for Simple Message Protocol (SMP). (For a listing of IPv4 protocol numbers and their corresponding protocol names, see the IANA "Protocol Number Assignment Services" at www.iana.org.) (Range: 0-255)


{<any | host <SA> | SA/mask-length | SA <mask>>}
In an extended ACL, this parameter defines the source address (SA) that a packet must carry in order to have a match with the ACE.
  • any

    Specifies all inbound IPv4 packets.

  • host <SA>

    Specifies only inbound IPv4 packets from a single address. Use this option when you want to match only the IPv4 packets from a single source address.

  • SA/mask-length or SA <mask>

    Specifies packets received from an SA, where the SA is either a subnet or a group of IPv4 addresses. The mask can be in either CIDR format (the number of significant bits) or dotted-decimal format. See How an ACE uses a mask to screen packets for matches.
    
    SA mask application
    
    The mask is applied to the SA in the ACL to define which bits in a packet's SA must exactly match the address configured in the ACL and which bits need not match. In dotted-decimal format the mask is a wildcard mask: a 0 bit means the corresponding bit of the packet's SA must match, and a 1 bit means it is ignored. For example, 10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any IPv4 address in the range 10.10.10.0 through 10.10.10.255.
    NOTE:

    Specifying a group of contiguous IPv4 addresses may require more than one ACE, because each ACE can only describe a range that is aligned to a power of two. For more on how masks operate in ACLs, see How an ACE uses a mask to screen packets for matches.

Syntax

{<any | host <SA> | SA/mask-length | SA <mask>>}
This is the second instance of addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE. The options are the same as shown for <SA>.
  • any

    Specifies IPv4 packets to any DA.

  • host <DA>

    Specifies only the packets having DA as the destination address. Use this criterion when you want to match only the IPv4 packets for a single DA.

  • DA/mask-length or DA <mask>

    Specifies packets intended for a destination address, where the address is either a subnet or a group of IPv4 addresses. The mask can be in either dotted-decimal (wildcard) format or CIDR format (number of significant bits). See How an ACE uses a mask to screen packets for matches.
    
    DA Mask application
    
    The mask is applied to the DA in the ACL to define which bits in a packet's DA must exactly match the DA configured in the ACL and which bits need not match. See also the above example and note.
Syntax

[precedence <0-7 | precedence-name>]
This option causes the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names:
  • 0 or routine
  • 1 or priority
  • 2 or immediate
  • 3 or flash
  • 4 or flash-override
  • 5 or critical
  • 6 or internet (for internetwork control)
  • 7 or network (for network control)
NOTE:

The precedence criteria described in this section are applied in addition to any other selection criteria configured in the same ACE.


[tos <tos-setting>]
This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names:
  • 0 or normal
  • 2 or max-reliability
  • 4 or max-throughput
  • 6 (no name)
  • 8 or minimize-delay
NOTE:

The ToS criteria in this section are applied in addition to any other criteria configured in the same ACE.


[log]
Optional; generates an Event Log message if:
  • The action is deny. This option is not configurable for Permit.

  • There is a match.

  • ACL logging is enabled on the switch. See Enabling ACL logging on the switch for details.

Procedure
  1. Use ip access-list extended <100-199> to open the numbered ACL in the nacl context, as you would a named ACL.
  2. Enter a sequence number that falls between the two existing ACEs, followed by the ACE statement you want (for example, with the default numbering, a sequence number of 15 places the new ACE between the ACEs numbered 10 and 20).
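The following is an added Python model of the behaviour described in this section (the access-list syntax above, the SA/DA mask application, the default sequence numbering, and the insertion procedure); it is example code written for this page, not switch software. It parses the command form shown in the Syntax block and the <seq> <ace> form used in the procedure, evaluates a packet against the ACEs in sequence order, and emits the ACEs needed to cover a contiguous address range. Assumptions not stated on this page: the protocol-number table comes from the IANA registry; a packet that matches no ACE is dropped (the implicit deny on ProCurve/Aruba switches); TCP/UDP/ICMP/IGMP additional criteria are not modelled; ACL 101 and the packets in the tests are constructed sample data.

```python
"""Model of how the switch evaluates an extended, numbered ACL (added example, not switch code).
Numbering, masks and first-match order follow this page; the implicit deny when no ACE matches
is an assumption about the platform, not stated on this page."""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

PROTO_NUM = {"icmp": 1, "igmp": 2, "ip-in-ip": 4, "tcp": 6, "udp": 17, "ipv6-in-ip": 41,
             "gre": 47, "esp": 50, "ah": 51, "ospf": 89, "pim": 103, "vrrp": 112, "sctp": 132}
NAMES = {"precedence": {"routine": 0, "priority": 1, "immediate": 2, "flash": 3,
                        "flash-override": 4, "critical": 5, "internet": 6, "network": 7},
         "tos": {"normal": 0, "max-reliability": 2, "max-throughput": 4, "minimize-delay": 8}}

def parse_addr(tokens):
    """Consume any | host A | A/len | A wildcard; return (address, mask) where 1 bits must match."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    if "/" in tok:
        net = IPv4Network(tok, strict=False)
        return int(net.network_address), int(net.netmask)
    wildcard = int(IPv4Address(tokens.pop(0)))  # dotted-decimal form: 0 = must match, 1 = ignore
    mask = 0xFFFFFFFF ^ wildcard
    return int(IPv4Address(tok)) & mask, mask

def parse_ace(line):
    """Parse 'access-list <n> ...' or the nacl-context form '<seq> ...'; returns (seq or None, ace).
    'ip' matches any IPv4 packet; TCP/UDP/ICMP/IGMP extra criteria are not modelled."""
    tokens, seq = line.split(), None
    if tokens[0] == "access-list":
        del tokens[:2]
    elif tokens[0].isdigit():
        seq = int(tokens.pop(0))
    action, proto = tokens.pop(0), tokens.pop(0)
    proto = None if proto == "ip" else int(proto) if proto.isdigit() else PROTO_NUM[proto]
    ace = {"action": action, "proto": proto, "src": parse_addr(tokens),
           "dst": parse_addr(tokens), "precedence": None, "tos": None, "log": False}
    while tokens:
        opt = tokens.pop(0)
        if opt in NAMES:
            v = tokens.pop(0)
            ace[opt] = int(v) if v.isdigit() else NAMES[opt][v]
        elif opt == "log" and action == "deny":  # log is not configurable on permit
            ace["log"] = True
        else:
            raise ValueError("bad option %r for %s ACE" % (opt, action))
    return seq, ace

def matches(ace, pkt):
    """Every criterion in the ACE must hold: protocol, SA, DA, and precedence/ToS if set."""
    if ace["proto"] is not None and pkt["proto"] != ace["proto"]:
        return False
    for key in ("src", "dst"):
        addr, mask = ace[key]
        if int(IPv4Address(pkt[key])) & mask != addr:
            return False
    return all(ace[k] is None or pkt.get(k, 0) == ace[k] for k in ("precedence", "tos"))

class ExtendedAcl:
    def __init__(self, number):
        if not 100 <= number <= 199:
            raise ValueError("extended numbered ACLs use IDs 100-199")
        self.number, self.aces = number, []  # aces: [(seq, ace)] kept sorted by seq

    def add(self, line):
        """No sequence number: append at last + 10. With one (nacl context): place by number."""
        seq, ace = parse_ace(line)
        if seq is None:
            seq = self.aces[-1][0] + 10 if self.aces else 10
        if any(s == seq for s, _ in self.aces):
            raise ValueError("sequence number %d already in use" % seq)
        self.aces.append((seq, ace))
        self.aces.sort(key=lambda e: e[0])
        return seq

    def resequence(self, start=10, step=10):
        self.aces = [(start + i * step, ace) for i, (_, ace) in enumerate(self.aces)]

    def evaluate(self, pkt):
        """First matching ACE decides; no match falls through to the (assumed) implicit deny."""
        for seq, ace in self.aces:
            if matches(ace, pkt):
                return ace["action"], seq
        return "deny", None

def aces_for_range(number, action, proto, first, last, dst="any"):
    """CLI lines needed to cover a contiguous SA range: one ACE per covering prefix."""
    nets = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return ["access-list %d %s %s %s %s" % (number, action, proto, n.with_prefixlen, dst)
            for n in nets]

def build_example():
    """Constructed ACL 101: 10.10.10.0/24 (written both ways) may reach one server; all else is logged and dropped."""
    acl = ExtendedAcl(101)
    acl.add("access-list 101 permit tcp 10.10.10.1 0.0.0.255 host 192.0.2.10")
    acl.add("access-list 101 permit udp 10.10.10.0/24 host 192.0.2.10")
    acl.add("access-list 101 deny ip any any log")
    return acl
```

The point the model makes visible is ordering. Because access-list <100-199> always appends, a permit added with that command after the deny ip any any ACE receives sequence number 40 and can never match; to take effect it has to be entered in the nacl context with a sequence number such as 25, exactly as the Procedure above describes. parse_addr also shows that 10.10.10.1/24 and 10.10.10.1 0.0.0.255 reduce to the same (address, mask) pair, and aces_for_range shows why a range such as 10.10.10.5 through 10.10.10.10 needs four ACEs rather than one.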