Configuring extended ACLs

ip access–list extended <name-str>

Places the CLI in the "Named ACL" (nacl) context specified by the <name-str> alphanumeric identifier. This enables entry of individual ACEs in the specified ACL. If the ACL does not already exist, this command creates it.

<name-str>

Specifies an alphanumeric identifier for the ACL. Consists of an alphanumeric string of up to 64 case-sensitive characters. Including spaces in the string requires that you enclose the string in single or double quotes. For example: accounting ACL. You can also use this command to access an existing, numbered ACL. See Using the CLI to edit ACLs.

<deny|permit> <ip|ip-protocol|ip-protocol-nbr>

<any|host> <SA>|SA|mask-length|SA <mask>>

<any|host> <DA>|DA|mask-length|DA <mask>>

[precedence] [tos] [log]

Appends an ACE to the end of the list of ACEs in the current ACL. In the default configuration, ACEs are automatically assigned consecutive sequence numbers in increments of 10 and can be renumbered using resequence, see Resequencing the ACEs in an ACL).

	NOTE: To insert a new ACE between two existing ACEs in an extended, named ACL, precede deny or permit with an appropriate sequence number along with the ACE keywords and variables you want. See Inserting an ACE in an existing ACL. For a match to occur, a packet must have the source and destination addressing criteria specified in the ACE, as well as: the protocol-specific criteria configured in the ACE, including any included, optional elements (described later in this section) any (optional) precedence and/or ToS settings configured in the ACE

<deny|permit>

For named ACLs, these keywords are used in the "Named ACL" (nacl) context to specify whether the ACE denies or permits a packet matching the criteria in the ACE, as described below.

<ip|ip-protocol|ip-protocol-nbr>

Used after deny or permit to specify the packet protocol type required for a match. An extended ACL must include one of the following:

• ip – any IPv4 packet.

• ip-protocol – any one of the following IPv4 protocol names:

  ip-in-ip	ospf	udp*
  ipv6-in-ip	pim	icmp*
  gre	vrrp	igmp*
  esp	sctp
  ah	tcp*

• ip-protocol-nbr – the protocol number of an IPv4 packet type, such as "8" for Exterior Gateway Protocol or 121 for Simple Message Protocol. (For a listing of IPv4 protocol numbers and their corresponding protocol names, see theIANA "Protocol Number Assignment Services" at www.iana.com. (Range: 0–255)

*For TCP, UDP, ICMP, and IGMP, additional criteria can be specified, as described on Including options for TCP and UDP traffic in extended ACLs.

<any|host <SA>|SA <mask>|SA/mask-length

This is the first instance of IPv4 addressing in an extended ACE. It follows the protocol specifier and defines the source address (SA) a packet must carry for a match with the ACE.

• any

  Allows IPv4 packets from any SA.

• host <SA>

  Specifies only packets having a single address as the SA. Use this criterion when you want to match only the IPv4 packets from a single SA.

• SA <mask> or SA/mask-length

  Specifies packets received from an SA, where the SA is either a subnet or a group of addresses. The mask can be in either dotted-decimal format or CIDR format (number of significant bits).

  SA Mask application

  The mask is applied to the SA in the ACL to define which bits in a packet's SA must exactly match the SA configured in the ACL and which bits need not match.

  Example:

  10.10.10.1/24 and 10.10.10.1 0.0.0.255 both define any address in the range of 10.10.10.(1 - 255).

  Note: Specifying a group of contiguous addresses may require more than one ACE.

<any|host <DA>|DA/mask-length|DA/<mask>>

This is the second instance of IPv4 addressing in an extended ACE. It follows the first (SA) instance, described earlier, and defines the destination address (DA) that a packet must carry in order to have a match with the ACE.

• any

  Allows routed IPv4 packets to any DA.

• host <DA>

  Specifies only packets having DAas the destination address. Use this criterion when you want to match only the IPv4 packets for a single DA.

• DA/mask-length or DA <mask>

  Specifies packets intended for a destination address, where the address is either a subnet or a group of addresses. The mask format can be in either dotted-decimal format or CIDR format (number of significant bits).

  DA Mask application

  The mask is applied to the DA in the ACL to define which bits in a packet's DA must exactly match the DA configured in the ACL and which bits need not match.

[precedence <0-7|precedence-name>]

This option can be used after the DA to cause the ACE to match packets with the specified IP precedence value. Values can be entered as the following IP precedence numbers or alphanumeric names:

0 or routine

1 “ priority

2 “ immediate

3 “ flash

4 “ flash-override

5 “ critical

6 “ internet (for internetwork control)

7 “ network (for network control)

	NOTE: The precedence criteria described in this section are applied in addition to any other selection criteria configured in the same ACE.

[tos <tos-setting>]

This option can be used after the DA to cause the ACE to match packets with the specified Type-of-Service (ToS) setting. ToS values can be entered as the following numeric settings or, in the case of 0, 2, 4, and 8, as alphanumeric names:

0 or normal

2 “ max-reliability

4 “ max-throughput

6

8 “ minimize-delay

10

12

14

	NOTE: The ToS criteria in this section are applied in addition to any other criteria configured in the same ACE.

[log]

This option can be used after the DA to generate an Event Log message if:

• The action is deny. Not applicable to permit.

• There is a match.

• ACL logging is enabled.

<deny|permit> <tcp|udp>

<SA> [comparison-operator <tcp/udp-src-port>]

<DA> [comparison-operator <tcp-dest-port>][established]

[comparison-operator <udp-dest-port>]

In an extended ACL using either tcp or udp as the packet protocol type, you can optionally use TCP or UDP source and/or destination port numbers or ranges of numbers to further define the criteria for a match. For example:

#deny tcp host 10.20.10.17 eq 23 host 10.20.10.155 established

#permit tcp host 10.10.10.100 host 10.20.10.17 eq telnet

#deny udp 10.30.10.1/24 host 10.20.10.17 range 161 162

[comparison-operator <tcp/udp-src-port>]

To specify a TCP or UDP source port number in an ACE:

(1) Select a comparison operator from the following list

and

(2) Enter the port number or a well-known port name.

Comparison operators

• eq <tcp/udp-port-nbr>

  "Equal To"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be equal to <tcp/udp-port-nbr>.

• gt <tcp/udp-port-nbr>

  "Greater Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be greater than <tcp/udp-port-nbr>.

• lt <tcp/udp-port-nbr>

  "Less Than"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must be less than <tcp/udp-port-nbr>.

• neq <tcp/udp-port-nbr>

  "Not Equal"; to have a match with the ACE entry, the TCP or UDP source port number in a packet must not be equal to <tcp/udp-port-nbr>.

• range <start-port-nbr> <end-port-nbr>

  For a match with the ACE entry, the TCP or UDP source-port number in a packet must be in the range <start-port-nbr> <end-port-nbr>.

Port number or well-known port name:

Use the TCP or UDP port number required by your application.

The switch also accepts these well-known TCP or UDP port names as an alternative to their port numbers:

• TCP – bgp, dns, ftp, http, imap4, ldap, nntp, pop2, pop3, smtp, ssl, telnet

• UDP – bootpc, bootps, dns, ntp, radius, radius-old, rip, snmp, snmp-trap, tftp

To list the above names, press the [Shift] [?] key combination after entering an operator. For a comprehensive listing of port numbers, visit www.iana.org/assignments/port-numbers.

[comparison-operator <tcp-dest-port>][established]

[comparison-operator <udp-dest-port>]

This option, if used, is entered immediately after the <DA> entry.

To specify a TCP or UDP port number;

1. select a comparison operator

2. enter the port number or a well-known port name

Comparison operators and well-known port names:

These are the same as are used with the TCP/UDP source-port options, and are listed earlier in this command description.

[established]

This option applies only where TCP is the configured protocol type. It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN while allowing all other IPv4 traffic for the same type of connection in the opposite direction. For example, a Telnet connect requires TCP traffic to move both ways between a host and the target device. Simply applying a denyto inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because responses to outbound requests would be blocked. However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted, but inbound Telnet traffic trying to establish a connection would be denied.

<deny|permit> icmp <SA> <DA> [icmp-type [icmp-code]

<deny|permit> icmp <SA> <DA> [icmp-type-name][]|]

In an extended ACL using icmp as the packet protocol type (see above), you can optionally specify an individual ICMP packet type or packet type/code pair to further define the criteria for a match. This option, if used, is entered immediately after the destination address (DA) entry. The following example shows two ACEs entered in a Named ACL context:

#permit icmp any any host-unknown

#permit icmp any any 3 7

[icmp-type [icmp-code]

This option identifies an individual ICMP packet type as criteria for permitting or denying that type of ICMP traffic in an ACE.

• icmp-type — This value is in the range of 0 - 255 and corresponds to an ICMP packet type.

• icmp-code — This value is in the range of 0 - 255 and corresponds to an ICMP code for an ICMP packet type.

  For more information on ICMP type names, visit the Internet Assigned Numbers Authority (IANA) website at www.iana.com, click on “Protocol Number Assignment Services”, and then go to the selections under “Internet Control Message Protocol (ICMP) Parameters”.

[icmp-type-name]

These name options are an alternative to the [icmp-type [icmp-code]] methodology described above. For more information, visit the IANA website cited above.

administratively-prohibited	net-tos-unreachable
alternate-address	net-unreachable
conversion-error	network-unknown
dod-host-prohibited	no-room-for-option
dod-net-prohibited	option-missing
echo	packet-too-big
echo-reply	parameter-problem
general-parameter-problem	port-unreachable
host-isolated	precedence-unreachable
host-precedence-unreachable	protocol-unreachable
host-redirect	reassembly-timeout
host-tos-redirect	redirect
host-tos-unreachable	router-advertisement
host-unknown	router-solicitation
host-unreachable	source-quench
information-reply	source-route-failed
information-request	time-exceeded
mask-reply	timestamp-reply
mask-request	timestamp-request
mobile-redirect	traceroute
net-redirect	ttl-exceeded
net-tos-redirect	unreachable

<permit|deny> igmp <SA> <DA> [icmp-type

In an extended ACL using igmp as the packet protocol type, you can optionally specify an individual IGMP packet type to further define the criteria for a match. This option, if used, is entered immediately after the destination addressing entry. The following example shows an IGMP ACE entered in the Named ACL context:

HP Switch(config-ext-nacl)# permit igmp any
any host-query

[igmp-type]

The complete list of IGMP packet-type options includes:

dvmrp	trace	mtrace-request
host-query	v2-host-report	v3-host-report
host-report	v2-host-leave
pim	mtrace-reply

For more information on IGMP packet types, visit the Internet Assigned Numbers Authority (IANA) website at www.iana.com, click on “Protocol Number Assignment Services”, and then go to the selections under “Internet Group Management Protocol (IGMP) Type Numbers”.