User Manual
UMN:CLI
V8102
7.18.6.2 Filters Using Extended IP ACLs
To create an extended named ACL to filter traffic based on specific protocols, use the following command.
Command: ip access-list extended {<100-199> | <2000-2699> | WORD}
Mode: Global
Description: Creates an extended ACL entry.
  100-199: extended access list number
  2000-2699: extended access list number (expanded range)
  WORD: access-list name

Command: no ip access-list extended {<100-199> | <2000-2699> | WORD}
Mode: Global
Description: Deletes the configured extended ACL entry.
After creating an extended IP address-based ACL entry, the prompt changes from SWITCH(config)# to SWITCH(config-ext-nacl)#.
To configure an extended ACL entry, use the following command.
Command: [<1-2147483647>] {deny | permit} {<0-255> | ahp | eigrp | esp | gre | ip | ipinip | nos | ospf | pcp | pim} {any | host A.B.C.D | A.B.C.D WILDCARD-BITS} {any | host A.B.C.D | A.B.C.D WILDCARD-BITS} [{precedence <0-7> | tos <0-255> | dscp <0-63>}] [{log | log-input} tag WORD]
Mode: Extended ACL Mode
Description: Specifies a deny or permit statement of the extended ACL with each protocol.
  1-2147483647: sequence number
  any: any source/destination IP address
  host: a single source/destination IP address
  A.B.C.D: source/destination IP address to match
  WILDCARD-BITS: bits for use of wildcard masking

Command: [<1-2147483647>] {deny | permit} icmp {any | host A.B.C.D | A.B.C.D WILDCARD-BITS} {any | host A.B.C.D | A.B.C.D WILDCARD-BITS} [{TYPE CODE | administratively-prohibited | alternate-address | conversion-error | dod-host-prohibited | dod-net-prohibited | echo | echo-reply | general-parameter-problem | host-isolated | host-precedence-unreachable | host-redirect | host-tos-redirect | host-tos-unreachable | host-unknown | host-unreachable | information-reply | information-request | mask-reply | mask-request | mobile-redirect | net-redirect | net-tos-redirect | net-tos-unreachable | net-unreachable | network-unknown | no-room-for-option | option-missing | packet-too-big | parameter-problem | port-unreachable | precedence-unreachable | protocol-unreachable | reassembly-timeout | redirect | router-advertisement | router-
Mode: Extended ACL Mode
Description: Specifies a deny or permit statement of the extended ACL based on ICMP.
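The following is an added example and not part of the V8102 manual or the switch software: a small Python evaluator for the statement syntax in the two tables above, useful for checking an extended ACL offline before it is applied to an interface. It assumes first-match evaluation in sequence-number order with an implicit deny after the last entry (standard ACL semantics, which this page does not state), a keyword-to-protocol-number mapping taken from the IANA registry rather than from the manual, and that unnumbered entries are appended in steps of 10. The ACL contents and packets are constructed; ICMP type keywords, precedence/tos/dscp and tag are accepted but not evaluated.

```python
# Added example, not from the V8102 manual: an offline evaluator for the
# extended-ACL statement syntax in the table above.  Assumptions (not stated on
# this page): entries are evaluated in sequence-number order, first match wins,
# and a packet matching no entry is denied.  ACL contents below are constructed.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed keyword-to-number mapping (IANA protocol numbers); the manual lists
# the keywords only.  "ip" means any IP protocol.
PROTOCOLS = {
    "ip": None, "icmp": 1, "ipinip": 4, "gre": 47, "esp": 50, "ahp": 51,
    "eigrp": 88, "ospf": 89, "nos": 94, "pim": 103, "pcp": 108,
}


@dataclass
class AddrSpec:
    base: int  # address bits that must agree with the packet
    wild: int  # wildcard bits: 1 = don't care, 0 = must match (inverse of a netmask)

    def matches(self, addr: str) -> bool:
        a = int(ipaddress.IPv4Address(addr))
        # Only bits where the wildcard is 0 have to agree.
        return ((a ^ self.base) & ~self.wild & 0xFFFFFFFF) == 0


@dataclass
class Entry:
    seq: int
    action: str
    proto: Optional[int]  # None = any IP protocol ("ip" keyword)
    src: AddrSpec
    dst: AddrSpec
    log: bool = False


def parse_addr(tokens: list[str]) -> tuple[AddrSpec, list[str]]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD-BITS' from tokens."""
    if tokens[0] == "any":
        return AddrSpec(0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return AddrSpec(int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1]))
    return AddrSpec(base, wild), tokens[2:]


class ExtendedAcl:
    """Named extended ACL: ordered deny/permit entries, first match wins."""

    def __init__(self, name: str):
        self.name = name
        self.entries: list[Entry] = []

    def _next_seq(self) -> int:
        # Assumption for this example: unnumbered entries go to the end in steps of 10.
        return self.entries[-1].seq + 10 if self.entries else 10

    def add(self, statement: str) -> Entry:
        """Parse '[seq] {deny|permit} PROTO SRC DST [options]'.

        Trailing options (precedence/tos/dscp, ICMP type keywords, tag) are
        accepted but not evaluated; only log/log-input is recorded."""
        tokens = statement.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else self._next_seq()
        action = tokens.pop(0)
        if action not in ("deny", "permit"):
            raise ValueError(f"expected deny|permit, got {action!r}")
        proto_tok = tokens.pop(0)
        proto = int(proto_tok) if proto_tok.isdigit() else PROTOCOLS[proto_tok]
        src, tokens = parse_addr(tokens)
        dst, tokens = parse_addr(tokens)
        entry = Entry(seq, action, proto, src, dst,
                      log=bool({"log", "log-input"} & set(tokens)))
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.seq)
        return entry

    def evaluate(self, proto: int, src: str, dst: str) -> tuple[str, Optional[int]]:
        """Return (action, sequence number of the matching entry).

        A packet that matches no entry gets ('deny', None): the implicit deny."""
        for e in self.entries:
            if e.proto is not None and e.proto != proto:
                continue
            if e.src.matches(src) and e.dst.matches(dst):
                return e.action, e.seq
        return "deny", None


def demo() -> dict:
    """Constructed ACLs showing host-before-subnet ordering and the implicit deny."""
    acl = ExtendedAcl("MGMT-IN")
    acl.add("10 deny ip host 10.1.1.5 any log")      # block one host first ...
    acl.add("20 permit ip 10.1.1.0 0.0.0.255 any")   # ... then permit its /24
    acl.add("30 permit icmp any host 10.0.0.1 echo")
    wrong = ExtendedAcl("MGMT-IN-WRONG")             # same entries, wrong order
    wrong.add("permit ip 10.1.1.0 0.0.0.255 any")    # auto seq 10
    wrong.add("deny ip host 10.1.1.5 any")           # auto seq 20, never reached
    return {
        "blocked_host": acl.evaluate(6, "10.1.1.5", "10.0.0.1"),    # ('deny', 10)
        "same_subnet": acl.evaluate(6, "10.1.1.77", "10.0.0.1"),    # ('permit', 20)
        "icmp_outside": acl.evaluate(1, "192.0.2.9", "10.0.0.1"),   # ('permit', 30)
        "implicit_deny": acl.evaluate(6, "192.0.2.9", "10.0.0.1"),  # ('deny', None)
        "shadowed_deny": wrong.evaluate(6, "10.1.1.5", "10.0.0.1"), # ('permit', 10)
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

Running the script prints one line per probe. The "shadowed_deny" case is the point to take away: because WILDCARD-BITS are the inverse of a netmask (0.0.0.255 covers the whole /24) and the first matching entry decides, a host-specific deny added after a subnet-wide permit never takes effect, so sequence numbers should be chosen to put the narrowest entries first.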