
IPv4 Access Control Lists (ACLs)
Configuring Extended ACLs
< ip | ip-protocol | ip-protocol-nbr >
Specifies the packet protocol type required for a match. An
extended ACL must include one of the following:
• ip — any IPv4 packet.
• ip-protocol — any one of the following IPv4 protocol names:
ip-in-ip, ipv6-in-ip, gre, esp, ah, ospf, pim, vrrp, sctp, tcp*, udp*, icmp*, igmp*
• ip-protocol-nbr — the protocol number of an IPv4 packet type,
such as 8 for Exterior Gateway Protocol or 121 for Simple
Message Protocol. (For a listing of IPv4 protocol numbers
and their corresponding protocol names, refer to the IANA
“Protocol Number Assignment Services” at www.iana.com.)
(Range: 0 - 255)
* For TCP, UDP, ICMP, and IGMP, additional criteria can be
specified, as described later in this section.
< any | host < SA > | SA/mask-length | SA < mask >>
In an extended ACL, this parameter defines the source address
(SA) that a packet must carry in order to have a match with
the ACE.
• any — Specifies all inbound IPv4 packets.
• host < SA > — Specifies only inbound IPv4 packets from a
single address. Use this option when you want to match only
the IPv4 packets from a single source address.
• SA/mask-length or SA < mask > — Specifies packets received
from an SA, where the SA is either a subnet or a group of
IPv4 addresses. The mask can be in either dotted-decimal
format or CIDR format with the number of significant bits.
Refer to “Using CIDR Notation To Enter the IPv4 ACL Mask”
on page 9-43.
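As an added example (not code from the manual or the switch), the following Python resolves the protocol and source-address parameters described above and tests sample packets against them. It covers only the portion of the ACE syntax on this page (action, protocol, source address) and assumes the dotted-decimal mask follows the switch's ACL-mask convention, where 0 bits must match and 1 bits are wildcards; the page defers that convention to its CIDR-notation section.

```python
import ipaddress

# Protocol names the page lists, with their IANA protocol numbers
# (table built for this example; "ip" means any IPv4 packet).
PROTO_NUMBERS = {
    "ip-in-ip": 4, "ipv6-in-ip": 41, "gre": 47, "esp": 50, "ah": 51,
    "ospf": 89, "pim": 103, "vrrp": 112, "sctp": 132, "tcp": 6,
    "udp": 17, "icmp": 1, "igmp": 2,
}

def parse_protocol(token):
    """Return None for 'ip' (any protocol), else a protocol number 0-255."""
    if token == "ip":
        return None
    if token in PROTO_NUMBERS:
        return PROTO_NUMBERS[token]
    number = int(token)
    if not 0 <= number <= 255:
        raise ValueError(f"protocol number out of range 0-255: {token}")
    return number

def parse_source(tokens):
    """Return (network, match_bits) for the four SA forms on the page.

    match_bits has a 1 for every address bit that must match. For the
    dotted-decimal form the mask is ASSUMED to be the ACL mask (0 bits
    must match, 1 bits are wildcards), so it is inverted here.
    """
    if tokens[0] == "any":
        return 0, 0
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0xFFFFFFFF
    if "/" in tokens[0]:                      # SA/mask-length (CIDR form)
        net = ipaddress.IPv4Network(tokens[0], strict=False)
        return int(net.network_address), int(net.netmask)
    addr = int(ipaddress.IPv4Address(tokens[0]))   # SA <mask> form
    acl_mask = int(ipaddress.IPv4Address(tokens[1]))
    match_bits = acl_mask ^ 0xFFFFFFFF
    return addr & match_bits, match_bits

def parse_ace(ace):
    """Parse '<permit|deny> <protocol> <source...>' into a matcher tuple."""
    action, proto, *src = ace.split()
    return action, parse_protocol(proto), parse_source(src)

def ace_matches(parsed_ace, packet_proto, packet_src):
    """True if a packet (protocol number, source address) matches the ACE."""
    _, proto, (network, match_bits) = parsed_ace
    if proto is not None and proto != packet_proto:
        return False
    return (int(ipaddress.IPv4Address(packet_src)) & match_bits) == network
```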
9-68