Cisco Cisco ASR 5000
ACL Configuration Mode Commands
deny/permit (by source IP address masking) ▀
Command Line Interface Reference, StarOS Release 18 ▄
255
deny
: Indicates the rule, when matched, drops the corresponding packets.
permit
: Indicates the rule, when matched, allows the corresponding packets.
log
Default: packets are not logged.
Indicates all packets which match the filter are to be logged.
Indicates all packets which match the filter are to be logged.
Important:
The logging option is not supported for ACLs applied on SPIO or local contexts.
source_address
The IP address(es) from which the packet originated. IP addresses must be entered in IPv4 dotted-decimal
format.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then
be configured using the
format.
This option is used to filter all packets from a specific IP address or a group of IP addresses.
When specifying a group of addresses, the initial address is configured using this option. The range can then
be configured using the
source_wildcard
parameter.
source_wildcard
This option is used in conjunction with the
source_address
option to specify a group of addresses for
which packets are to be filtered.
The mask must be entered as a complement:
The mask must be entered as a complement:
Zero-bits in this parameter mean that the corresponding bits configured for the
source_address
parameter must be identical.
One-bits in this parameter mean that the corresponding bits configured for the
source_address
parameter must be ignored.
Important:
The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore,
allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and
0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
Usage
Define a rule when any packet from the IP addresses which fall into the group of addresses matching the IP
address masking. This allows the reduction of filtering rules as it does not require a rule for each source and
destination pair.
address masking. This allows the reduction of filtering rules as it does not require a rule for each source and
destination pair.
Important:
The maximum number of rules that can be configured per ACL varies depending on how the ACL is
to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide.
Example
The following command defines two rules with the second logging filtered packets:
permit 1.2.3.0 0.0.0.31
deny log 1.2.4.0 0.0.0.15
The following sets the insertion point before the first rule defined above: