Cisco ASR 5700
ACL Configuration Mode Commands
deny/permit (by TCP/UDP packets)
Command Line Interface Reference, StarOS Release 17
One-bits in this parameter mean that the corresponding bits configured for the dest_address parameter must be ignored.
Important: The mask must contain a contiguous set of one-bits from the least significant bit (LSB). Therefore, allowed masks are 0, 1, 3, 7, 15, 31, 63, 127, and 255. For example, acceptable wildcards are 0.0.0.3, 0.0.0.255, and 0.0.15.255. A wildcard of 0.0.7.15 is not acceptable since the one-bits are not contiguous.
eq dest_port
Specifies a single, specific destination TCP port number to be filtered. dest_port must be an integer from 0 through 65535.
gt dest_port
Specifies that all destination TCP port numbers greater than the one specified are to be filtered. dest_port must be an integer from 0 through 65535.
lt dest_port
Specifies that all destination TCP port numbers less than the one specified are to be filtered. dest_port must be an integer from 0 through 65535.
neq dest_port
Specifies that all destination TCP port numbers not equal to the one specified are to be filtered. dest_port must be an integer from 0 through 65535.
range start_port end_port
Specifies a range of ports to be matched.
start_port must be an integer from 0 through 65535, and must be less than the end_port value.
end_port must be an integer from 0 through 65535, and must be greater than the start_port value.
Important: This option is supported in PDIF Release 8.3.
Usage
Block IP packets when the source and destination are of interest but for only a limited set of ports.
Important: The maximum number of rules that can be configured per ACL varies depending on how the ACL is to be used. For more information, refer to the Engineering Rules appendix in the System Administration Guide.
Example
The following commands define four rules with the second and fourth rules logging filtered packets:
permit tcp host 10.2.3.4 any
deny log udp 10.2.3.0 0.0.0.31 host 10.2.4.16
permit tcp host 10.2.3.64 gt 1023 any
deny log udp 10.2.3.0 0.0.0.31 10.2.4.127 0.0.0.127
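The wildcard rule and the "ignored bits" matching described above, as an added example (not from the Cisco reference): Python that rejects wildcards whose one-bits are not contiguous from the LSB and computes the address range an address/wildcard pair covers. The function names are hypothetical, and it assumes contiguity is judged over the whole 32-bit value, consistent with the 0.0.15.255 example.

```python
import ipaddress

MASK32 = 0xFFFFFFFF

def parse_wildcard(text):
    """Return the wildcard as a 32-bit int, or raise ValueError if its
    one-bits are not contiguous from the least significant bit."""
    value = int(ipaddress.IPv4Address(text))
    # A run of ones starting at bit 0 has the form 2**n - 1, so adding 1
    # gives a power of two that shares no set bit with the original value.
    if value & (value + 1):
        raise ValueError(f"wildcard {text}: one-bits not contiguous from LSB")
    return value

def is_valid_wildcard(text):
    try:
        parse_wildcard(text)
        return True
    except ValueError:
        return False

def matches(address, base, wildcard):
    """True if address equals base on every bit the wildcard does not ignore."""
    care = ~parse_wildcard(wildcard) & MASK32
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    return ((a ^ b) & care) == 0

def covered_range(base, wildcard):
    """First and last address matched by a base/wildcard pair."""
    w = parse_wildcard(wildcard)
    low = int(ipaddress.IPv4Address(base)) & ~w & MASK32
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(low | w))

if __name__ == "__main__":
    # Wildcards quoted in the Important note above.
    for w in ("0.0.0.3", "0.0.0.255", "0.0.15.255", "0.0.7.15"):
        print(w, "valid" if is_valid_wildcard(w) else "rejected")
    # Address/wildcard pairs taken from the example rules above.
    print(covered_range("10.2.3.0", "0.0.0.31"))
    print(covered_range("10.2.4.127", "0.0.0.127"))
```

Because wildcard bits are ignored in the configured address, the pair 10.2.4.127 0.0.0.127 in the fourth rule covers 10.2.4.0 through 10.2.4.127, which includes host 10.2.4.16 from the second rule.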