access-list extended

Configure Extended Access List

extended Specification

Parameter Value
Type Collection
Object Key(s) extd
Collection Name extended-list
Collection URI /axapi/v3/access-list/extended
Element Name extended
Element URI /axapi/v3/access-list/extended/{extd}
Element Attributes extended_attributes
Partition Visibility shared
Schema extended schema

Operations Allowed:

Operation       Method  URI                                     Payload
Create Object   POST    /axapi/v3/access-list/extended          extended attributes
Create List     POST    /axapi/v3/access-list/extended          extended attributes
Get Object      GET     /axapi/v3/access-list/extended/{extd}   extended attributes
Get List        GET     /axapi/v3/access-list/extended          extended-list
Modify Object   POST    /axapi/v3/access-list/extended/{extd}   extended attributes
Replace Object  PUT     /axapi/v3/access-list/extended/{extd}   extended attributes
Replace List    PUT     /axapi/v3/access-list/extended          extended-list
Delete Object   DELETE  /axapi/v3/access-list/extended/{extd}   extended attributes

extended-list

extended-list is JSON List of extended attributes

extended-list : [

extended attributes

extd

Description IP extended access list

Type: number

Range: 100-199

rules

Type: List

uuid

Description uuid of the object

Type: string

Maximum Length: 64 characters

Minimum Length: 1 character

rules

Specification Value
Type list
Block object keys  

acl-log

Description Log matches against this entry

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

any-code

Description Any ICMP code

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: any-code, icmp-code, and special-code are mutually exclusive

any-type

Description Any ICMP type

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: any-type, icmp-type, and special-type are mutually exclusive

dscp

Description DSCP

Type: number

Range: 1-63

dst-any

Description Any destination host

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: dst-any, dst-host, dst-subnet, and dst-object-group are mutually exclusive

dst-eq

Description Match only packets on a given destination port (port number)

Type: number

Range: 1-65535

Mutual Exclusion: dst-eq, dst-gt, dst-lt, and dst-range are mutually exclusive

dst-gt

Description Match only packets with a greater port number

Type: number

Range: 1-65534

Mutual Exclusion: dst-gt, dst-eq, dst-lt, and dst-range are mutually exclusive

dst-host

Description A single destination host (Host address)

Type: string

Format: ipv4-address

Mutual Exclusion: dst-host, dst-any, dst-subnet, and dst-object-group are mutually exclusive

dst-lt

Description Match only packets with a lesser port number

Type: number

Range: 2-65535

Mutual Exclusion: dst-lt, dst-eq, dst-gt, and dst-range are mutually exclusive

dst-mask

Description Destination Mask 0=apply 255=ignore

Type: string

Format: ipv4-rev-netmask

dst-object-group

Description Destination network object group name

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: dst-object-group, dst-any, dst-host, and dst-subnet are mutually exclusive

dst-port-end

Description Ending Destination Port Number

Type: number

Range: 1-65535

dst-range

Description Match only packets in the range of port numbers (Starting Destination Port Number)

Type: number

Range: 1-65535

Mutual Exclusion: dst-range, dst-eq, dst-gt, and dst-lt are mutually exclusive

dst-subnet

Description Destination Address

Type: string

Format: ipv4-address

Mutual Exclusion: dst-subnet, dst-any, dst-host, and dst-object-group are mutually exclusive

established

Description TCP established

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

ethernet

Description Ethernet interface (Port number)

Type: number

Format: interface

extd-action

Description ‘deny’: Deny; ‘permit’: Permit; ‘l3-vlan-fwd-disable’: Disable L3 forwarding between VLANs;

Type: string

Supported Values: deny, permit, l3-vlan-fwd-disable

extd-remark

Description Access list entry comment (Notes for this ACL)

Type: string

Format: string-rlx

Maximum Length: 63 characters

Minimum Length: 1 character

extd-seq-num

Description Sequence number

Type: number

Range: 1-8192

fragments

Description IP fragments

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

icmp

Description Internet Control Message Protocol

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: icmp, tcp, udp, ip, and service-obj-group are mutually exclusive

icmp-code

Description ICMP code number

Type: number

Range: 0-254

Mutual Exclusion: icmp-code, any-code, and special-code are mutually exclusive

icmp-type

Description ICMP type number

Type: number

Range: 0-254

Mutual Exclusion: icmp-type, any-type, and special-type are mutually exclusive

ip

Description Any Internet Protocol

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: ip, icmp, tcp, udp, and service-obj-group are mutually exclusive

service-obj-group

Description Service object group (Source object group name)

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: service-obj-group, icmp, tcp, udp, and ip are mutually exclusive

special-code

Description ‘frag-required’: Code 4, fragmentation required; ‘host-unreachable’: Code 1, destination host unreachable; ‘network-unreachable’: Code 0, destination network unreachable; ‘port-unreachable’: Code 3, destination port unreachable; ‘proto-unreachable’: Code 2, destination protocol unreachable; ‘route-failed’: Code 5, source route failed;

Type: string

Supported Values: frag-required, host-unreachable, network-unreachable, port-unreachable, proto-unreachable, route-failed

Mutual Exclusion: special-code, any-code, and icmp-code are mutually exclusive

special-type

Description ‘echo-reply’: Type 0, echo reply; ‘echo-request’: Type 8, echo request; ‘info-reply’: Type 16, information reply; ‘info-request’: Type 15, information request; ‘mask-reply’: Type 18, address mask reply; ‘mask-request’: Type 17, address mask request; ‘parameter-problem’: Type 12, parameter problem; ‘redirect’: Type 5, redirect message; ‘source-quench’: Type 4, source quench; ‘time-exceeded’: Type 11, time exceeded; ‘timestamp’: Type 13, timestamp; ‘timestamp-reply’: Type 14, timestamp reply; ‘dest-unreachable’: Type 3, destination unreachable;

Type: string

Supported Values: echo-reply, echo-request, info-reply, info-request, mask-reply, mask-request, parameter-problem, redirect, source-quench, time-exceeded, timestamp, timestamp-reply, dest-unreachable

Mutual Exclusion: special-type, icmp-type, and any-type are mutually exclusive

src-any

Description Any source host

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: src-any, src-host, src-subnet, and src-object-group are mutually exclusive

src-eq

Description Match only packets on a given source port (port number)

Type: number

Range: 1-65535

Mutual Exclusion: src-eq, src-gt, src-lt, and src-range are mutually exclusive

src-gt

Description Match only packets with a greater port number

Type: number

Range: 1-65534

Mutual Exclusion: src-gt, src-eq, src-lt, and src-range are mutually exclusive

src-host

Description A single source host (Host address)

Type: string

Format: ipv4-address

Mutual Exclusion: src-host, src-any, src-subnet, and src-object-group are mutually exclusive

src-lt

Description Match only packets with a lower port number

Type: number

Range: 2-65535

Mutual Exclusion: src-lt, src-eq, src-gt, and src-range are mutually exclusive

src-mask

Description Source Mask 0=apply 255=ignore

Type: string

Format: ipv4-rev-netmask

src-object-group

Description Network object group (Source network object group name)

Type: string

Maximum Length: 63 characters

Minimum Length: 1 character

Mutual Exclusion: src-object-group, src-any, src-host, and src-subnet are mutually exclusive

src-port-end

Description Ending Port Number

Type: number

Range: 1-65535

src-range

Description Match only packets in the range of port numbers (Starting Port Number)

Type: number

Range: 1-65535

Mutual Exclusion: src-range, src-eq, src-gt, and src-lt are mutually exclusive

src-subnet

Description Source Address

Type: string

Format: ipv4-address

Mutual Exclusion: src-subnet, src-any, src-host, and src-object-group are mutually exclusive

tcp

Description protocol TCP

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: tcp, icmp, udp, ip, and service-obj-group are mutually exclusive

transparent-session-only

Description Only log transparent sessions

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

trunk

Description Ethernet trunk (trunk number)

Type: number

Format: interface

udp

Description protocol UDP

Type: boolean

Supported Values: true, false, 1, 0

Default: 0

Mutual Exclusion: udp, icmp, tcp, ip, and service-obj-group are mutually exclusive

vlan

Description VLAN ID

Type: number

Range: 1-4094
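
The numeric ranges, supported values and mutual-exclusion groups listed above can be checked before a rule list is sent to /axapi/v3/access-list/extended. The Python below is an added example, not code from the vendor or from the original page; the function names and the sample rules are constructed for illustration, and only the attribute names and limits are taken from this reference.

```python
# Added example (not vendor code): pre-flight check of extended ACL rules
# against the limits on this page. Function names and samples are constructed.
MUTEX = [  # mutual-exclusion groups from the attribute descriptions
    ("icmp", "tcp", "udp", "ip", "service-obj-group"),
    ("src-any", "src-host", "src-subnet", "src-object-group"),
    ("dst-any", "dst-host", "dst-subnet", "dst-object-group"),
    ("src-eq", "src-gt", "src-lt", "src-range"),
    ("dst-eq", "dst-gt", "dst-lt", "dst-range"),
    ("any-type", "icmp-type", "special-type"),
    ("any-code", "icmp-code", "special-code"),
]
RANGES = {  # inclusive numeric ranges from the attribute descriptions
    "extd-seq-num": (1, 8192), "dscp": (1, 63), "vlan": (1, 4094),
    "icmp-type": (0, 254), "icmp-code": (0, 254), "src-eq": (1, 65535),
    "src-gt": (1, 65534), "src-lt": (2, 65535), "src-range": (1, 65535),
    "src-port-end": (1, 65535), "dst-eq": (1, 65535), "dst-gt": (1, 65534),
    "dst-lt": (2, 65535), "dst-range": (1, 65535), "dst-port-end": (1, 65535),
}
ACTIONS = {"deny", "permit", "l3-vlan-fwd-disable"}

def is_set(rule, key):
    # Numeric keys count even at 0 (icmp-type 0 is valid); flags default to 0.
    return key in rule and (key in RANGES or bool(rule[key]))

def validate_rule(rule):
    errors = []
    for group in MUTEX:
        used = [k for k in group if is_set(rule, k)]
        if len(used) > 1:
            errors.append("mutually exclusive: " + ", ".join(used))
    for key, (lo, hi) in RANGES.items():
        value = rule.get(key)
        if key in rule and not (isinstance(value, int) and lo <= value <= hi):
            errors.append(f"{key} out of range {lo}-{hi}")
    if "extd-action" in rule and rule["extd-action"] not in ACTIONS:
        errors.append("extd-action not a supported value")
    return errors

def validate_acl(extd, rules):
    errors = [] if 100 <= extd <= 199 else ["extd out of range 100-199"]
    for i, rule in enumerate(rules):
        errors += [f"rule {i}: {e}" for e in validate_rule(rule)]
    return errors

# Constructed sample rules: one valid, one violating several constraints.
GOOD = {"extd-seq-num": 10, "extd-action": "permit", "tcp": 1, "acl-log": 1,
        "src-subnet": "10.0.0.0", "src-mask": "0.0.0.255", "dst-any": 1, "dst-eq": 443}
BAD = {"extd-seq-num": 9000, "extd-action": "allow", "tcp": 1, "udp": 1,
       "src-any": 1, "src-host": "192.0.2.1", "dst-any": 1, "dst-gt": 65535}
```

Calling validate_acl(101, [GOOD, BAD]) returns an empty list only when every rule passes, so it can gate a configuration push in a change pipeline.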