To set conditions to allow a packet to pass a named IP access list, use the permit command in access list configuration mode. To remove a permit condition from an access list, use the no form of this command.

[sequence-number] permit source [source-wildcard]
[sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]
no sequence-number
no permit source [source-wildcard]
no permit protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]

Internet Control Message Protocol (ICMP)
[sequence-number] permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]

Internet Group Management Protocol (IGMP)
[sequence-number] permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]

Transmission Control Protocol (TCP)
[sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [{match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]

User Datagram Protocol (UDP)
[sequence-number] permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [ttl operator value] [time-range time-range-name] [fragments] [log [user-defined-cookie]]
Syntax Description

sequence-number | (Optional) Sequence number assigned to the permit statement. The sequence number causes the system to insert the statement in that numbered position in the access list.

source | Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
- Use a 32-bit quantity in four-part dotted-decimal format.
- Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
- Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard | (Optional) Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:
- Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.
- Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
- Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol | Name or number of an Internet protocol. The protocol argument can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword.
Note | When the icmp, igmp, tcp, and udp keywords are entered, they must be followed with the specific command syntax that is shown for the ICMP, IGMP, TCP, and UDP forms of the permit command.
Note | To configure a packet filter to allow BGP traffic, use protocol tcp and specify the port number as 179 or bgp.

destination | Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
- Use a 32-bit quantity in four-part dotted-decimal format.
- Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
- Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard | Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
- Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.
- Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
- Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
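The three address forms above (an explicit address with a wildcard, any, and host) all reduce to the same comparison: a 1 bit in the wildcard means "ignore this bit". The following Python is an added illustration of that comparison and of the abbreviations; it is not Cisco code and not part of this reference. It assumes, as IOS does, that an omitted wildcard in the standard-list form means 0.0.0.0 (a single host), and it embeds the page's Internetfilter list as constructed data to show first-match evaluation ending in the implicit deny.

```python
"""Cisco-style wildcard address matching for permit/deny entries (added illustration)."""
import ipaddress


def _to_int(dotted: str) -> int:
    """Four-part dotted-decimal string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def _is_ipv4(token: str) -> bool:
    try:
        ipaddress.IPv4Address(token)
        return True
    except ipaddress.AddressValueError:
        return False


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means "ignore this bit"; a 0 bit means the packet
    bit must equal the ACL address bit."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(packet_addr) & care) == (_to_int(acl_addr) & care)


def matched_address_count(wildcard: str) -> int:
    """Number of distinct addresses an (address, wildcard) pair can match:
    2 to the power of the number of 1 bits in the wildcard."""
    return 1 << bin(_to_int(wildcard)).count("1")


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is a run of 0s followed by a run of 1s, i.e. the
    inverse of a subnet mask. Other wildcards are accepted by the CLI but match a
    scattered set of addresses, which is easy to misread during an ACL review."""
    w = _to_int(wildcard)
    return (w + 1) & w == 0


def parse_address(tokens):
    """Consume one address specification from the front of a token list and return
    ((address, wildcard), remaining_tokens) for the three forms the command accepts:
      any               -> 0.0.0.0 255.255.255.255
      host A.B.C.D      -> A.B.C.D 0.0.0.0
      A.B.C.D [W.X.Y.Z] -> explicit address and wildcard; an omitted wildcard is
                           taken as 0.0.0.0 (single host), as IOS treats it
    """
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    if len(tokens) > 1 and _is_ipv4(tokens[1]):
        return (tokens[0], tokens[1]), tokens[2:]
    return (tokens[0], "0.0.0.0"), tokens[1:]


def standard_acl_action(entries, packet_addr: str) -> str:
    """Walk a standard access list top to bottom: the first matching entry decides,
    and a packet that matches nothing falls through to the implicit deny."""
    for action, addr, wildcard in entries:
        if wildcard_match(packet_addr, addr, wildcard):
            return action
    return "deny"


# The page's "Internetfilter" example, represented as data (constructed here).
INTERNETFILTER = [
    ("deny", "192.168.34.0", "0.0.0.255"),
    ("permit", "172.16.0.0", "0.0.255.255"),
    ("permit", "10.0.0.0", "0.255.255.255"),
]

if __name__ == "__main__":
    for addr in ("192.168.34.9", "172.16.200.1", "10.99.0.1", "203.0.113.5"):
        print(addr, "->", standard_acl_action(INTERNETFILTER, addr))
```

`is_contiguous_wildcard` is the check worth running over an exported configuration: a wildcard such as 0.255.0.255 is valid but matches every address whose first and third octets agree with the entry, which is rarely what the author of the entry intended.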
option option-name | (Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in the table in the “Usage Guidelines” section.

precedence precedence | (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by a name.

tos tos | (Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by a name as listed in the “Usage Guidelines” section of the access-list (IP extended) command.

ttl operator value | (Optional) Compares the TTL value in the packet to the TTL value specified in this permit statement.
- The operator can be lt (less than), gt (greater than), eq (equal), neq (not equal), or range (inclusive range).
- The value can range from 0 to 255.
- If the operator is range, specify two values separated by a space.
- For Release 12.0S, if the operator is eq or neq, only one TTL value can be specified.
- For all other releases, if the operator is eq or neq, as many as 10 TTL values can be specified, separated by a space.
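The ttl rules above (one value for lt and gt, exactly two for range, one to ten for eq and neq, all in 0 to 255) are easy to get wrong when generating entries programmatically. The following Python is an added illustration, not Cisco code: it parses the tokens that follow the ttl keyword, enforces those limits (with max_eq_values=1 standing in for the Release 12.0S restriction), and evaluates the clause against a packet's TTL. Token lists in the tests are constructed from the ttl clauses used in this page's canton example.

```python
"""Parsing and evaluating the ttl operator value clause of an extended entry (added illustration)."""

TTL_OPERATORS = ("lt", "gt", "eq", "neq", "range")


def parse_ttl_clause(tokens, max_eq_values: int = 10):
    """Parse the tokens that follow the ttl keyword (operator, then value(s)).
    Rules enforced: values 0-255; lt and gt take one value; range takes exactly two;
    eq and neq take one to max_eq_values values (pass 1 for Release 12.0S).
    Returns (operator, [values], remaining_tokens) or raises ValueError."""
    if not tokens or tokens[0] not in TTL_OPERATORS:
        raise ValueError("ttl must be followed by lt, gt, eq, neq or range")
    op, values, rest = tokens[0], [], tokens[1:]
    while rest and rest[0].isdigit():          # values end at the next keyword
        value = int(rest[0])
        if not 0 <= value <= 255:
            raise ValueError(f"ttl value {value} is outside 0-255")
        values.append(value)
        rest = rest[1:]
    if op in ("lt", "gt") and len(values) != 1:
        raise ValueError(f"ttl {op} takes exactly one value")
    if op == "range" and len(values) != 2:
        raise ValueError("ttl range takes exactly two values")
    if op in ("eq", "neq") and not 1 <= len(values) <= max_eq_values:
        raise ValueError(f"ttl {op} takes 1 to {max_eq_values} values")
    return op, values, rest


def ttl_clause_is_valid(tokens, max_eq_values: int = 10) -> bool:
    """Convenience wrapper: True if the clause parses under the given limits."""
    try:
        parse_ttl_clause(tokens, max_eq_values)
        return True
    except ValueError:
        return False


def ttl_matches(op: str, values, packet_ttl: int) -> bool:
    """Apply a parsed ttl clause to the TTL field of a packet."""
    if op == "lt":
        return packet_ttl < values[0]
    if op == "gt":
        return packet_ttl > values[0]
    if op == "eq":
        return packet_ttl in values
    if op == "neq":
        return packet_ttl not in values
    return min(values) <= packet_ttl <= max(values)   # range is inclusive


def ttl_clause_matches(tokens, packet_ttl: int) -> bool:
    """Parse and evaluate in one step, e.g. ttl_clause_matches(['eq', '10', '20'], 20)."""
    op, values, _ = parse_ttl_clause(tokens)
    return ttl_matches(op, values, packet_ttl)
```

Because parsing stops at the first non-numeric token, a clause such as `ttl gt 154 fragments` returns `["fragments"]` as the remainder for the caller to process.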
time-range time-range-name | (Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

fragments | (Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the “Access List Processing of Fragments” and “Fragments and Policy Routing” sections in the “Usage Guidelines” section.

log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) After you specify the log keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.

user-defined-cookie | (Optional) User-defined cookie appended to the log message. The cookie:
- Cannot be more than 64 characters.
- Cannot start with hexadecimal notation (such as 0x).
- Cannot be the same as, or a subset of, the following keywords: fragment, reflect, time-range.
- Must contain alphanumeric characters only.
The user-defined cookie is appended to the Allegro Crypto Engine (ACE) syslog entry and uniquely identifies the ACE, within the access control list, that generated the syslog entry.
icmp | Permits only ICMP packets. When you enter the icmp keyword, you must use the specific command syntax shown for the ICMP form of the permit command.

icmp-type | (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code | (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message | (Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name. The possible names are listed in the “Usage Guidelines” section of the access-list (IP extended) command.

igmp | Permits only IGMP packets. When you enter the igmp keyword, you must use the specific command syntax shown for the IGMP form of the permit command.

igmp-type | (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the “Usage Guidelines” section of the access-list (IP extended) command.

tcp | Permits only TCP packets. When you enter the tcp keyword, you must use the specific command syntax shown for the TCP form of the permit command.

operator | (Optional) Compares source or destination ports. Operators are eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port. The range operator requires two port numbers. Up to ten port numbers can be entered for the eq (equal) and neq (not equal) operators. All other operators require one port number.

port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the “Usage Guidelines” section of the access-list (IP extended) command. TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.

established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram to form a connection.

match-any, match-all | (Optional) For the TCP protocol only: A match occurs if the TCP datagram has certain TCP flags set or not set. You use the match-any keyword to allow a match to occur if any of the specified TCP flags are present, or you can use the match-all keyword to allow a match to occur only if all of the specified TCP flags are present. You must follow the match-any and match-all keywords with the + or - keyword and the flag-name argument to match on one or more TCP flags.

+ flag-name, - flag-name | (Optional) For the TCP protocol only: The + keyword matches IP packets if their TCP headers contain the TCP flags that are specified by the flag-name argument. The - keyword matches IP packets that do not contain the TCP flags specified by the flag-name argument. You must follow the + and - keywords with the flag-name argument. TCP flag names can be used only when filtering TCP. Flag names for the TCP flags are as follows: ack, fin, psh, rst, syn, and urg.

udp | Permits only UDP packets. When you enter the udp keyword, you must use the specific command syntax shown for the UDP form of the permit command.
Command Default
There are no specific conditions under which a packet passes the named access list.

Command Modes
Access list configuration (config-ext-nacl)

Command History
Release | Modification
11.2 | This command was introduced.
12.0(1)T | The time-range time-range-name keyword and argument were added.
12.0(11) | The fragments keyword was added.
12.2(13)T | The igrp keyword was removed because the IGRP protocol was no longer available in Cisco IOS software.
12.2(14)S | The sequence-number argument was added.
12.2(15)T | The sequence-number argument was added.
12.3(4)T | The option option-name keyword and argument were added. The match-any, match-all, +, and - keywords and the flag-name argument were added.
12.3(7)T | Command functionality was modified to allow up to ten port numbers to be added after the eq and neq operators so that an access list entry can be created with noncontiguous ports.
12.4 | The drip keyword was added to specify the TCP port number used for Optimized Edge Routing (OER) communication.
12.4(2)T | The ttl operator value keyword and arguments were added.
12.2(27)SBC | This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.4(22)T | The word argument was added to the log keyword.
Cisco IOS XE Release 3.2 | This command was implemented on Cisco ASR 1000 Series Aggregation Services Routers.
Usage Guidelines
Use the permit command following the ip access-list command to define the conditions under which a packet passes the named access list.
Note | In Cisco IOS XE, an inclusive port range for users to access a network cannot be matched in the extended ACL using the permit command.
The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.

log Keyword
A log message includes the access list number or access list name, and whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and port numbers, and the user-defined cookie or router-generated hash value. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from reloading because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable Cisco Express Forwarding and then create an access list that uses the log keyword, the packets that match the access list are not Cisco Express Forwarding switched. They are fast-switched. Logging disables Cisco Express Forwarding.
Access List Filtering of IP Options
Access control lists can be used to filter packets with IP Options to prevent routers from being saturated with spurious packets containing IP Options. To see a complete table of all IP Options, including ones currently not in use, refer to the latest Internet Assigned Numbers Authority (IANA) information that is available from its URL: www.iana.org.
Cisco IOS software allows you to filter packets according to whether they contain one or more of the legitimate IP Options by entering either the IP Option value or the corresponding name for the option-name argument as shown in the table below.

Table 9. IP Option Values and Names
IP Option Value or Name | Description
0 to 255 | IP Options values.
add-ext | Matches packets with Address Extension Option (147).
any-options | Matches packets with any IP Option.
com-security | Matches packets with Commercial Security Option (134).
dps | Matches packets with Dynamic Packet State Option (151).
encode | Matches packets with Encode Option (15).
eool | Matches packets with End of Options (0).
ext-ip | Matches packets with Extended IP Options (145).
ext-security | Matches packets with Extended Security Option (133).
finn | Matches packets with Experimental Flow Control Option (205).
imitd | Matches packets with IMI Traffic Descriptor Option (144).
lsr | Matches packets with Loose Source Route Option (131).
mtup | Matches packets with MTU Probe Option (11).
mtur | Matches packets with MTU Reply Option (12).
no-op | Matches packets with No Operation Option (1).
nsapa | Matches packets with NSAP Addresses Option (150).
psh | Matches the packets on the PSH bit.
record-route | Matches packets with Router Record Route Option (7).
reflect | Creates reflexive access list entry.
router-alert | Matches packets with Router Alert Option (148).
rst | Matches the packets on the RST bit.
sdb | Matches packets with Selective Directed Broadcast Option (149).
security | Matches packets with Base Security Option (130).
ssr | Matches packets with Strict Source Routing Option (137).
stream-id | Matches packets with Stream ID Option (136).
syn | Matches the packets on the SYN bit.
timestamp | Matches packets with Time Stamp Option (68).
traceroute | Matches packets with Trace Route Option (82).
ump | Matches packets with Upstream Multicast Packet Option (152).
visa | Matches packets with Experimental Access Control Option (142).
zsu | Matches packets with Experimental Measurement Option (10).
Filtering IP Packets Based on TCP Flags
The access list entries that make up an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have very specific groups of TCP flags set or not set. Users can select any desired combination of TCP flags with which to filter TCP packets. Users can configure access list entries in order to allow matching on a flag that is set and on a flag that is not set. Use the + and - keywords with a flag name to specify that a match is made based on whether a TCP header flag has been set. Use the match-any and match-all keywords to allow the packet if any or all, respectively, of the flags specified by the + or - keyword and flag-name argument have been set or not set.
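The following Python is an added illustration of the flag semantics described here and in the established, match-any, match-all and +/- flag-name entries of the Syntax Description; it is not Cisco code. It parses a clause such as the page's `match-any +rst +fin`, evaluates it against a TCP flags byte, and models `established` as "ACK or RST set" exactly as the reference states. The flag bit values and the sample segments are constructed for the example.

```python
"""TCP flag matching for the established, match-any and match-all forms of permit tcp (added illustration)."""

# Bit positions of the six flag names the command accepts, in the TCP flags byte.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def parse_flag_clause(tokens):
    """Parse 'match-any' or 'match-all' followed by one or more +flag / -flag tokens.
    Returns (mode, [(must_be_set, flag_name), ...], remaining_tokens)."""
    if not tokens or tokens[0] not in ("match-any", "match-all"):
        raise ValueError("expected match-any or match-all")
    mode, conditions, rest = tokens[0], [], tokens[1:]
    while rest and rest[0][:1] in ("+", "-") and rest[0][1:] in TCP_FLAG_BITS:
        conditions.append((rest[0][0] == "+", rest[0][1:]))
        rest = rest[1:]
    if not conditions:
        raise ValueError(f"{mode} must be followed by at least one +flag-name or -flag-name")
    return mode, conditions, rest


def flags_match(mode, conditions, packet_flags: int) -> bool:
    """match-any: at least one condition holds; match-all: every condition holds.
    A +flag condition holds when the bit is set, a -flag condition when it is clear."""
    results = [bool(packet_flags & TCP_FLAG_BITS[name]) == must_be_set
               for must_be_set, name in conditions]
    return any(results) if mode == "match-any" else all(results)


def established_match(packet_flags: int) -> bool:
    """The established keyword: match when the ACK or RST bit is set, which excludes
    the initial segment of a connection (SYN alone)."""
    return bool(packet_flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))


def classify(tokens, packet_flags: int) -> bool:
    """Parse a flag clause given as tokens and evaluate it against a flags byte."""
    mode, conditions, _ = parse_flag_clause(tokens)
    return flags_match(mode, conditions, packet_flags)


# Constructed sample segments: flag bytes as they would appear in a TCP header.
SYN_ONLY = TCP_FLAG_BITS["syn"]                          # connection request
SYN_ACK = TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["ack"]    # reply to a request
FIN_ACK = TCP_FLAG_BITS["fin"] | TCP_FLAG_BITS["ack"]    # orderly close

if __name__ == "__main__":
    for name, flags in (("SYN", SYN_ONLY), ("SYN-ACK", SYN_ACK), ("FIN-ACK", FIN_ACK)):
        print(name, "established:", established_match(flags),
              "match-all +syn -ack:", classify(["match-all", "+syn", "-ack"], flags))
```

Note the difference between the two modes on a SYN-ACK segment: `match-all +syn -ack` rejects it because the -ack condition fails, while `match-any +syn -ack` accepts it because +syn alone is enough.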
Permitting Optimized Edge Routing (OER) Communication
The drip keyword was introduced under the tcp keyword to support packet filtering in a network where OER is configured. The drip keyword specifies port 3949 that OER uses for internal communication. This option allows you to build a packet filter that permits communication between an OER primary controller and border routers. The drip keyword is entered following the TCP source, destination addresses, and the eq operator. See the example in the “Examples” section.
Access List Processing of Fragments
The behavior of access list entries regarding the use or lack of use of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword (the default behavior), and assuming all of the access list entry information matches, then:
- For an access list entry that contains only Layer 3 information, the entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.
- For an access list entry that contains Layer 3 and Layer 4 information:
  - The entry is applied to nonfragmented packets and initial fragments. If the entry is a permit statement, then the packet or fragment is permitted. If the entry is a deny statement, then the packet or fragment is denied.
  - The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access list entry can be applied. If the Layer 3 portion of the access list entry matches and the entry is a permit statement, then the noninitial fragment is permitted. If the Layer 3 portion matches and the entry is a deny statement, then the next access list entry is processed.
Note | The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

If the access-list entry has the fragments keyword, and assuming all of the access list entry information matches, then the access list entry is applied only to noninitial fragments. The fragments keyword cannot be configured for an access list entry that contains any Layer 4 information.

Be aware that you should not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword. The packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases in which there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets, and each counts individually as a packet in access list accounting and access list violation counts.
Note | The fragments keyword cannot solve all cases that involve access lists and IP fragments.
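The decision rules above are the part of this command that most often surprises reviewers: a deny entry carrying Layer 4 information does not deny noninitial fragments, it merely falls through to the next entry. The following Python is an added illustration of those rules, not Cisco code. It models entries with a literal destination (no wildcard matching, to keep the block short), a single eq destination port as the only Layer 4 information, and the three packet kinds the reference distinguishes; the two sample lists are constructed to show the difference between a lone deny and the deny/deny-fragments pair the text recommends.

```python
"""How an access list treats nonfragmented packets, initial fragments and noninitial
fragments, following the decision rules for the fragments keyword (added illustration)."""


def make_entry(action, proto, dst, dport=None, fragments=False):
    """Build an entry. dst is 'any' or a host address compared literally; dport is the
    Layer 4 port matched with eq, or None for a Layer 3-only entry. The CLI rejects
    fragments together with Layer 4 information, so this does too."""
    if fragments and dport is not None:
        raise ValueError("fragments cannot be combined with Layer 4 information")
    return {"action": action, "proto": proto, "dst": dst, "dport": dport, "fragments": fragments}


def entry_decides(entry, pkt):
    """Return 'permit' or 'deny' if this entry decides the packet, or None to fall
    through to the next entry. pkt carries proto, dst, dport (None for noninitial
    fragments, which have no Layer 4 header) and kind: 'nonfragment', 'initial'
    or 'noninitial'."""
    l3_match = entry["proto"] in ("ip", pkt["proto"]) and entry["dst"] in ("any", pkt["dst"])
    if not l3_match:
        return None
    if entry["fragments"]:
        # Entry with the fragments keyword: applies only to noninitial fragments.
        return entry["action"] if pkt["kind"] == "noninitial" else None
    if entry["dport"] is None:
        # Layer 3-only entry: applies to all three kinds of packet.
        return entry["action"]
    if pkt["kind"] == "noninitial":
        # Only the Layer 3 portion can be applied: a permit permits the fragment,
        # but a deny does not deny it; processing moves to the next entry.
        return "permit" if entry["action"] == "permit" else None
    # Nonfragmented packet or initial fragment: Layer 4 information must match too.
    return entry["action"] if entry["dport"] == pkt["dport"] else None


def evaluate(acl, pkt) -> str:
    """First entry that decides wins; an access list ends in an implicit deny."""
    for entry in acl:
        decision = entry_decides(entry, pkt)
        if decision is not None:
            return decision
    return "deny"


def packet(kind, dst="10.1.1.1", proto="tcp", dport=23):
    """Constructed packet; noninitial fragments carry no port."""
    return {"kind": kind, "dst": dst, "proto": proto,
            "dport": None if kind == "noninitial" else dport}


# Constructed sample: block Telnet to one host, allow everything else.
NAIVE = [
    make_entry("deny", "tcp", "10.1.1.1", dport=23),
    make_entry("permit", "ip", "any"),
]
# Same intent with the deny / deny-fragments pair the reference recommends.
PAIRED = [
    make_entry("deny", "tcp", "10.1.1.1", dport=23),
    make_entry("deny", "ip", "10.1.1.1", fragments=True),
    make_entry("permit", "ip", "any"),
]

if __name__ == "__main__":
    for kind in ("nonfragment", "initial", "noninitial"):
        print(kind, "naive:", evaluate(NAIVE, packet(kind)), "paired:", evaluate(PAIRED, packet(kind)))
```

Running it shows the trade-off the text describes: the naive list lets noninitial fragments addressed to port 23 through, while the paired list drops them, at the price of also dropping noninitial fragments of otherwise permitted flows to that host (port 80 in the last assertion), since a fragments entry has no port to match on.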
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy-routed, even if the first fragment is not policy-routed.
If you specify the fragments keyword in access list entries, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.

Creating an Access List Entry with Noncontiguous Ports
For Cisco IOS Release 12.3(7)T and later releases, you can specify noncontiguous ports on the same access control entry, which greatly reduces the number of access list entries required for the same source address, destination address, and protocol. If you maintain large numbers of access list entries, we recommend that you consolidate them when possible by using noncontiguous ports. You can specify up to ten port numbers following the eq and neq operators.
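Consolidation is safe only when the merged entry matches exactly the packets the original entries matched. The following Python is an added illustration, not Cisco code: it groups permit entries that share protocol, source and destination and differ only in their eq ports, collapses a group into one entry only when its source/destination port pairs form a full cross product, enforces the ten-port limit, and otherwise keeps one entry per source port. The aaa entries from this page's example are embedded as constructed data.

```python
"""Consolidating permit entries that differ only in eq ports into entries with
noncontiguous port lists (added illustration of the 12.3(7)T capability)."""
from itertools import product

MAX_EQ_PORTS = 10   # up to ten port numbers may follow eq or neq


def consolidate(entries):
    """entries: (proto, src, sport, dst, dport) tuples for permit statements whose port
    operator on each side is eq; sport/dport are port numbers or names as strings, or
    None when that side has no operator. Returns (proto, src, sports, dst, dports)
    tuples with sports/dports as sorted tuples.

    A group collapses into one entry only when its (sport, dport) pairs are the full
    cross product of its source and destination ports; otherwise a single entry would
    admit combinations none of the originals permitted, so the fallback emits one
    entry per source port (split into chunks of MAX_EQ_PORTS destination ports)."""
    groups = {}
    for proto, src, sport, dst, dport in entries:
        groups.setdefault((proto, src, dst), set()).add((sport, dport))
    consolidated = []
    for (proto, src, dst), pairs in groups.items():
        sports = sorted({s for s, _ in pairs}, key=str)
        dports = sorted({d for _, d in pairs}, key=str)
        full_product = pairs == set(product(sports, dports))
        if full_product and len(sports) <= MAX_EQ_PORTS and len(dports) <= MAX_EQ_PORTS:
            consolidated.append((proto, src, tuple(sports), dst, tuple(dports)))
            continue
        for s in sports:
            ds = sorted({d for ss, d in pairs if ss == s}, key=str)
            for i in range(0, len(ds), MAX_EQ_PORTS):
                consolidated.append((proto, src, (s,), dst, tuple(ds[i:i + MAX_EQ_PORTS])))
    return consolidated


def render(entry) -> str:
    """Render a consolidated entry as a permit statement."""
    proto, src, sports, dst, dports = entry

    def side(addr, ports):
        return addr if ports == (None,) else f"{addr} eq {' '.join(ports)}"

    return f"permit {proto} {side(src, sports)} {side(dst, dports)}"


# The four entries shown for access list aaa on this page, as data (constructed).
AAA = [
    ("tcp", "any", "telnet", "any", "450"),
    ("tcp", "any", "telnet", "any", "679"),
    ("tcp", "any", "ftp", "any", "450"),
    ("tcp", "any", "ftp", "any", "679"),
]

if __name__ == "__main__":
    for entry in consolidate(AAA):
        print(render(entry))
```

Dropping one of the four aaa entries (say ftp/679) makes the group an incomplete product, and the function then emits two entries instead of silently widening the policy.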
Examples
The following example shows how to set conditions for a standard access list named Internetfilter:
ip access-list standard Internetfilter
deny 192.168.34.0 0.0.0.255
permit 172.16.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
! (Note: all other access implicitly denied).

The following example shows how to permit Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to 5:00 p.m.:
time-range testing
periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended legal
permit tcp any any eq telnet time-range testing
!
interface ethernet0
ip access-group legal in

The following example shows how to set a permit condition for an extended access list named filter2. The access list entry specifies that a packet may pass the named access list only if it contains the NSAP Addresses IP Option, which is represented by the IP Option value nsapa.
ip access-list extended filter2
permit ip any any option nsapa

The following example shows how to set a permit condition for an extended access list named kmdfilter1. The access list entry specifies that a packet can pass the named access list only if the RST TCP flag has been set for that packet:
ip access-list extended kmdfilter1
permit tcp any any match-any +rst

The following example shows how to set a permit condition for an extended access list named kmdfilter1. The access list entry specifies that a packet can pass the named access list if the RST TCP flag or the FIN TCP flag has been set for that packet:
ip access-list extended kmdfilter1
permit tcp any any match-any +rst +fin

The following example shows how to verify the access list by using the show access-lists command and then to add an entry to an existing access list:
Router# show access-lists
Standard IP access list 1
2 permit 10.0.0.0, wildcard bits 0.0.255.255
5 permit 10.0.0.0, wildcard bits 0.0.255.255
10 permit 10.0.0.0, wildcard bits 0.0.255.255
20 permit 10.0.0.0, wildcard bits 0.0.255.255
ip access-list standard 1
15 permit 10.0.0.0 0.0.255.255

The following example shows how to remove the entry with the sequence number of 20 from the access list:
ip access-list standard 1
no 20
!Verify that the entry has been removed.
Router# show access-lists
Standard IP access list 1
10 permit 0.0.0.0, wildcard bits 0.0.0.255
30 permit 0.0.0.0, wildcard bits 0.0.0.255
40 permit 0.4.0.0, wildcard bits 0.0.0.255

The following example shows how, if a user tries to enter an entry that is a duplicate of an entry already on the list, no changes occur. The entry that the user is trying to add is a duplicate of the entry already in the access list with a sequence number of 20.
Router# show access-lists 101
Extended IP access list 101
10 permit ip host 10.0.0.0 host 10.5.5.34
20 permit icmp any any
30 permit ip host 10.0.0.0 host 10.2.54.2
40 permit ip host 10.0.0.0 host 10.3.32.3 log
ip access-list extended 101
100 permit icmp any any
Router# show access-lists 101
Extended IP access list 101
10 permit ip host 10.3.3.3 host 10.5.5.34
20 permit icmp any any
30 permit ip host 10.34.2.2 host 10.2.54.2
40 permit ip host 10.3.4.31 host 10.3.32.3 log

The following example shows what occurs if a user tries to enter a new entry with a sequence number of 20 when an entry with a sequence number of 20 is already in the list. An error message appears, and no change is made to the access list.
Router# show access-lists 101
Extended IP access lists 101
10 permit ip host 10.3.3.3 host 10.5.5.34
20 permit icmp any any
30 permit ip host 10.34.2.2 host 10.2.54.2
40 permit ip host 10.3.4.31 host 10.3.32.3 log
ip access-list extended 101
20 permit udp host 10.1.1.1 host 10.2.2.2
%Duplicate sequence number.
Router# show access-lists 101
Extended IP access lists 101
10 permit ip host 10.3.3.3 host 10.5.5.34
20 permit icmp any any
30 permit ip host 10.34.2.2 host 10.2.54.2
40 permit ip host 10.3.4.31 host 10.3.32.3 log

The following example shows several permit statements that can be consolidated into one access list entry with noncontiguous ports. The show access-lists command is entered to display a group of access list entries for the access list named aaa.
Router# show access-lists aaa
Extended IP access lists aaa
10 permit tcp any eq telnet any eq 450
20 permit tcp any eq telnet any eq 679
30 permit tcp any eq ftp any eq 450
40 permit tcp any eq ftp any eq 679

Because the entries are all for the same permit statement and simply show different ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:
ip access-list extended aaa
no 10
no 20
no 30
no 40
permit tcp any eq telnet ftp any eq 450 679

The following example shows the creation of the consolidated access list entry:
Router# show access-lists aaa
Extended IP access list aaa
10 permit tcp any eq telnet ftp any eq 450 679

The following access list filters IP packets containing Type of Service (ToS) level 3 with TTL values 10 and 20. It also filters IP packets with a TTL greater than 154 and applies that rule to noninitial fragments. It permits IP packets with a precedence level of flash and a TTL not equal to 1, and sends log messages about such packets to the console. All other packets are denied.
ip access-list extended canton
deny ip any any tos 3 ttl eq 10 20
deny ip any any ttl gt 154 fragments
permit ip any any precedence flash ttl neq 1 log

The following example shows how to configure a packet filter, for any TCP source and destination, that permits communication between a primary OER controller and the border router (the drip keyword follows the eq operator, as described in the “Usage Guidelines” section):
ip access-list extended 100
permit tcp any any eq drip
exit

The following example shows how to set a permit condition for an extended access list named filter_logging. The access list entry specifies that a packet may pass the named access list only if it is of TCP protocol type and destined to host 10.5.5.5; all other packets are denied. In addition, the logging mechanism is enabled and one of the user-defined cookies (Permit_tcp_to_10.5.5.5 or Deny_all) is appended to the appropriate syslog entry.
ip access-list extended filter_logging
permit tcp any host 10.5.5.5 log Permit_tcp_to_10.5.5.5
deny ip any any log Deny_all

The following example shows how to configure a packet filter for any TCP source and destination that permits inbound and outbound BGP traffic:
ip access-list extended 100
permit tcp any eq bgp any eq bgp