| Keyword or argument | Description |
| --- | --- |
| sequence-number | (Optional) Number of the permit statement in the access list. This number determines the order of the statements in the access list. Range is from 1 to 2147483644. (By default, the first statement is number 10, and subsequent statements are incremented by 10.) |
| protocol | Name or number of an Internet protocol. It can be one of the keywords ahp, esp, icmp, igmp, igrp, isinip, ipv6, nos, ospf, pcp, sctp, tcp, or udp, or an integer from 0 to 255 representing an IPv6 protocol number. |
| source-ipv6-prefix/prefix-length | Source IPv6 network or class of networks about which permit conditions are to be set. This argument must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons. |
| any | An abbreviation for the IPv6 prefix ::/0. |
| capture | Captures matching traffic. When the acl command is configured on the source mirroring port but the ACL configuration command does not use the capture keyword, no traffic is mirrored. If the ACL configuration uses the capture keyword but the acl command is not configured on the source port, the whole port traffic is mirrored and the capture action has no effect. |
| host source-ipv6-address | Source IPv6 host address about which to set permit conditions. This source-ipv6-address argument must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons. |
| ipv6-wildcard-mask | IPv6 wildcard mask. The IPv6 wildcard mask can take any IPv6 address value and is used instead of a prefix length. |
| vrf vrf-name | Specifies a VPN routing and forwarding (VRF) instance. |
| operator {port \| protocol-port} | (Optional) Operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source-ipv6-prefix/prefix-length argument, it must match the source port. If the operator is positioned after the destination-ipv6-prefix/prefix-length argument, it must match the destination port. The range operator requires two port numbers; all other operators require one port number. The port argument is the decimal number of a TCP or UDP port, from 0 to 65535. The protocol-port argument is the name of a TCP or UDP port. TCP port names can be used only when filtering TCP; UDP port names can be used only when filtering UDP. |
| destination-ipv6-prefix/prefix-length | Destination IPv6 network or class of networks about which permit conditions are to be set. This argument must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons. |
| host destination-ipv6-address | Specifies the destination IPv6 host address about which permit conditions are to be set. This destination-ipv6-address argument must be in the form documented in RFC 2373, where the address is specified in hexadecimal using 16-bit values between colons. |
| dscp value | (Optional) Matches a differentiated services code point (DSCP) value against the traffic class value in the Traffic Class field of each IPv6 packet header. Range is from 0 to 63. |
| routing | (Optional) Matches source-routed packets against the routing extension header within each IPv6 packet header. |
| hop-by-hop | (Optional) Supports jumbograms. With the Router Alert option, it is an integral part of the operation of Multicast Listener Discovery (MLD). Router Alert [3] is an integral part of the operation of IPv6 multicast through MLD and of RSVP for IPv6. |
| authen | (Optional) Matches if the IPv6 authentication header is present. |
| destopts | (Optional) Matches if the IPv6 destination options header is present. |
| fragments | (Optional) Matches noninitial fragmented packets, where the fragment extension header contains a nonzero fragment offset. The fragments keyword is available only if the operator [port-number] arguments are not specified. |
| log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list name and sequence number; whether the packet was permitted; the protocol, and whether it is TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first matching packet and then at 5-minute intervals, including the number of packets permitted in the prior 5-minute interval. |
| log-input | (Optional) Provides the same function as the log keyword, except that the log message also includes the input interface. |
| ttl | (Optional) Turns on matching against the time-to-live (TTL) value. |
| operator | (Optional) Operand that compares the source or destination ports of the specified protocol. Operands are lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). |
| ttl value [value1 value2] | (Optional) TTL value used for filtering. Range is from 1 to 255. If only value is specified, the match is against this value. If both value1 and value2 are specified, the packet TTL is matched against the range of TTLs between value1 and value2. |
| icmp-type | (Optional) ICMP message type for filtering ICMP packets. Range is from 0 to 255. |
| icmp-code | (Optional) ICMP message code for filtering ICMP packets. Range is from 0 to 255. |
| established | (Optional) For the TCP protocol only: indicates an established connection. |
| match-any | (Optional) For the TCP protocol only: filters on any combination of TCP flags. |
| match-all | (Optional) For the TCP protocol only: filters on all TCP flags. |
| + / - | (Required) For the TCP protocol with match-any or match-all: prefix flag-name with + or -. Use the +flag-name argument to match packets with the TCP flag set. Use the -flag-name argument to match packets when the TCP flag is not set. |
| flag-name | (Required) For the TCP protocol with match-any or match-all. Flag names are ack, fin, psh, rst, syn, and urg. |
| counter | (Optional) Enables access to ACL counters through SNMP query. |
| counter-name | Defines an ACL counter name. |
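The table describes the permit statement's grammar in prose; the positional rule for the port operator (after the source prefix it matches the source port, after the destination prefix the destination port), the inclusive range operator, the restriction that fragments cannot be combined with a port operator, and the +/- flag syntax for match-any and match-all are the parts people most often get wrong when reviewing ACLs. The following Python is an added example written for this page, not Cisco code and not part of the original reference. It parses a subset of the statement into match conditions, validates the numeric ranges the table gives, and evaluates constructed packets (plain dicts) against the result. Assumptions not stated by the table: the token order is source, optional operator, destination, optional operator, then trailing options; the TTL clause takes the form ttl operator value [value2]; established means the ACK or RST flag is set (the classic IOS meaning); only the tcp, udp and icmp names are resolved to protocol numbers; and the vrf, wildcard-mask, dscp, icmp-type/code and extension-header keywords are not handled.

```python
import ipaddress

# Port and TTL operators from the table; range is inclusive on both ends.
COMPARE = {
    "lt": lambda v, a: v < a[0], "gt": lambda v, a: v > a[0],
    "eq": lambda v, a: v == a[0], "neq": lambda v, a: v != a[0],
    "range": lambda v, a: a[0] <= v <= a[1],
}
TCP_FLAGS = ("ack", "fin", "psh", "rst", "syn", "urg")
# IPv6 next-header numbers for the protocol names this example resolves.
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 58}


def _take_address(tokens, i):
    """Read 'any', 'host ADDR' or 'PREFIX/LEN' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv6Network("::/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i], strict=False), i + 1


def _take_operator(tokens, i, low, high):
    """Read an optional 'operator value [value]' clause; operands must lie in [low, high]."""
    if i >= len(tokens) or tokens[i] not in COMPARE:
        return None, i
    count = 2 if tokens[i] == "range" else 1
    operands = [int(v) for v in tokens[i + 1:i + 1 + count]]
    if len(operands) != count or not all(low <= v <= high for v in operands):
        raise ValueError(f"bad operands for {tokens[i]}: {operands}")
    return (tokens[i], operands), i + 1 + count


def parse_ace(line):
    """Turn one permit statement into a dict of match conditions, validating the table's ranges."""
    tokens = line.split()
    if tokens[0] != "permit":
        raise ValueError("not a permit statement")
    ace = {"sequence": None, "ttl": None, "fragments": False,
           "flags_mode": None, "flags": [], "established": False}
    i = 1
    if tokens[i].isdigit():  # a leading number is the sequence-number (1 to 2147483644)
        ace["sequence"], i = int(tokens[i]), i + 1
        if not 1 <= ace["sequence"] <= 2147483644:
            raise ValueError("sequence-number out of range")
    proto = tokens[i]
    ace["protocol"] = int(proto) if proto.isdigit() else PROTOCOL_NUMBERS.get(proto)
    if ace["protocol"] is None or not 0 <= ace["protocol"] <= 255:
        raise ValueError(f"unsupported protocol {proto!r}")
    # Positional rule: an operator after the source prefix matches the source port,
    # an operator after the destination prefix matches the destination port.
    ace["source"], i = _take_address(tokens, i + 1)
    ace["source_port"], i = _take_operator(tokens, i, 0, 65535)
    ace["destination"], i = _take_address(tokens, i)
    ace["destination_port"], i = _take_operator(tokens, i, 0, 65535)
    while i < len(tokens):
        tok = tokens[i]
        if tok == "ttl":  # assumed form: ttl operator value [value2], TTL 1 to 255
            ace["ttl"], i = _take_operator(tokens, i + 1, 1, 255)
            if ace["ttl"] is None:
                raise ValueError("ttl requires an operator and value")
        elif tok in ("fragments", "established"):
            ace[tok], i = True, i + 1
        elif tok in ("match-any", "match-all"):
            ace["flags_mode"], i = tok, i + 1
            while i < len(tokens) and tokens[i][0] in "+-" and tokens[i][1:] in TCP_FLAGS:
                ace["flags"].append((tokens[i][0] == "+", tokens[i][1:]))  # (+ means set)
                i += 1
        elif tok in ("log", "log-input", "capture"):  # do not affect matching here
            i += 1
        else:
            raise ValueError(f"unsupported token {tok!r}")
    # Table rule: fragments is available only when no port operator is specified.
    if ace["fragments"] and (ace["source_port"] or ace["destination_port"]):
        raise ValueError("fragments cannot be combined with a port operator")
    return ace


def packet_matches(ace, pkt):
    """Decide whether a packet (a plain dict constructed for this example) matches the ACE."""
    if pkt["protocol"] != ace["protocol"]:
        return False
    for net, key in ((ace["source"], "src"), (ace["destination"], "dst")):
        if ipaddress.IPv6Address(pkt[key]) not in net:
            return False
    for clause, key in ((ace["source_port"], "sport"), (ace["destination_port"], "dport"),
                        (ace["ttl"], "ttl")):
        if clause and not COMPARE[clause[0]](pkt[key], clause[1]):
            return False
    if ace["fragments"] and pkt.get("fragment_offset", 0) == 0:
        return False  # only noninitial fragments (nonzero offset) match
    flags = pkt.get("flags", set())
    if ace["established"] and not ({"ack", "rst"} & flags):
        return False  # assumed classic IOS meaning of established: ACK or RST set
    if ace["flags_mode"]:
        checks = [(name in flags) == wanted for wanted, name in ace["flags"]]
        if not (all(checks) if ace["flags_mode"] == "match-all" else any(checks)):
            return False
    return True
```

Typical use is `ace = parse_ace("permit 20 tcp 2001:db8:1::/64 gt 1023 host 2001:db8:2::10 eq 443 match-all +syn -ack")` followed by `packet_matches(ace, pkt)` for a packet dict with protocol, src, dst, sport, dport, ttl and flags keys. Because parse_ace rejects out-of-range ports and TTLs and the fragments-with-operator combination up front, it doubles as a small linter for the statements before they reach a device; the matcher then makes the difference between match-any and match-all, and between a port operator bound to the source and one bound to the destination, visible on concrete packets.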