NOTE:
Using "any" specifies that all IP protocols are permitted. The permit "any" does not imply that
other protocols running over IP (e.g., TCP, UDP, etc.) are "permitted" .
Example
The following example configures an ACE called "Dell" to allow RSVP protocol traffic from IP
address 12.1.1.1, mask 0.0.0.0 and DSCP 56.
Console (config)# ip access-list Dell
Console (config-ip-al)# permit rsvp 12.1.1.1 0.0.0.0 any dscp 56
deny (IP)
The deny IP access-list configuration command denies traffic if the conditions defined in the deny
statement are matched.
Syntax
deny [disable-port] {any| protocol} {any | {source source-wildcard}} {any | {destination
destination-wildcard}} [dscp dscp number | ip-precedence ip-precedence]
deny-tcp [disable-port] {any | {source source-wildcard}} {any |source-port} {any |
{destination destination-wildcard}} {any |destination-port} [dscp dscp number | ip-
precedence ip-precedence]
deny-udp [disable-port] {any | {source source-mask}} {any | source-port} {any |
{destination destination-mask}} {any | destination-port} [dscp dscp number | ip-precedence
ip-precedence]
•
disable-port—If the statement is deny, then the port is disabled.
•
Source IP address can be one of the following:
–
any—Packets received from any IP address.
–
source source-wildcard—IP address and wildcard for host from which the packet is
sent. Specify the IP address as 0.0.0.0 and mask as 255.255.255.255.
•
Destination IP address can be one of the following:
–
any—Packets sent to any IP address.
–
destination destination-wildcard—IP address and wildcard for host to which the
packet is sent. Specify the IP address as 0.0.0.0 and mask as 255.255.255.255.
•
protocol—The name or the number of an IP protocol. Use "?" to see list of available
protocols (icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6-route, ipv6-frag,
idrp, rsvp, gre, esp, ah, ipv6-icmp, eigrp, ospf, ipip, pim, l2tp, isis) use any for all
protocols
•
destination-port—Specifies the UDP/TCP destination port. Use any for all ports.
79
ACL Commands