Cisco AP775A - Nexus Converged Network Switch 5010 Command Reference Manual page 376

deny (IPv6)
S e n d c o m m e n t s t o n x 5 0 0 0 - d o c f e e d b a c k @ c i s c o . c o m
log
time-range
time-range-name
icmp-message
operator port [port]
portgroup portgroup
Cisco Nexus 5000 Series Command Reference
6-28
(Optional) Specifies that the device generates an informational logging
message about each packet that matches the rule. The message includes the
following information:
ACL name
•
Whether the packet was permitted or denied
•
Whether the protocol was TCP, UDP, ICMP or a number
•
Source and destination addresses and, if applicable, source and
•
destination port numbers
(Optional) Specifies the time range that applies to this rule. You can
configure a time range by using the time-range command.
(ICMP only: Optional) ICMPv6 message type that the rule matches. This
argument can be an integer from 0 to 255 or one of the keywords listed under
"ICMPv6 Message Types" in the "Usage Guidelines" section.
(Optional; TCP, UDP, and SCTP only) Rule matches only packets that are
from a source port or sent to a destination port that satisfies the conditions
of the operator and port arguments. Whether these arguments apply to a
source port or a destination port depends upon whether you specify them
after the source argument or after the destination argument.
The port argument can be the name or the number of a TCP or UDP port.
Valid numbers are integers from 0 to 65535. For listings of valid port names,
see "TCP Port Names" and "UDP Port Names" in the "Usage Guidelines"
section.
A second port argument is required only when the operator argument is a
range.
The operator argument must be one of the following keywords:
eq—Matches only if the port in the packet is equal to the port argument.
•
gt—Matches only if the port in the packet is greater than the port
•
argument.
lt—Matches only if the port in the packet is less than the port argument.
•
neq—Matches only if the port in the packet is not equal to the port
•
argument.
range—Requires two port arguments and matches only if the port in the
•
packet is equal to or greater than the first port argument and equal to or
less than the second port argument.
(Optional; TCP, UDP, and SCTP only) Specifies that the rule matches only
packets that are from a source port or to a destination port that is a member
of the IP port-group object specified by the portgroup argument. Whether the
port-group object applies to a source port or a destination port depends upon
whether you specify it after the source argument or after the destination
argument.
Use the object-group ip port command to create and change IP port-group
objects.
Chapter 6 Security Commands
OL-16599-01