IP Access Control List Commands; access-list - Ubiquiti EdgeSwitch ES-24-250W Command Reference Manual


EdgeSwitch CLI Command Reference

IP Access Control List Commands

This section describes the commands you use to configure IP Access Control List (ACL) settings. IP ACLs ensure
that only authorized users have access to specific resources and block any unwarranted attempts to reach
network resources.
The following rules apply to IP ACLs:
• EdgeSwitch software does not support IP ACL configuration for IP packet fragments.
• The maximum number of ACLs you can create is hardware dependent. The limit applies to all ACLs, regardless of type.
• The maximum number of rules per IP ACL is hardware dependent.
• Wildcard masking for ACLs operates differently from a subnet mask. A wildcard mask is in essence the inverse of a subnet mask. With a subnet mask, the mask has ones (1's) in the bit positions that are used for the network address, and has zeros (0's) for the bit positions that are not used. In contrast, a wildcard mask has zeros (0's) in a bit position that must be checked. A 1 in a bit position of the ACL mask indicates the corresponding bit can be ignored.

access-list

This command creates an IP Access Control List (ACL) that is identified by the access list number, which is 1-99 for
standard ACLs or 100-199 for extended ACLs. Table 14 describes the parameters for the access-list command.

IP Standard ACL:
Format    access-list 1-99 {deny | permit} {every | srcip srcmask} [log] [time-range time-range-name]
          [assign-queue queue-id] [{mirror | redirect} slot/port]
Mode      Global Config

IP Extended ACL:
Format    access-list 100-199 {deny | permit} {every | {{eigrp | gre | icmp | igmp | ip | ipinip | ospf | pim |
          tcp | udp | 0-255} {srcip srcmask|any|host srcip} [range {portkey|startport} {portkey|endport}
          {eq|neq|lt|gt} {portkey|0-65535}] {dstip dstmask|any|host dstip} [range {portkey|startport}
          {portkey|endport} {eq|neq|lt|gt} {portkey|0-65535}] [flag [+fin|-fin] [+syn|-syn] [+rst|-rst]
          [+psh|-psh] [+ack|-ack] [+urg|-urg] [established]] [icmp-type icmp-type [icmp-code icmp-code] |
          icmp-message icmp-message] [igmp-type igmp-type] [fragments] [precedence precedence | tos tos
          [tosmask] | dscp dscp]}} [time-range time-range-name] [log] [assign-queue queue-id]
          [{mirror | redirect} slot/port] [rate-limit rate burst-size]
Mode      Global Config

Note: IPv4 extended ACLs have the following limitations for egress ACLs:
• Match on port ranges is not supported.
• The rate-limit command is not supported.

Table 14. ACL Command Parameters

Parameter                          Description
1-99 or 100-199                    Range 1 to 99 is the access list number for an IP standard ACL. Range 100 to 199
                                   is the access list number for an IP extended ACL.
{deny | permit}                    Specifies whether the IP ACL rule permits or denies an action.
every                              Match every packet.
{eigrp | gre | icmp | igmp | ip |  Specifies the protocol to filter for an extended IP ACL rule.
 ipinip | ospf | pim | tcp | udp |
 0-255}
srcip srcmask | any | host srcip   Specifies a source IP address and source netmask for match condition of the IP ACL
                                   rule. Specifying any specifies the source IP as 0.0.0.0 and the source IP mask as
                                   255.255.255.255. Specifying host A.B.C.D specifies the source IP as A.B.C.D and
                                   source IP mask as 0.0.0.0.
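As an added illustration of the wildcard-mask rule and the standard access-list syntax described above (this is example code, not part of the EdgeSwitch manual or firmware), the Python script below converts subnet masks to wildcard masks, parses constructed standard ACL lines and evaluates a source address against them in order. It assumes the any/host mapping from Table 14 also applies to standard rules and that an ACL ends with an implicit deny-all, which this page does not state.

```python
import ipaddress

def ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))   # raises ValueError on a bad dotted quad

def wildcard_from_subnet_mask(subnet_mask: str) -> str:
    """Invert a subnet mask into ACL wildcard form (255.255.255.0 -> 0.0.0.255)."""
    return str(ipaddress.IPv4Address(~ip_int(subnet_mask) & 0xFFFFFFFF))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 0 bit in the wildcard mask must match; a 1 bit is ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)

def parse_standard_rule(line: str) -> tuple:
    """Parse 'access-list 1-99 {deny | permit} {every | srcip srcmask | any | host A.B.C.D}'.
    Returns (acl_number, action, srcip, srcmask); trailing options such as [log]
    are ignored, and 'any' / 'host' follow the mapping in Table 14 (assumed here)."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    number = int(tok[1])
    if not 1 <= number <= 99:
        raise ValueError("standard IP ACLs use access list numbers 1-99")
    if tok[2] not in ("permit", "deny"):
        raise ValueError(f"action must be deny or permit, got {tok[2]!r}")
    if tok[3] in ("every", "any"):
        src, mask = "0.0.0.0", "255.255.255.255"   # every bit ignored
    elif tok[3] == "host":
        src, mask = tok[4], "0.0.0.0"              # every bit must match
    else:
        src, mask = tok[3], tok[4]
    for field in (src, mask):                      # validate both dotted quads
        ip_int(field)
    return number, tok[2], src, mask

def evaluate(acl_lines: list, source_ip: str) -> str:
    """Rules apply top down and the first match wins.  No match falls through to
    deny, assuming the usual implicit deny-all at the end of an ACL (an assumption;
    this page does not state it)."""
    for line in acl_lines:
        _, action, src, mask = parse_standard_rule(line)
        if wildcard_match(source_ip, src, mask):
            return action
    return "deny"

# Constructed sample ACL 10: block one /24, allow one host, then allow a /16.
SAMPLE_ACL = ["access-list 10 deny 10.1.2.0 0.0.0.255 log",
              "access-list 10 permit host 192.168.0.5",
              "access-list 10 permit 192.168.0.0 0.0.255.255"]
```

Because the deny for 10.1.2.0/24 sits first, a host such as 10.1.2.77 is rejected even though later rules are permits; swapping the order would change the outcome, which is the usual source of ACL mistakes.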

This manual is also suitable for: EdgeSwitch ES-24-500W, EdgeSwitch ES-48-750W, EdgeSwitch ES-48-500W, EdgeSwitch ES-24-250W.