ip access-list tcp|udp

Use this command to define a named access control list (ACL) that determines whether to accept or drop an incoming TCP or UDP IP packet based on the specified match criteria. This form of command filters packets based on source and destination IP address along with protocol (TCP or UDP) and port.

Use the no form of this command to remove an ACL specification.


Configuring the same filter again with a different sequence number or action updates the sequence number or the filter action of that entry.
TCP flag options and port range operators such as neq, gt, lt and range are not supported by hardware in the egress direction.
The ack and established TCP flag options have the same functionality in hardware.
The neq option should be removed from IPv4 access list configuration on the Qumran2 Series Platform.

Command Syntax

(<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www|netconf-ssh|netconf-tls)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|
(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) ({ack|established|fin|psh|rst|syn|urg}|) (vlan <1-4094>|) (inner-vlan <1-4094>|)

(<1-268435453>|) (deny|permit) udp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|
(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)

no (<1-268435453>|) (deny|permit) tcp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www|netconf-ssh|netconf-tls)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|bgp|chargen|cmd|daytime|discard|domain|drip|echo|exec|finger|ftp|ftp-data|gopher|hostname|ident|irc|klogin|kshell|login|lpd|nntp|pim-auto-rp|pop2|pop3|smtp|ssh|sunrpc|tacacs|talk|telnet|time|uucp|whois|www)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|
(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) ({ack|established|fin|psh|rst|syn|urg}|) (vlan <1-4094>|) (inner-vlan <1-4094>|)

no (<1-268435453>|) (deny|permit) udp (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) (A.B.C.D/M|A.B.C.D A.B.C.D|host A.B.C.D|any) ((eq|gt|lt|neq) (<0-65535>|biff|bootpc|bootps|discard|dnsix|domain|echo|isakmp|mobile-ip|nameserver|netbios-dgm|netbios-ns|netbios-ss|non500-isakmp|ntp|pim-auto-rp|rip|snmp|snmptrap|sunrpc|syslog|tacacs|talk|tftp|time|who|xdmcp)|range <0-65535> <0-65535>|) ((dscp (<0-63>|af11|af12|af13|af21|af22|af23|af31|af32|af33|af41|af42|af43|cs1|cs2|cs3|cs4|cs5|cs6|cs7|default|ef))|
(precedence (<0-7>|critical|flash|flashoverride|immediate|internet|network|priority|routine))|) (vlan <1-4094>|) (inner-vlan <1-4094>|)

Parameters

<1-268435453>

IPv4 ACL sequence number.

deny

Drop the packet.

permit

Accept the packet.

tcp

Transmission Control Protocol.

udp

User Datagram Protocol.

A.B.C.D/M

Source or destination IP prefix and length.

A.B.C.D A.B.C.D

Source or destination IP address and mask.

host A.B.C.D

Source or destination host IP address.

any

Any source or destination IP address.

eq

Source or destination port equal to.

gt

Source or destination port greater than.

lt

Source or destination port less than.

neq

Source or destination port not equal to.

<0-65535>

Source or destination port number.

range

Range of source or destination port numbers:

<0-65535>

Lowest value in the range.

<0-65535>

Highest value in the range.

bgp

Border Gateway Protocol.

chargen

Character generator.

cmd

Remote commands.

daytime

Daytime.

discard

Discard.

domain

Domain Name Service.

drip

Dynamic Routing Information Protocol.

echo

Echo.

exec

EXEC.

finger

Finger.

ftp

File Transfer Protocol.

ftp-data

FTP data connections.

gopher

Gopher.

hostname

NIC hostname server.

ident

Ident Protocol.

irc

Internet Relay Chat.

klogin

Kerberos login.

kshell

Kerberos shell.

login

Login.

lpd

Printer service.

nntp

Network News Transport Protocol.

pim-auto-rp

PIM Auto-RP.

pop2

Post Office Protocol v2.

pop3

Post Office Protocol v3.

smtp

Simple Mail Transport Protocol.

ssh

Secure Shell.

sunrpc

Sun Remote Procedure Call.

tacacs

TAC Access Control System.

talk

Talk.

telnet

Telnet.

time

Time.

uucp

UNIX-to-UNIX Copy Program.

whois

WHOIS/NICNAME.

www

World Wide Web.

netconf-ssh

Secure Shell Network Configuration.

netconf-tls

Transport Layer Security Network Configuration.

dscp

Match packets with given DSCP value.

<0-63>

Enter DSCP value between 0-63.

af11

AF11 DSCP (001010) decimal value 10.

af12

AF12 DSCP (001100) decimal value 12.

af13

AF13 DSCP (001110) decimal value 14.

af21

AF21 DSCP (010010) decimal value 18.

af22

AF22 DSCP (010100) decimal value 20.

af23

AF23 DSCP (010110) decimal value 22.

af31

AF31 DSCP (011010) decimal value 26.

af32

AF32 DSCP (011100) decimal value 28.

af33

AF33 DSCP (011110) decimal value 30.

af41

AF41 DSCP (100010) decimal value 34.

af42

AF42 DSCP (100100) decimal value 36.

af43

AF43 DSCP (100110) decimal value 38.

cs1

CS1 (precedence 1) DSCP (001000) decimal value 8.

cs2

CS2 (precedence 2) DSCP (010000) decimal value 16.

cs3

CS3 (precedence 3) DSCP (011000) decimal value 24.

cs4

CS4 (precedence 4) DSCP (100000) decimal value 32.

cs5

CS5 (precedence 5) DSCP (101000) decimal value 40.

cs6

CS6 (precedence 6) DSCP (110000) decimal value 48.

cs7

CS7 (precedence 7) DSCP (111000) decimal value 56.

default

Default DSCP (000000) decimal value 0.

ef

EF DSCP (101110) decimal value 46.

precedence

Match packets with given precedence value.

<0-7>

Enter precedence value 0-7.

critical

Match packets with critical precedence (5).

flash

Match packets with flash precedence (3).

flashoverride

Match packets with flash override precedence (4).

immediate

Match packets with immediate precedence (2).

internet

Match packets with internetwork control precedence (6).

network

Match packets with network control precedence (7).

priority

Match packets with priority precedence (1).

routine

Match packets with routine precedence (0).

ack

Match on the Acknowledgment (ack) bit.

established

Matches only packets that belong to an established TCP connection.

fin

Match on the Finish (fin) bit.

psh

Match on the Push (psh) bit.

rst

Match on the Reset (rst) bit.

syn

Match on the Synchronize (syn) bit.

urg

Match on the Urgent (urg) bit.

biff

Biff.

bootpc

Bootstrap Protocol (BOOTP) client.

bootps

Bootstrap Protocol (BOOTP) server.

discard

Discard.

dnsix

DNSIX security protocol auditing.

domain

Domain Name Service.

echo

Echo.

isakmp

Internet Security Association and Key Management Protocol.

mobile-ip

Mobile IP registration.

nameserver

IEN116 name service.

netbios-dgm

Net BIOS datagram service.

netbios-ns

Net BIOS name service.

netbios-ss

Net BIOS session service.

non500-isakmp

Non500-Internet Security Association and Key Management Protocol.

ntp

Network Time Protocol.

pim-auto-rp

PIM Auto-RP.

rip

Routing Information Protocol.

snmp

Simple Network Management Protocol.

snmptrap

SNMP Traps.

sunrpc

Sun Remote Procedure Call.

syslog

System Logger.

tacacs

TAC Access Control System.

talk

Talk.

tftp

Trivial File Transfer Protocol.

time

Time.

who

Who service.

xdmcp

X Display Manager Control Protocol.

fragments

Check non-initial fragments.

vlan

Match packets with given vlan value.

<1-4094>

VLAN identifier.

inner-vlan

Match packets with given inner VLAN Identifier.

<1-4094>

VLAN identifier.

Default

None

Command Mode

IP access-list mode

Applicability

This command was introduced before OcNOS version 1.3.

Examples

#configure terminal
(config)#ip access-list ip-acl-02
(config-ip-acl)#deny udp any any eq tftp
(config-ip-acl)#deny tcp any any eq ssh
(config-ip-acl)#end