6.4.5. permit (IP)
Syntax
[sequence <1-2147483647>] permit (<0-255> | ipinip | egp | igp | hmp | rdp | ipv6 | ipv6:rout | ipv6:frag | rsvp | ipv6:icmp | ospf | pim | l2tp | ip) (A.B.C.D/A.B.C.D | any) (A.B.C.D/A.B.C.D | any) [(dscp | precedence) VALUE]
[sequence <1-2147483647>] permit icmp (A.B.C.D/A.B.C.D | any) (A.B.C.D/A.B.C.D | any) (<0-255> | echo-reply | destination-unreachable | source-quench | echo-request | router-advertisement | router-solicitation | time-exceeded | timestamp | timestamp-reply | traceroute | any) (<0-255> | any) [(dscp | precedence) VALUE]
[sequence <1-2147483647>] permit tcp (A.B.C.D/A.B.C.D | any) (<0-65535> | echo | discard | daytime | ftp-data | ftp | telnet | smtp | time | hostname | whois | tacacs-ds | domain | www | pop2 | pop3 | syslog | talk | klogin | kshell | sunrpc | drip | PORT_RANGE | any) (A.B.C.D/A.B.C.D | any) (<0-65535> | echo | discard | daytime | ftp-data | ftp | telnet | smtp | time | hostname | whois | tacacs-ds | domain | www | pop2 | pop3 | syslog | talk | klogin | kshell | sunrpc | drip | PORT_RANGE | any) [match-all TCP_FLAG] [(dscp | precedence) VALUE]
[sequence <1-2147483647>] permit udp (A.B.C.D/A.B.C.D | any) (<0-65535> | echo | discard | time | nameserver | tacacs-ds | domain | bootps | bootpc | tftp | sunrpc | ntp | netbios-ns | snmp | snmptrap | who | syslog | talk | rip | PORT_RANGE | any) (A.B.C.D/A.B.C.D | any) (<0-65535> | echo | discard | time | nameserver | tacacs-ds | domain | bootps | bootpc | tftp | sunrpc | ntp | netbios-ns | snmp | snmptrap | who | syslog | PORT_RANGE | any) [(dscp | precedence) VALUE]
no sequence <1-2147483647>
Parameter
Parameter | Description
<1-2147483647> | (Optional) Specify the sequence index of the ACE. The sequence index represents the priority of the ACE within the ACL.
(A.B.C.D/A.B.C.D | any) | Specify the source IPv4 address and mask of the packet, or any IPv4 address.
(A.B.C.D/A.B.C.D | any) | Specify the destination IPv4 address and mask of the packet, or any IPv4 address.
[dscp VALUE] | (Optional) Specify the DSCP value of the packet.
[precedence VALUE] | (Optional) Specify the IP precedence of the packet.
icmp-type | Specify the ICMP message type for filtering ICMP packets. Enter a type name from the list or the ICMP message type number.
icmp-code | Specify the ICMP message code for filtering ICMP packets.
l4-source-port | Specify the TCP/UDP source port for filtering TCP/UDP packets. Enter a port name from the list or a TCP/UDP port number.
l4-destination-port | Specify the TCP/UDP destination port for filtering TCP/UDP packets. Enter a port name from the list or a TCP/UDP port number.
match-all | Specify TCP flags for TCP packets. A flag that must be set is prefixed by "+"; a flag that must be unset is prefixed by "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. To define more than one flag, enter the additional flags one after another without spaces (example: +syn-ack).
Default
No default is defined.
Mode
IP ACL Configuration
Usage
Use the permit command to add permit conditions for an IP ACE; packets that hit the ACE are allowed to pass. The "sequence" index also represents the hit priority when the ACL is bound to an interface. An ACE added without a "sequence" index is assigned a sequence index equal to the largest existing index plus 20.
If a packet matches more than one ACE, the ACE with the lowest sequence index is hit. An ACE cannot be added if it has the same conditions as an existing ACE.
Example
The example shows how to add a set of ACEs. You can verify the settings with the show acl command. This command permits packets from a source IP address subnet.
Switch(ip-al)# permit ip 192.168.1.0/255.255.255.0
This command permits ICMP echo-request packets from and to any IP address.
Switch(ip-al)# permit icmp any any echo-request any
This command permits HTTP packets between any IP addresses with DSCP 5.
Switch(ip-al)# permit tcp any any any www dscp 5
This command permits SNMP packets from any source IP address to the destination IP address 192.168.1.1.
Switch(ip-al)# permit udp any any 192.168.1.1/255.255.255.255 snmp
Switch(ip-al)# show acl
IP access list iptest
sequence 1 permit ip 192.168.1.0/255.255.255.0 any
sequence 21 permit icmp any any echo-request any
sequence 41 permit tcp any any any www dscp 5
sequence 61 permit udp any any 192.168.1.1/255.255.255.255 snmp