6.4.6. deny (IP)
Syntax
[sequence <1-2147483647>] deny (<0-255> | ipinip | egp | igp | hmp | rdp | ipv6 | ipv6:rout | ipv6:frag | rsvp | ipv6:icmp | ospf | pim | l2tp | ip) (A.B.C.D/A.B.C.D | any) (A.B.C.D/A.B.C.D | any) [(dscp | precedence) VALUE]
[sequence <1-2147483647>] deny icmp (A.B.C.D/A.B.C.D | any) (A.B.C.D/A.B.C.D | any) (<0-255> | echo-reply | destination-unreachable | source-quench | echo-request | router-advertisement | router-solicitation | time-exceeded | timestamp | timestamp-reply | traceroute | any) (<0-255> | any) [(dscp | precedence) VALUE]
[sequence <1-2147483647>] deny tcp (A.B.C.D/A.B.C.D | any) (<0-65535> | echo | discard | daytime | ftp-data | ftp | telnet | smtp | time | hostname | whois | tacacs-ds | domain | www | pop2 | pop3 | syslog | talk | klogin | kshell | sunrpc | drip | PORT_RANGE | any) (A.B.C.D/A.B.C.D | any) (<0-65535> | echo | discard | daytime | ftp-data | ftp | telnet | smtp | time | hostname | whois | tacacs-ds | domain | www | pop2 | pop3 | syslog | talk | klogin | kshell | sunrpc | drip | PORT_RANGE | any) [match-all TCP_FLAG] [(dscp | precedence) VALUE]
[sequence <1-2147483647>] deny udp (A.B.C.D/A.B.C.D | any) (<0-65535> | echo | discard | time | nameserver | tacacs-ds | domain | bootps | bootpc | tftp | sunrpc | ntp | netbios-ns | snmp | snmptrap | who | syslog | talk | rip | PORT_RANGE | any) (A.B.C.D/A.B.C.D | any) (<0-65535> | echo | discard | time | nameserver | tacacs-ds | domain | bootps | bootpc | tftp | sunrpc | ntp | netbios-ns | snmp | snmptrap | who | syslog | PORT_RANGE | any) [(dscp | precedence) VALUE]
no sequence <1-2147483647>
Parameter
sequence <1-2147483647>
    (Optional) Specify the sequence index of the ACE. The sequence index represents the priority of the ACE within the ACL.
(A.B.C.D/A.B.C.D | any)
    Specify the source IP address and mask of the packet, or any to match any source address.
(A.B.C.D/A.B.C.D | any)
    Specify the destination IP address and mask of the packet, or any to match any destination address.
[dscp VALUE]
    (Optional) Specify the DSCP of the packet.
[precedence VALUE]
    (Optional) Specify the IP precedence of the packet.
icmp-type
    Specify the ICMP message type for filtering ICMP packets. Enter a type name from the list or an ICMP message type number.
icmp-code
    Specify the ICMP message code for filtering ICMP packets.
l4-source-port
    Specify the TCP/UDP source port for filtering TCP/UDP packets. Enter a port name from the list or a TCP/UDP port number.
l4-destination-port
    Specify the TCP/UDP destination port for filtering TCP/UDP packets. Enter a port name from the list or a TCP/UDP port number.
match-all
    Specify the TCP flags to match for a TCP packet. A flag that must be set is prefixed with "+"; a flag that must be unset is prefixed with "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. To define more than one flag, enter the additional flags one after another without a space (for example, +syn-ack).
[shutdown]
    (Optional) Shut down the interface when the ACE is hit.
Default
No default is defined.
Mode
IP ACL Configuration
Usage
Use the deny command to add a deny condition as an IP ACE; packets that hit the ACE are dropped. The "sequence" index also represents the hit priority once the ACL is bound to an interface. An ACE added without a "sequence" index is assigned the largest existing index plus 20. If the packet content matches more than one ACE, the ACE with the lowest sequence index is hit. An ACE cannot be added if it has the same conditions as an existing ACE. Use "shutdown" to shut down the interface when the ACE is hit.
Example
The example shows how to add an ACE that denies packets with the source IP address 192.168.1.80. You can verify the setting with the show acl command that follows.
Switch(config)# ip acl iptest
Switch(ip-al)# deny ip 192.168.1.80/255.255.255.255 any
Switch(ip-al)# show acl
IP access list iptest
sequence 1 deny ip 192.168.1.80/255.255.255.255 any
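The following is an added example, not the switch's code, that models the ACE rules stated in the Usage section (auto-assigned sequence of largest existing index plus 20, lowest sequence wins when several ACEs match, duplicate conditions rejected) so the resulting order can be checked before an ACL is bound. It assumes a mask of 255.255.255.255 selects a single host, as in the example session above, and that the first ACE receives sequence 1, as shown there.

```python
import ipaddress


def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))


class IpAcl:
    """Constructed model of an IP ACL with the sequence rules from the Usage section."""

    def __init__(self, name):
        self.name = name
        self.aces = []  # kept sorted by sequence; each entry is {"seq": int, "cond": tuple}

    @staticmethod
    def _parse_addr(spec):
        # "any" matches every address; "A.B.C.D/M.M.M.M" is an address plus subnet mask
        # (assumed: a mask of 255.255.255.255 selects one host, as in the example session).
        if spec == "any":
            return (0, 0)
        addr, mask = spec.split("/")
        return (_to_int(addr), _to_int(mask))

    def add(self, action, proto, src, dst, sequence=None):
        """Add an ACE and return the sequence index it was given."""
        cond = (action, proto, self._parse_addr(src), self._parse_addr(dst))
        # An ACE with exactly the same conditions as an existing ACE is rejected.
        if any(a["cond"] == cond for a in self.aces):
            raise ValueError("an ACE with the same conditions already exists")
        if sequence is None:
            # Largest existing index plus 20; the first ACE gets 1 (assumed from the example).
            sequence = 1 if not self.aces else max(a["seq"] for a in self.aces) + 20
        self.aces.append({"seq": sequence, "cond": cond})
        self.aces.sort(key=lambda a: a["seq"])
        return sequence

    @staticmethod
    def _addr_hit(spec, ip):
        addr, mask = spec
        return (_to_int(ip) & mask) == (addr & mask)

    def lookup(self, proto, src_ip, dst_ip):
        """Return (sequence, action) of the lowest-sequence ACE the packet hits, or None."""
        for ace in self.aces:  # ascending order, so the first hit is the lowest sequence
            action, p, s, d = ace["cond"]
            if p in ("ip", proto) and self._addr_hit(s, src_ip) and self._addr_hit(d, dst_ip):
                return (ace["seq"], action)
        return None
```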