Command:

deny (extended)


Mode:

Router(config-ext-nacl)#

Syntax:

deny protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [established] [log]

Syntax Description:

protocol
    Name or number of an IP protocol, for example ip, tcp, udp or icmp. The keyword ip matches any IP protocol.

source source-wildcard
    Source address and wildcard mask. A 0 bit in the wildcard must match the address, a 1 bit is ignored. host A.B.C.D is shorthand for A.B.C.D 0.0.0.0, and any is shorthand for 0.0.0.0 255.255.255.255.

operator port
    Optional TCP or UDP port comparison: eq, neq, gt, lt or range (range takes two ports). The port is given by number or by name, for example telnet for TCP port 23.

destination destination-wildcard
    Destination address and wildcard mask, written the same way as the source.

precedence
    Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name. The IP precedence is the three leftmost bits in the TOS octet of an IP header (as defined in RFCs 1349, 1812, 2474 and 2873). It may be set using the route map or policy map command set ip precedence.

tos
    Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name. The TOS field is bits 3-6 of the TOS octet of the IPv4 header (RFC 1349).

established
    For the TCP protocol only: indicates an established connection. A match occurs if the TCP segment has the ACK or RST bit set. The nonmatching case is the initial SYN segment that opens a connection, which carries neither bit. This is a check of flag bits, not connection tracking: a packet built with the ACK bit set matches even if no handshake ever took place, so a permit using established should be placed after any deny entries that must apply regardless of flags.

log
    Causes an informational logging message about the packet that matches the entry to be sent to the console. The first matching packet is logged immediately; later matches are summarised with a packet count at five-minute intervals (the number of packets that triggers an earlier summary can be set with ip access-list log-update threshold). Logging is done in software, so apply it to the few entries that need it rather than to every entry.


Command Description:

In named extended access-list configuration mode, a deny entry specifies the conditions under which a packet is dropped. Entries are evaluated in the order they were entered, and the first entry that matches decides the packet's fate; every access list also ends with an implicit deny of all traffic, so a list containing only deny entries blocks everything that reaches it. The list has no effect until it is applied, for example to an interface with ip access-group. Use the log keyword to get access list logging messages, including violations.

Example:

The following example makes an entry into an IP named extended access list. The entry denies Telnet traffic from a Telnet client on host 172.19.99.67 that uses TCP source port 11005 from reaching the Telnet server (TCP port 23) on host 192.168.60.185. Note that the source-port operator narrows the match to that single connection: a Telnet client picks a fresh ephemeral source port for each session, so a second connection from the same host would not match this entry. To block the client entirely, omit the source-port operator (eq 11005).

Router(config-ext-nacl)#deny tcp host 172.19.99.67 eq 11005 host 192.168.60.185 eq telnet 
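A complete list that puts this deny entry to work, as an added example that is not part of the original page. The ACL name TELNET-FILTER, the interface GigabitEthernet0/0 and the 172.19.99.0/24 client network are assumptions chosen to fit the page's addresses; the two hosts are the ones from the example above. It shows the ordering a practitioner needs: the specific deny entries first, the established permit for return traffic below them, and an explicit permit at the end so the implicit deny does not block everything else.

```cisco
! Added example, not from the original page. ACL name, interface and the
! 172.19.99.0/24 network are assumptions; the hosts are the page's own.
ip access-list extended TELNET-FILTER
 remark First match wins, so the specific deny entries come first
 remark Deny the page's client (any source port, not only 11005)
 deny tcp host 172.19.99.67 host 192.168.60.185 eq telnet log
 remark Deny the rest of that client's /24 (wildcard 0.0.0.255)
 deny tcp 172.19.99.0 0.0.0.255 host 192.168.60.185 eq telnet log
 remark Return traffic for sessions opened from inside: ACK or RST set.
 remark Flag check only, so it stays below the denies above
 permit tcp any any established
 remark Everything else; without this the implicit deny drops it all
 permit ip any any
!
interface GigabitEthernet0/0
 description Outside (assumed)
 ip access-group TELNET-FILTER in
!
! The log keyword emits severity 6 (informational) messages, so the
! console or syslog level must admit them
logging console informational
```

Verify with show access-lists TELNET-FILTER, which prints a match counter next to each entry, and show logging for the %SEC-6-IPACCESSLOGP messages; because later matches are only summarised at intervals, the counters are the more reliable sign of ongoing activity. On IOS the related keyword log-input (not covered on this page) adds the ingress interface and source MAC address to the message, which is useful when tracing a spoofed source.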


Misconceptions:

None

Related Commands:
ip access-list (extended)
permit (extended)

 



© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education