Command:

permit (extended)

 

Mode:

Router(config-ext-nacl)#

 

Syntax:

permit protocol source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [established] [log]


no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

ICMP
permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

IGMP
permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

TCP
permit tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

UDP
permit udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

 

Syntax Description:

protocol

Name or number of an IP protocol. It can be one of the keywords ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.
  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions to be ignored. 
  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.
  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions to be ignored.
  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name. The IP precedence is the three leftmost bits in the TOS octet of an IP header (as defined in RFCs 1349, 1812, 2474 and 2873). It may be set with the set ip precedence command in a route map or policy map.

tos tos

Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name. The TOS field is bits 3-6 in the TOS octet of the IPv4 header (RFC 1349).

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255. The type is carried in the first byte of the ICMP datagram and is defined by RFC 792.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255. The code is carried in the second byte of the ICMP datagram and is defined by RFC 792.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message for a standard list includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets.

The message for an extended list includes the access list number; whether the packet was permitted or denied; the protocol; whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers.

For both standard and extended lists, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

 

Command Description:

To set conditions for a named IP access list, use the permit access-list configuration command. To remove a condition from an access list, use the no form of this command.


Example:

The following example makes an entry into an IP named extended access list. This entry permits telnet traffic from a telnet client originating on host 172.19.99.67 TCP port 11005 to access the telnet server running on host 192.168.60.185.  

Router(config)#ip access-list extended Internetfilter
Router(config-ext-nacl)#permit tcp host 172.19.99.67 eq 11005 host 192.168.60.185 eq telnet 
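The following Python matcher is an added illustration, not Cisco IOS code, of how the fields described above are evaluated against a packet: the wildcard mask (a one bit means "ignore this bit"), the any and host abbreviations, the lt/gt/eq/neq/range port operators on the source or destination side, and the established keyword (ACK or RST set). The TCP_PORT_NAMES table is an assumed small subset of the IOS port names, and Packet is a constructed stand-in for the packet headers the router would inspect. It parses the entry from the example above and checks it, and a wildcard entry, against constructed packets.

```python
"""Added example (not Cisco's code): evaluate an extended-ACL permit entry
against a packet the way the syntax description above explains it."""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, Optional, Tuple

# Assumed small subset of the IOS port-name keywords (names only valid for TCP here).
TCP_PORT_NAMES = {"telnet": 23, "www": 80, "smtp": 25, "ftp": 21}
OPERATORS = {"lt", "gt", "eq", "neq", "range"}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to one are ignored; the remaining bits must equal the base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


def parse_address(tokens, i):
    """Consume 'any', 'host X' or 'X wildcard' at tokens[i]; return (base, wildcard, next index)."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def port_number(tok: str) -> int:
    if tok.isdigit():
        n = int(tok)
        if not 0 <= n <= 65535:
            raise ValueError(f"port out of range: {tok}")
        return n
    return TCP_PORT_NAMES[tok]


def parse_port_clause(tokens, i):
    """Optionally consume 'operator port [port]'; range takes two ports, the rest one."""
    if i < len(tokens) and tokens[i] in OPERATORS:
        op = tokens[i]
        if op == "range":
            return op, (port_number(tokens[i + 1]), port_number(tokens[i + 2])), i + 3
        return op, (port_number(tokens[i + 1]),), i + 2
    return None, (), i


def port_match(op: Optional[str], ports: Tuple[int, ...], actual: int) -> bool:
    if op is None:
        return True  # no operator given: any port matches
    if op == "lt":
        return actual < ports[0]
    if op == "gt":
        return actual > ports[0]
    if op == "eq":
        return actual == ports[0]
    if op == "neq":
        return actual != ports[0]
    return ports[0] <= actual <= ports[1]  # range is inclusive


@dataclass
class PermitEntry:
    protocol: str
    src: str
    src_wc: str
    src_op: Optional[str]
    src_ports: Tuple[int, ...]
    dst: str
    dst_wc: str
    dst_op: Optional[str]
    dst_ports: Tuple[int, ...]
    established: bool


@dataclass
class Packet:
    """Constructed packet summary: protocol keyword, addresses, ports and TCP flag names."""
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: FrozenSet[str] = field(default_factory=frozenset)


def parse_permit(line: str) -> PermitEntry:
    tokens = line.split()
    if tokens[0] != "permit":
        raise ValueError("expected a permit entry")
    src, src_wc, i = parse_address(tokens, 2)
    src_op, src_ports, i = parse_port_clause(tokens, i)
    dst, dst_wc, i = parse_address(tokens, i)
    dst_op, dst_ports, i = parse_port_clause(tokens, i)
    return PermitEntry(tokens[1], src, src_wc, src_op, src_ports,
                       dst, dst_wc, dst_op, dst_ports, "established" in tokens[i:])


def entry_matches(entry: PermitEntry, pkt: Packet) -> bool:
    if entry.protocol != "ip" and entry.protocol != pkt.protocol:
        return False  # 'ip' matches every protocol; anything else must match exactly
    if not wildcard_match(pkt.src, entry.src, entry.src_wc):
        return False
    if not wildcard_match(pkt.dst, entry.dst, entry.dst_wc):
        return False
    if not port_match(entry.src_op, entry.src_ports, pkt.sport):
        return False
    if not port_match(entry.dst_op, entry.dst_ports, pkt.dport):
        return False
    if entry.established and not (pkt.flags & {"ACK", "RST"}):
        return False  # the initial SYN of a connection does not match 'established'
    return True


if __name__ == "__main__":
    e = parse_permit("permit tcp host 172.19.99.67 eq 11005 host 192.168.60.185 eq telnet")
    print(entry_matches(e, Packet("tcp", "172.19.99.67", "192.168.60.185", 11005, 23)))
```

The entry from the example above matches only a TCP packet from 172.19.99.67 port 11005 to 192.168.60.185 port 23; an entry such as permit tcp 10.1.0.0 0.0.255.255 any established matches return traffic from any 10.1.x.x host with ACK or RST set, but not a bare SYN.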

 


Misconceptions:

 

None


Related Commands:

 

ip access-list extended

 

deny (extended)

  


© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
