deny (extended)
deny protocol source source-wildcard [operator port] destination destination-wildcard [operator port][precedence precedence] [tos tos] [established] [log]

Syntax Description:

precedence Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name. The IP precedence is the three leftmost bits in the TOS octet of an IP header (as defined in RFCs 1349, 1812, 2474 and 2873). This may be set using the route map or policy map command set ip precedence.

tos Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name. The TOS Field is bits 3-6 in the TOS octet of IPv4 header [RFC 1349].
established For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
log Causes an informational logging message about the packet that matches the entry to be sent to the console.

Command Description:

In access-list configuration mode, specify the conditions allowed or denied. Use the log keyword to get access list logging messages, including violations.


The following example makes an entry into an IP named extended access list. This entry denies telnet traffic from a telnet client originating on host TCP port 11005 from accessing the telnet server running on host 

Router(config-ext-nacl)#deny tcp host eq 11005 host eq telnet 
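To make the matching rules above concrete, here is an added example (not Cisco code and not from this reference page) that models how one extended deny entry is evaluated against a packet: wildcard-mask address matching, the optional port operator, the precedence and tos sub-fields of the TOS octet, and the established test on the ACK/RST bits. The addresses and ports in the sample entry are constructed.

```python
import ipaddress
from dataclasses import dataclass

TCP_ACK, TCP_RST = 0x10, 0x04  # TCP flag bits consulted by 'established'

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "ip"
    sport: int = 0
    dport: int = 0
    tos_octet: int = 0  # the whole 8-bit TOS octet of the IPv4 header
    tcp_flags: int = 0

def precedence_of(tos_octet):
    """IP precedence: the three leftmost bits of the TOS octet (0-7)."""
    return (tos_octet >> 5) & 0x7

def tos_of(tos_octet):
    """TOS field: bits 3-6 of the TOS octet (0-15); bit 7 is unused."""
    return (tos_octet >> 1) & 0xF

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    'host A' in the CLI is shorthand for 'A 0.0.0.0'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def port_match(operator, value, port):
    """The optional 'operator port' clause; no clause means any port."""
    if operator is None:
        return True
    return {"eq": port == value, "neq": port != value,
            "gt": port > value, "lt": port < value}[operator]

def deny_matches(entry, pkt):
    """True when the packet satisfies every condition of the deny entry."""
    return (entry["protocol"] in ("ip", pkt.proto)
            and wildcard_match(pkt.src, entry["source"], entry["source_wildcard"])
            and wildcard_match(pkt.dst, entry["destination"], entry["destination_wildcard"])
            and port_match(*entry.get("src_port", (None, 0)), pkt.sport)
            and port_match(*entry.get("dst_port", (None, 0)), pkt.dport)
            and ("precedence" not in entry or precedence_of(pkt.tos_octet) == entry["precedence"])
            and ("tos" not in entry or tos_of(pkt.tos_octet) == entry["tos"])
            # 'established': ACK or RST set, so the initial SYN of a connection never matches
            and (not entry.get("established") or bool(pkt.tcp_flags & (TCP_ACK | TCP_RST))))

# Constructed entry: deny tcp host 10.0.0.5 eq 11005 host 10.0.0.23 eq telnet established
ENTRY = {"protocol": "tcp", "source": "10.0.0.5", "source_wildcard": "0.0.0.0",
         "src_port": ("eq", 11005), "destination": "10.0.0.23",
         "destination_wildcard": "0.0.0.0", "dst_port": ("eq", 23), "established": True}
```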



Related Commands:
ip access-list (extended)
permit (extended)


© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
