Edge Products ES3528-WDM User Manual


IP ACLs


• destination-bitmask – Destination address of rule must match this bitmask.
• precedence – Check the IP precedence field.
• tos – Check the TOS field.
• dscp – Check the DSCP field.
• source-port – Check the protocol source port field.
• destination-port – Check the protocol destination port field.
• port-bitmask – Protocol port of rule must match this bitmask. (Range: 0-65535)
• control-flag – Check the field for control flags.
• flag-bitmask – Control flags of rule must match this bitmask. (Range: 0-63)

Default Setting

None

Command Mode

IP Mask

Command Usage

• Packets crossing a port are checked against all the rules in the ACL until a match is found. The order in which these packets are checked is determined by the mask, and not the order in which the ACL rules were entered.

• First create the required ACLs and ingress or egress masks before mapping an ACL to an interface.

• If you enter dscp, you cannot enter tos or precedence. You can enter both tos and precedence without dscp.

• Masks that include an entry for a Layer 4 protocol source port or destination port can only be applied to packets with a header length of exactly five bytes.

Example
This example creates an IP ingress mask with two rules. Each rule is checked in
order of precedence to look for a match in the ACL entries. The first entry matching
a mask is applied to the inbound packet.

Console(config)#access-list ip mask-precedence in
Console(config-ip-mask-acl)#mask host any
Console(config-ip-mask-acl)#mask 255.255.255.0 any
Console(config-ip-mask-acl)#
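
The following Python model is an added illustration, not part of the manual and not the switch's own code. It shows why mask order, rather than rule entry order, decides the outcome for the two masks in the console example; the ACL rules and addresses are constructed, and tying each rule to the mask with the same source bitmask is an assumption of the model.

```python
import ipaddress

def ip(s):
    """Dotted-quad string to integer."""
    return int(ipaddress.IPv4Address(s))

# Ingress masks in precedence order, taken from the console example:
#   mask host any          -> source bitmask 255.255.255.255
#   mask 255.255.255.0 any -> source bitmask 255.255.255.0
MASKS = [ip("255.255.255.255"), ip("255.255.255.0")]

# Constructed ACL rules (action, source address, source bitmask), listed in
# the order an administrator might type them: broad permit first.
RULES = [
    ("permit", ip("10.1.1.0"), ip("255.255.255.0")),
    ("deny",   ip("10.1.1.1"), ip("255.255.255.255")),
]

def by_entry_order(src, rules):
    """First match in the order rules were entered (NOT what the manual describes)."""
    for action, addr, bitmask in rules:
        if src & bitmask == addr & bitmask:
            return action
    return None

def by_mask_order(src, rules, masks):
    """Walk the masks in precedence order; under each mask, test only the
    rules whose bitmask equals it (model assumption). First match decides."""
    for mask in masks:
        for action, addr, bitmask in rules:
            if bitmask == mask and src & mask == addr & mask:
                return action
    return None  # nothing matched; this page does not state the default action

def unreachable_rules(rules, masks):
    """In this model, a rule whose bitmask has no matching mask is never tested."""
    return [r for r in rules if r[2] not in masks]

if __name__ == "__main__":
    for host in ("10.1.1.1", "10.1.1.7", "192.168.0.1"):
        src = ip(host)
        print(host, by_entry_order(src, RULES), by_mask_order(src, RULES, MASKS))
```

When reviewing a configuration, compare the two orderings for the addresses you care about: any host where they disagree is one whose treatment depends on the mask list rather than on the ACL as typed.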
