HP A-U200 Command Reference Manual page 15

Unified threat management products

| Parameters | Function | Description |
|---|---|---|
| dscp dscp | Specifies a DSCP priority | The dscp argument can be a number in the range of 0 to 63, or in words, af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), default (0), or ef (46). |
| logging | Logs matching packets | This function requires that the module that uses the ACL supports logging. |
| reflective | Specifies that the rule be reflective | A rule with the reflective keyword can be defined only for TCP, UDP, or ICMP packets and can only be a permit statement. |
| vpn-instance vpn-instance-name | Applies the rule to packets in a VPN instance | The vpn-instance-name argument takes a case-sensitive string of 1 to 31 characters. If no VPN instance is specified, the rule applies only to non-VPN packets. |
| fragment | Applies the rule to only non-first fragments | Without this keyword, the rule applies to all fragments and non-fragments. |
| time-range time-range-name | Specifies a time range for the rule | The time-range-name argument takes a case-insensitive string of 1 to 32 characters. It must start with an English letter. If the time range is not configured, the system creates the rule; however, the rule using the time range can take effect only after you configure the time range. |

NOTE:
If you provide the precedence or tos keyword in addition to the dscp keyword, only the dscp keyword takes effect.

If the protocol argument takes tcp (6) or udp (7), set the parameters shown in Table 4.

Table 4 TCP/UDP-specific parameters for IPv4 advanced ACL rules

| Parameters | Function |
|---|---|
| source-port operator port1 [ port2 ] | Specifies one or more UDP or TCP source ports |
| destination-port operator port1 [ port2 ] | Specifies one or more UDP or TCP destination ports |

Description:

The operator argument can be lt (lower than), gt (greater than), eq (equal to), neq (not equal to), or range (inclusive range).

The port1 and port2 arguments are TCP or UDP port numbers in the range of 0 to 65535. port2 is needed only when the operator argument is range.

TCP port numbers can be represented as: chargen (19), bgp (179), cmd (514), daytime (13), discard (9), domain (53), echo (7), exec (512), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (101), irc (194), klogin (543), kshell (544), login (513), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), tacacs (49), talk (517), telnet (23), time (37), uucp (540), whois (43), and www (80).

UDP port numbers can be represented as: biff (512), bootpc (68), bootps (67), discard (9), dns (53), dnsix (90), echo (7), mobilip-ag (434), mobilip-mn (435), nameserver (42), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), tftp (69), time (37), who (513), and xdmcp (177).
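The constraints in the tables and NOTE above can be checked mechanically when reviewing an ACL configuration. The following linter is an added example, not code from the manual or from HP; the `rule [id] <permit|deny> <protocol> ...` line layout, the function names, and the sample rules in the comments are assumptions, and the port dictionaries hold only a subset of the keywords listed above.

```python
# Added example: lint IPv4 advanced ACL rule lines against the constraints
# stated on this page. Line layout "rule [id] <permit|deny> <protocol> ..."
# is an assumption; the port dictionaries are a subset of the page's tables.
TCP_PORTS = {"domain": 53, "www": 80, "telnet": 23, "cmd": 514, "login": 513, "exec": 512}
UDP_PORTS = {"dns": 53, "syslog": 514, "snmp": 161, "ntp": 123, "who": 513, "biff": 512}
OPERATORS = {"lt", "gt", "eq", "neq", "range"}

def resolve_port(token, proto):
    """Return the port number for a numeric or keyword token, or None if invalid."""
    if token.isdecimal():
        return int(token) if 0 <= int(token) <= 65535 else None
    # Keywords are protocol-specific: "www" exists for TCP only, "dns" for UDP only.
    return (TCP_PORTS if proto == "tcp" else UDP_PORTS).get(token)

def lint_rule(line):
    """Return a list of findings for one rule line (empty list = nothing flagged)."""
    t = line.split()
    if len(t) > 1 and t[1].isdecimal():   # drop an optional numeric rule ID
        del t[1]
    if len(t) < 3:
        raise ValueError("expected: rule [id] <permit|deny> <protocol> ...")
    action, proto = t[1], t[2]
    findings = []
    if "reflective" in t and (action != "permit" or proto not in ("tcp", "udp", "icmp")):
        findings.append("reflective requires a permit rule for TCP, UDP, or ICMP")
    if "dscp" in t and ("precedence" in t or "tos" in t):
        findings.append("precedence/tos ignored: only dscp takes effect")
    for kw in ("source-port", "destination-port"):
        if kw not in t:
            continue
        if proto not in ("tcp", "udp"):
            findings.append(f"{kw} applies only to tcp or udp rules")
            continue
        i = t.index(kw)
        op = t[i + 1] if i + 1 < len(t) else ""
        if op not in OPERATORS:
            findings.append(f"{kw}: unknown operator {op!r}")
            continue
        need = 2 if op == "range" else 1   # port2 is needed only with range
        ports = [resolve_port(x, proto) for x in t[i + 2:i + 2 + need]]
        if len(ports) < need or None in ports:
            findings.append(f"{kw}: invalid or missing port for {proto} ({op})")
    return findings

# Constructed sample rules:
#   lint_rule("rule permit tcp destination-port eq www")
#   lint_rule("rule permit udp destination-port eq www")
```

A keyword that is valid for one protocol and absent for the other (such as www under udp) is reported as an invalid port, which is the mismatch most likely to slip through a manual review.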
