Adding Rules (ACEs) to an IPv4-Based ACL
To add rules (ACEs) to an IPv4-based ACL:
- Click Access Control > IPv4 Based ACE. The IPv4 Based ACE page opens.
- Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed.
- Click Add. The Add IPv4 Based ACE page opens.
- Enter the parameters.
  - ACL Name--Displays the name of the ACL.
  - Priority--Enter the priority. ACEs with higher priority are processed first.
  - Action--Select the action assigned to the packet matching the ACE. The options are as follows:
  - Protocol--Select to create an ACE based on a specific protocol or protocol ID. Select Any (IPv4) to accept all IP protocols. Otherwise, select one of the following protocols from the drop-down list:
    - ICMP--Internet Control Message Protocol
    - IGMP--Internet Group Management Protocol
    - IP in IP--IP in IP encapsulation
    - TCP--Transmission Control Protocol
    - EGP--Exterior Gateway Protocol
    - IGP--Interior Gateway Protocol
    - UDP--User Datagram Protocol
    - HMP--Host Mapping Protocol
    - RDP--Reliable Datagram Protocol
    - IDPR--Inter-Domain Policy Routing Protocol
    - IPV6--IPv6 over IPv4 tunneling
    - IPV6:ROUT--Matches packets belonging to the IPv6 over IPv4 route through a gateway
    - IPV6:FRAG--Matches packets belonging to the IPv6 over IPv4 Fragment Header
    - IDRP--Inter-Domain Routing Protocol
    - RSVP--ReSerVation Protocol
    - AH--Authentication Header
    - IPV6:ICMP--Internet Control Message Protocol
    - EIGRP--Enhanced Interior Gateway Routing Protocol
    - OSPF--Open Shortest Path First
    - IPIP--IP in IP
    - PIM--Protocol Independent Multicast
    - L2TP--Layer 2 Tunneling Protocol
    - ISIS--IGP-specific protocol
  - Protocol ID to Match--Instead of selecting the name, enter the protocol ID.
  - Source IP Address--Select Any if all source addresses are acceptable, or User defined to enter a source address or range of source addresses.
  - Source IP Address Value--Enter the IP address against which the source IP address of the packet is matched.
  - Source IP Wildcard Mask--Enter the mask to define a range of IP addresses. Note that this mask works differently from a subnet mask: here a bit set to 1 means "don't care" (that bit of the address is ignored), and a bit set to 0 means that bit of the address must match the configured value.
  - Destination IP Address--Select Any if all destination addresses are acceptable, or User defined to enter a destination address or range of destination addresses.
  - Destination IP Address Value--Enter the IP address against which the destination IP address of the packet is matched.
  - Destination IP Wildcard Mask--Enter the mask to define a range of IP addresses (same semantics as the Source IP Wildcard Mask).
  - Source Port--Select one of the following:
    - Any--Match all source ports.
    - Single--Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down menu.
    - Range--Select a range of TCP/UDP source ports to which the packet is matched. There are eight different port ranges that can be configured (shared between source and destination ports). TCP and UDP protocols each have eight port ranges.
  - Destination Port--Select one of the available values; they are the same as for the Source Port field described above.
  NOTE: You must specify the IP protocol for the ACE before you can enter the source and/or destination port.
  - TCP Flags--Select one or more TCP flags with which to filter packets. Filtered packets are either forwarded or dropped. Filtering packets by TCP flags gives finer control over which packets are accepted, which increases network security.
  - Type of Service--The service type of the IP packet.
    - Any--Any service type
    - DSCP to Match--Differentiated Services Code Point (DSCP) to match
    - IP Precedence to Match--IP precedence is a model of TOS (type of service) that the network uses to help provide the appropriate QoS commitments. This model uses the 3 most significant bits of the service type byte in the IP header, as described in RFC 791 and RFC 1349.
  - ICMP--If the IP protocol of the ACL is ICMP, select the ICMP message type used for filtering purposes. Either select the message type by name or enter the message type number:
  - ICMP Code--The ICMP messages can have a code field that indicates how to handle the message. Select one of the following options to configure whether to filter on this code:
  - IGMP--If the ACL is based on IGMP, select the IGMP message type to be used for filtering purposes. Either select the message type by name or enter the message type number:
- Click Apply. The IPv4-based ACE is defined, and the Running Configuration file is updated.
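As an added illustration (not part of this guide and not the switch's own firmware), the following Python models how the parameters above combine when a packet is checked against an ACL: the wildcard-mask rule behind the Source/Destination IP Wildcard Mask fields (1 = don't care, 0 = must match), the TCP/UDP port fields, first-match evaluation in priority order, and the relationship between the Type of Service byte, IP precedence (top 3 bits) and DSCP (top 6 bits). The sample ACEs and packets are constructed for the example. Two details are assumptions, not statements of this page: that a lower priority number is processed first, and that a packet matching no ACE is dropped; check the device's own documentation for its actual behaviour.

```python
"""Model of IPv4 ACE evaluation: wildcard masks, ports, priority, ToS.
Added illustration only; it is not the switch's implementation."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# IANA IP protocol numbers for the protocols used below.
PROTO_ICMP, PROTO_IGMP, PROTO_TCP, PROTO_UDP = 1, 2, 6, 17


def wildcard_match(addr: str, value: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the mask means 'don't care',
    a 0 bit means that address bit must equal the configured value."""
    a, v, w = (int(IPv4Address(x)) for x in (addr, value, wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must match
    return (a & care) == (v & care)


def subnet_to_wildcard(subnet_mask: str) -> str:
    """Convert a subnet mask to the equivalent wildcard mask
    (bitwise inverse), e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(IPv4Address(~int(IPv4Address(subnet_mask)) & 0xFFFFFFFF))


def tos_fields(tos_byte: int) -> tuple:
    """Split the IP service-type byte into (precedence, dscp):
    precedence is the 3 most significant bits, DSCP the top 6."""
    return (tos_byte >> 5) & 0x7, (tos_byte >> 2) & 0x3F


@dataclass
class ACE:
    priority: int
    action: str                                # "permit" or "deny"
    protocol: Optional[int] = None             # None = Any (IPv4)
    src: str = "0.0.0.0"
    src_wildcard: str = "255.255.255.255"      # all bits don't care = Any
    dst: str = "0.0.0.0"
    dst_wildcard: str = "255.255.255.255"
    src_port: Optional[range] = None           # None = Any; range(p, p+1) = Single
    dst_port: Optional[range] = None


@dataclass
class Packet:
    protocol: int
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def ace_matches(ace: ACE, pkt: Packet) -> bool:
    """True if every configured field of the ACE matches the packet."""
    if ace.protocol is not None and ace.protocol != pkt.protocol:
        return False
    if not wildcard_match(pkt.src, ace.src, ace.src_wildcard):
        return False
    if not wildcard_match(pkt.dst, ace.dst, ace.dst_wildcard):
        return False
    # Port fields only make sense for TCP/UDP, which is why the guide
    # requires the protocol to be chosen before a port can be entered.
    for want, have in ((ace.src_port, pkt.src_port), (ace.dst_port, pkt.dst_port)):
        if want is not None:
            if pkt.protocol not in (PROTO_TCP, PROTO_UDP) or have not in want:
                return False
    return True


def evaluate(acl: List[ACE], pkt: Packet, default: str = "deny") -> str:
    """First match wins. Assumption: a lower priority number is processed
    first, and an unmatched packet gets the default (deny) action."""
    for ace in sorted(acl, key=lambda a: a.priority):
        if ace_matches(ace, pkt):
            return ace.action
    return default


# Constructed sample ACL, deliberately listed out of priority order.
SAMPLE_ACL = [
    ACE(30, "permit", PROTO_UDP, dst_port=range(53, 54)),                   # DNS to anywhere
    ACE(10, "permit", PROTO_TCP, src="192.0.2.0", src_wildcard="0.0.0.255",
        dst_port=range(443, 444)),                                          # HTTPS from 192.0.2.0/24
    ACE(5, "deny", src="192.0.2.13", src_wildcard="0.0.0.0"),               # one host blocked first
]

if __name__ == "__main__":
    p = Packet(PROTO_TCP, "192.0.2.5", "198.51.100.10", 51000, 443)
    print(evaluate(SAMPLE_ACL, p))               # permit (ACE 10)
    print(evaluate(SAMPLE_ACL, Packet(PROTO_TCP, "192.0.2.13", "198.51.100.10", 51000, 443)))  # deny (ACE 5 wins)
    print(subnet_to_wildcard("255.255.240.0"))   # 0.0.15.255
```

The host ACE at priority 5 wins over the broader permit at priority 10 even though both match, which is the ordering effect the Priority field controls; the `subnet_to_wildcard` helper is handy because the wildcard fields on this page are the bitwise inverse of the subnet masks used elsewhere.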