Home » Netgear Manuals » Hubs & Switches » Netgear FSM726v3 » Manual Viewer

Netgear FSM726v3 7200 managed switch v8.x CLI reference manual - Page 305

IP Extended ACL

Add to My Manuals
Save this manual to your list of manuals

Page 305 highlights

Managed Switch CLI Manual, Release 8.0 IP Extended ACL: Format Mode access-list {deny | permit} {every | {{icmp | igmp | ip | tcp | udp | } [{eq { | } [{eq {| }] [precedence | tos | dscp ] [log] [assign-queue ] [{mirror | redirect} ] Global Config Parameter Description or Range 1 to 99 is the access list number for an IP standard ACL. Range 100 to 199 is the access list number for an IP extended ACL. {deny | permit} Specifies whether the IP ACL rule permits or denies an action. every Match every packet {icmp | igmp | ip | tcp | udp Specifies the protocol to filter for an extended IP ACL rule. | } Specifies a source IP address and source netmask for match condition of the IP ACL rule. [{eq { | }] Specifies the source layer 4 port match condition for the IP ACL rule. You can use the port number, which ranges from 0-65535, or you specify the , which can be one of the following keywords: domain, echo, ftp, ftpdata, http, smtp, snmp, telnet, tftp, and www. Each of these keywords translates into its equivalent port number, which is used as both the start and end of a port range. Specifies a destination IP address and netmask for match condition of the IP ACL rule. [precedence | tos | dscp ] Specifies the TOS for an IP ACL rule depending on a match of precedence or DSCP values using the parameters dscp, precedence, tos/tosmask. [log] Specifies that this rule is to be logged. [assign-queue ] Specifies the assign-queue, which is the queue identifier to which packets matching this rule are assigned. [{mirror | redirect} ] Specifies the mirror or redirect interface which is the unit/slot/port to which packets matching this rule are copied or forwarded, respectively. The mirror and redirect parameters are not available on the GSM7328Sv1 and GSM7352Sv1 platforms. Quality of Service (QoS) Commands v1.0, July 2009 5-38

Section	Page
ProSafe 7200 Managed Switches CLI Manual, Software Version 8.0	1
Contents	5
About This Manual	9
Audience	9
About the Software	9
Scope	10
Product Concept	10
Conventions, Formats, and Scope	10
How to Print This Manual	12
Revision History	12
Chapter 1 Using the Command-Line Interface	13
Command Syntax	13
Command Conventions	14
Common Parameter Values	15
Unit/Slot/Port Naming Convention	15
Using the “No” Form of a Command	16
Managed Switch Modules	17
Command Modes	17
Command Completion and Abbreviation	21
CLI Error Messages	21
CLI Line-Editing Conventions	22
Using CLI Help	23
Accessing the CLI	24
Chapter 2 Stacking Commands	25
Dedicated Port Stacking	25
Front Panel Stacking Commands	34
Chapter 3 Switching Commands	37
Port Configuration Commands	38
Spanning Tree Protocol (STP) Commands	46
VLAN Commands	66
Double VLAN Commands	81
Voice VLAN Commands	83
Provisioning (IEEE 802.1p) Commands	86
Protected Ports Commands	87
Private Group Commands	89
GARP Commands	91
GVRP Commands	94
GMRP Commands	96
Port-Based Network Access Control Commands	99
Storm-Control Commands	113
Port-Channel/LAG (802.3ad) Commands	125
Port Mirroring	148
Static MAC Filtering	150
DHCP Snooping Configuration Commands	155
Dynamic ARP Inspection Commands	166
IGMP Snooping Configuration Commands	174
IGMP Snooping Querier Commands	183
Port Security Commands	189
LLDP (802.1AB) Commands	193
LLDP-MED Commands	204
Denial of Service Commands	215
MAC Database Commands	227
ISDP Commands	229
Chapter 4 Routing Commands	236
Address Resolution Protocol (ARP) Commands	236
IP Routing Commands	243
Router Discovery Protocol Commands	255
Virtual LAN Routing Commands	259
DHCP and BOOTP Relay Commands	260
IP Helper Commands	262
ICMP Throttling Commands	265
Chapter 5 Quality of Service (QoS) Commands	268
Class of Service (CoS) Commands	269
Differentiated Services (DiffServ) Commands	275
DiffServ Class Commands	277
DiffServ Policy Commands	286
DiffServ Service Commands	292
DiffServ Show Commands	293
MAC Access Control List (ACL) Commands	299
IP Access Control List (ACL) Commands	304
IPv6 Access Control List (ACL) Commands	311
Auto-Voice over IP Commands	315
Chapter 6 Utility Commands	318
Auto Install Commands	319
Dual Image Commands	321
System Information and Statistics Commands	323
Logging Commands	335
System Utility and Clear Commands	340
Simple Network Time Protocol (SNTP) Commands	350
DHCP Server Commands	356
DNS Client Commands	371
Packet Capture Commands	377
Serviceability Packet Tracing Commands	379
Cable Test Command	399
sFlow Commands	400
Chapter 7 Management Commands	406
Configuring the Switch Management CPU	407
Network Interface Commands	409
Console Port Access Commands	413
Telnet Commands	416
Secure Shell (SSH) Commands	421
Management Security Commands	424
Hypertext Transfer Protocol (HTTP) Commands	425
Access Commands	433
User Account Commands	434
SNMP Commands	445
RADIUS Commands	457
TACACS+ Commands	472
Configuration Scripting Commands	476
Pre-login Banner and System Prompt Commands	478
Chapter 8 Log Messages	480
Core	480
Utilities	483
Management	485
Switching	489
QoS	495
Routing/IPv6 Routing	496
Multicast	500
Stacking	502
Technologies	502
O/S Support	505
Chapter 9 Captive Portal Commands	507
Capitve Portal Global Commands	507
Captive Portal Configuration Commands	511
Captive Portal Status Commands	520
Captive Portal Client Connection Commands	525
Captive Portal Interface Commands	529
Captive Portal Local User Commands	530
Captive Portal User Group Commands	537
Chapter 10 Command List	539
{deny \| permit} (IP ACL) 5-40	539
{deny \| permit} (IPv6) 5-45	539
{deny \| permit} (MAC ACL) 5-34	539
aaa authentication dot1x 7-39	539
aaa authentication login 7-37	539
aaa authenticaton enable 7-38	539
access-list 5-37	539
acl-trapflags 5-42	539
addport 3-91	539
arp 4-2	539
arp access-list 3-134	539
arp cachesize 4-3	539
arp dynamicrenew 4-3	539
arp purge 4-4	539
arp resptime 4-4	539
arp retries 4-4	539
arp timeout 4-5	539
assign-queue 5-20	539
authentication timeout 9-3	539
authorization network radius 7-52	539
auto-negotiate 3-3	539
auto-negotiate all 3-4	539
auto-voip 5-49	539
auto-voip all 5-48	539
block 9-14	539
boot autoinstall auto-save 6-3	539
boot autoinstall retry-count 6-4	539
boot autoinstall start 6-3	539
boot autoinstall stop 6-3	539
boot system 6-5	539
bootfile 6-45	539
bootpdhcprelay cidoptmode 4-25	539
bootpdhcprelay maxhopcount 4-25	539
bootpdhcprelay minwaittime 4-26	539
bridge aging-time 3-191	540
cablestatus 6-83	540
captive-portal client deauthenticate 9-23	540
captive-portal 9-1	540
capture wrap 6-62	540
class 5-21	540
class-map 5-10	540
class-map rename 5-11	540
classofservice dot1p-mapping 5-2	540
classofservice ip-dscp-mapping 5-2	540
classofservice trust 5-3	540
clear arp-cache 4-5	540
clear arp-switch 4-6	540
clear captive-portal users 9-31	540
clear config 6-27	540
clear counters 6-27	540
clear dot1x statistics 3-63	540
clear host 6-59	540
clear igmpsnooping 6-28	540
clear ip arp inspection statistics 3-137	540
clear ip dhcp binding 6-51	540
clear ip dhcp conflict 6-51	540
clear ip dhcp server statistics 6-51	540
clear ip dhcp snooping binding 3-128	540
clear ip dhcp snooping statistics 3-128	540
clear ip route all 4-13	540
clear isdp counters 3-195	540
clear isdp table 3-195	540
clear lldp remote-data 3-162	540
clear lldp statistics 3-161	540
clear logging buffered 6-27	540
clear mac-addr-table 6-27	540
clear pass 6-28	540
clear port-channel 6-28	540
clear radius statistics 3-63	540
clear traplog 6-28	540
clear vlan 6-28	540
client-identifier 6-41	540
client-name 6-42	540
clock timezone 6-37	540
configuration 7-8	541
configuration (Captive Portal) 9-5	541
conform-color 5-21	541
copy 6-32	541
copy (pre-login banner) 7-73	541
cos-queue min-bandwidth 5-4	541
cos-queue strict 5-4	541
crypto certificate generate 7-19	541
crypto key generate dsa 7-20	541
crypto key generate rsa 7-20	541
debug arp 6-63	541
debug auto-voip 6-63	541
debug clear 6-64	541
debug console 6-64	541
debug dot1x packet 6-65	541
debug igmpsnooping packet 6-65	541
debug igmpsnooping packet receive 6-67	541
debug igmpsnooping packet transmit 6-66	541
debug ip acl 6-68	541
debug ip dvmrp packet 6-68	541
debug ip igmp packet 6-69	541
debug ip mcache packet 6-69	541
debug ip pimdm packet 6-70	541
debug ip pimsm packet 6-71	541
debug ip vrrp 6-71	541
debug ipv6 mcache packet 6-72	541
debug ipv6 mld packet 6-72	541
debug ipv6 pimdm packet 6-73	541
debug ipv6 pimsm packet 6-73	541
debug isdp packet 3-199	541
debug lacp packet 6-74	541
debug mldsnooping packet 6-74	541
debug ospf packet 6-75	541
debug ospfv3 packet 6-77	541
debug ping packet 6-78	541
debug rip packet 6-79	541
debug sflow packet 6-80	541
debug spanning-tree bpdu 6-80	541
debug spanning-tree bpdu receive 6-81	541
debug spanning-tree bpdu transmit 6-82	541
default-router 6-42	542
delete 6-4	542
deleteport (Global Config) 3-91	542
deleteport (Interface Config) 3-91	542
description 3-4	542
diffserv 5-9	542
disconnect 7-28	542
dns-server 6-43	542
domain-name 6-46	542
dos-control all 3-180	542
dos-control firstfrag 3-181	542
dos-control icmp 3-183	542
dos-control icmpfrag 3-189	542
dos-control icmpv4 3-188	542
dos-control icmpv6 3-189	542
dos-control l4port 3-182	542
dos-control sipdip 3-180	542
dos-control smacdmac 3-183	542
dos-control tcpfinurgpsh 3-187	542
dos-control tcpflag 3-182	542
dos-control tcpflagseq 3-185	542
dos-control tcpfrag 3-181	542
dos-control tcpoffset 3-186	542
dos-control tcpport 3-184	542
dos-control tcpsyn 3-186	542
dos-control tcpsynfin 3-187	542
dos-control udpport 3-184	542
dot1x guest-vlan 3-64	542
dot1x initialize 3-64	542
dot1x max-req 3-65	542
dot1x max-users 3-65	542
dot1x port-control 3-66	542
dot1x port-control all 3-66	542
dot1x re-authenticate 3-67	542
dot1x re-authentication 3-67	542
dot1x system-auth-control 3-68	542
dot1x timeout 3-68	542
dot1x unauthenticated-vlan 3-69	542
dot1x user 3-70	542
drop 5-20	542
dvlan-tunnel ethertype 3-45	543
enable (Privileged EXEC access) 7-4	543
enable authentication 7-10	543
enable password 6-29	543
enable 9-1	543
enable (Instance) 9-6	543
encapsulation 4-13	543
ezconfig 7-2	543
filedescr 6-5	543
group 9-8	543
hardware-address 6-43	543
hashing-mode 3-106	543
host 6-44	543
http port 9-2	543
https port 9-2	543
idle-timeout 9-12	543
interface 3-2	543
interface (Captive Portal) 9-13	543
interface lag 3-3	543
interface range 3-2	543
interface vlan 3-3	543
ip access-group 5-41	543
ip access-list 5-39	543
ip access-list rename 5-40	543
ip address 4-9	543
ip arp inspection filter 3-133	543
ip arp inspection limit 3-132	543
ip arp inspection trust 3-132	543
ip arp inspection validate 3-131	543
ip arp inspection vlan 3-130	543
ip arp inspection vlan logging 3-131	543
ip dhcp bootp automatic 6-50	543
ip dhcp conflict logging 6-50	543
ip dhcp excluded-address 6-48	543
ip dhcp ping packets 6-49	543
ip dhcp pool 6-41	543
ip dhcp snooping 3-119	543
ip dhcp snooping binding 3-121	543
ip dhcp snooping database 3-120	543
ip dhcp snooping database write-delay 3-121	543
ip dhcp snooping limit 3-122	544
ip dhcp snooping log-invalid 3-123	544
ip dhcp snooping trust 3-123	544
ip dhcp snooping verify mac-address 3-120	544
ip dhcp snooping vlan 3-119	544
ip domain list 6-56	544
ip domain lookup 6-55	544
ip domain name 6-56	544
ip domain retry 6-58	544
ip domain timeout 6-59	544
ip helper-address 4-28	544
ip helper-address (Global Config) 4-27	544
ip helper-address discard 4-29	544
ip host 6-57	544
ip http authentication 7-23	544
ip http java 7-22	544
ip http secure-port 7-26	544
ip http secure-protocol 7-27	544
ip http secure-server 7-21	544
ip http secure-session hard-timeout 7-25	544
ip http secure-session maxsessions 7-24	544
ip http secure-session soft-timeout 7-25	544
ip http server 7-21	544
ip http session hard-timeout 7-22	544
ip http session maxsessions 7-23	544
ip http session soft-timeout 7-24	544
ip https authentication 7-26	544
ip icmp echo-reply 4-31	544
ip icmp error-interval 4-31	544
ip igmpsnooping unknown-multicast 3-144	544
ip irdp 4-20	544
ip irdp address 4-21	544
ip irdp holdtime 4-21	544
ip irdp maxadvertinterval 4-22	544
ip irdp minadvertinterval 4-22	544
ip irdp preference 4-23	544
ip mtu 4-12	544
ip name server 6-57	544
ip netdirbcast 4-11	544
ip proxy-arp 4-2	544
ip redirects 4-30	545
ip route 4-9	545
ip route default 4-10	545
ip route distance 4-11	545
ip routing 4-8	545
ip ssh 7-16	545
ip ssh protocol 7-17	545
ip ssh server enable 7-17	545
ip telnet server enable 7-11	545
ip unreachables 4-30	545
ip verify binding 3-122	545
ip verify source 3-124	545
ipv6 access-list 5-44	545
ipv6 access-list rename 5-45	545
ipv6 host 6-58	545
ipv6 traffic-filter 5-46	545
isdp advertise-v2 3-194	545
isdp enable 3-195	545
isdp holdtime 3-194	545
isdp run 3-193	545
isdp timer 3-194	545
key 7-69	545
lacp actor admin 3-93	545
lacp actor admin key 3-93	545
lacp actor admin state individual 3-94	545
lacp actor admin state longtimeout 3-94	545
lacp actor admin state passive 3-95	545
lacp actor port priority 3-96	545
lacp actor system priority 3-96	545
lacp admin key 3-92	545
lacp collector max-delay 3-92	545
lacp partner admin key 3-97	545
lacp partner admin state individual 3-97	545
lacp partner admin state longtimeout 3-98	545
lacp partner admin state passive 3-99	545
lacp partner port id 3-99	545
lacp partner port priority 3-100	545
lacp partner system id 3-101	545
lacp partner system priority 3-101	545
lease 6-44	545
line 7-8	546
lldp med 3-168	546
lldp med all 3-170	546
lldp med confignotification 3-169	546
lldp med confignotification all 3-170	546
lldp med faststartrepeatcount 3-171	546
lldp med transmit-tlv 3-169	546
lldp med transmit-tlv all 3-171	546
lldp notification 3-160	546
lldp notification-interval 3-161	546
lldp receive 3-158	546
lldp timers 3-158	546
lldp transmit 3-158	546
lldp transmit-mgmt 3-160	546
lldp transmit-tlv 3-159	546
locale 9-13	546
logging buffered 6-18	546
logging buffered wrap 6-19	546
logging cli-command 6-19	546
logging console 6-20	546
logging host 6-20	546
logging host remove 6-21	546
logging persistent 6-24	546
logging syslog 6-21	546
login authentication 7-9	546
logout 6-29	546
mac access-group 5-35	546
mac access-list extended 5-33	546
mac access-list extended rename 5-33	546
macfilter 3-114	546
macfilter adddest 3-115	546
macfilter adddest all 3-116	546
macfilter addsrc 3-117	546
macfilter addsrc all 3-117	546
mark cos 5-22	546
mark ip-precedence 5-23	546
match any 5-12	546
match class-map 5-12	546
match cos 5-13	546
match destination-address mac 5-14	546
match dstip 5-14	547
match dstip6 5-15	547
match dstl4port 5-15	547
match ethertype 5-12	547
match ip dscp 5-15	547
match ip precedence 5-16	547
match ip tos 5-16	547
match ip6flowlbl 5-14	547
match protocol 5-17	547
match source-address mac 5-18	547
match srcip 5-18	547
match srcip6 5-18	547
match srcl4port 5-18	547
max-bandwidth-down 9-9	547
max-bandwidth-up 9-9	547
max-input-octets 9-10	547
max-output-octets 9-11	547
max-total-octets 9-11	547
member 2-2	547
mirror 5-20	547
mode dot1q-tunnel 3-45	547
mode dvlan-tunnel 3-46	547
monitor session 3-112	547
movemanagement 2-3	547
mtu 3-5	547
name 9-6	547
netbios-name-server 6-46	547
netbios-node-type 6-47	547
network (DHCP Pool Config) 6-45	547
network javamode 7-6	547
network mac-address 7-5	547
network mac-type 7-5	547
network mgmt_vlan 3-30	547
network parms 7-4	547
network protocol 7-5	547
next-server 6-47	547
no monitor 3-113	547
option 6-48	547
passwords aging 7-35	547
passwords history 7-35	547
passwords lock-out 7-36	548
passwords min-length 7-34	548
permit ip host mac host 3-134	548
ping 6-29	548
police-simple 5-23	548
policy-map 5-24	548
policy-map rename 5-25	548
port 7-69	548
port lacpmode 3-103	548
port lacpmode enable all 3-103	548
port lacptimeout (Global Config) 3-104	548
port lacptimeout (Interface Config) 3-104	548
port-channel 3-90	548
port-channel adminmode 3-105	548
port-channel linktrap 3-105	548
port-channel load-balance 3-106	548
port-channel name 3-108	548
port-channel static 3-102	548
port-channel system priority 3-108	548
port-security 3-154	548
port-security mac-address 3-155	548
port-security mac-address move 3-156	548
port-security max-dynamic 3-154	548
port-security max-static 3-155	548
priority 7-70	548
private-group name 3-54	548

Match case Limit results 1 per page

Managed Switch CLI Manual, Release 8.0

Quality of Service (QoS) Commands

5-38

v1.0, July 2009

IP Extended ACL:

Format

access-list

<100-199> {deny | permit} {every | {{icmp | igmp | ip |

tcp | udp | <number>} <srcip> <srcmask>[{eq {<portkey> | <0-65535>}

<dstip> <dstmask> [{eq {<portkey>| <0-65535>}] [precedence

<precedence> | tos <tos> <tosmask> | dscp <dscp>] [log] [assign-queue

<queue-id>] [{mirror | redirect} <unit/slot/port>]

Mode

Global Config

Parameter

Description

<1-99>

<100-199>

Range 1 to 99 is the access list number for an IP standard ACL.

Range 100 to 199 is the access list number for an IP extended ACL.

{deny | permit}

Specifies whether the IP ACL rule permits or denies an action.

every

Match every packet

{icmp | igmp | ip | tcp | udp

| <number>}

Specifies the protocol to filter for an extended IP ACL rule.

Specifies a source IP address and source netmask for match

condition of the IP ACL rule.

[{eq {<portkey> |

<0-65535>}]

Specifies the source layer 4 port match condition for the IP ACL rule.

You can use the port number, which ranges from 0-65535, or you

specify the

, which can be one of the following keywords:

domain, echo, ftp, ftpdata, http, smtp, snmp,

telnet, tftp

, and

www

. Each of these keywords translates into its

equivalent port number, which is used as both the start and end of a

port range.

Specifies a destination IP address and netmask for match condition

of the IP ACL rule.

[precedence <precedence> |

tos <tos> <tosmask> | dscp

<dscp>]

Specifies the TOS for an IP ACL rule depending on a match of

precedence or DSCP values using the parameters

dscp

precedence

tos/tosmask

[log]

Specifies that this rule is to be logged.

[assign-queue <queue-id>]

Specifies the assign-queue, which is the queue identifier to which

packets matching this rule are assigned.

[{mirror | redirect} <unit/

slot/port>]

Specifies the mirror or redirect interface which is the unit/slot/port to

which packets matching this rule are copied or forwarded,

respectively. The

mirror

and

redirect

parameters are not

available on the GSM7328Sv1 and GSM7352Sv1 platforms.