80 ACL Commands

User Guidelines
• Use the ip access-list Global Configuration mode command to enable the IP-Access List Configuration mode.
• Before an Access Control Element (ACE) is added to an ACL, all packets are permitted. After an ACE is added, an implied deny-any-any condition exists at the end of the list and those packets that do not match the defined conditions are denied.

Example
The following example shows how to define a permit statement for an IP ACL.

Console(config)# ip access-list ip-acl1
Console(config-ip-al)# deny rsvp 192.1.1.1 0.0.0.255 any

permit (MAC)
The permit MAC-Access List Configuration mode command defines permit conditions of a MAC ACL.

Syntax
• permit {any | {host source source-wildcard} any | {destination destination-wildcard}} [vlan vlan-id] [cos cos cos-wildcard] [ethtype eth-type] [inner-vlan vlan-id]
• source — Specifies the source MAC address of the packet.
• source-wildcard — Specifies wildcard bits to be applied to the source MAC address by placing 1s in bit positions to be ignored.
• any — Specify a MAC address and mask. For example, to set 00:00:00:00:10:XX use the MAC address 00:00:00:00:10:00 and mask 00:00:00:00:00:FF.
• destination — Specifies the MAC address of the host to which the packet is being sent.
• destination-wildcard — Specifies wildcard bits to be applied to the destination MAC address by placing 1s in bit positions to be ignored.
• vlan-id — Specifies the ID of the packet VLAN. (Range: 1 - 4094)
• cos — Specifies the Class of Service (CoS) for the packet. (Range: 0 - 7)
• cos-wildcard — Specifies wildcard bits to be applied to the CoS.
• eth-type — Specifies the Ethernet type of the packet in hexadecimal format. (Range: 0 - 05dd-ffff)
• inner-vlan vlan-id — Specifies the inner VLAN ID of a double-tagged packet.

5400_CLI.book Page 80 Wednesday, December 17, 2008 4:33 PM
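
Added example (not part of the guide and not switch firmware code): a small Python model of the two behaviours described above, wildcard bits where a 1 means "ignore this bit position" and the implied deny-any-any that appears once an ACL holds at least one ACE. The names mac_to_int, wildcard_match, Ace and evaluate are hypothetical, the sample addresses are constructed, and first-match-wins ordering is an assumption the guide does not state.

```python
from dataclasses import dataclass

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit mask


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' into a 48-bit integer."""
    raw = bytes.fromhex(mac.replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int.from_bytes(raw, "big")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base in every bit the wildcard leaves unmasked.

    A 1 bit in the wildcard marks a bit position to be ignored.
    """
    care = ~mac_to_int(wildcard) & MAC_BITS
    return (mac_to_int(addr) & care) == (mac_to_int(base) & care)


@dataclass
class Ace:
    action: str                                # "permit" or "deny"
    src: str
    src_wildcard: str
    dst: str = "00:00:00:00:00:00"
    dst_wildcard: str = "ff:ff:ff:ff:ff:ff"    # all ones: any destination


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for one packet.

    An ACL with no ACEs permits everything. Once any ACE exists, a packet
    that matches none of them falls through to the implied deny-any-any.
    Assumption: ACEs are checked in order and the first match decides.
    """
    if not acl:
        return "permit"
    for ace in acl:
        if (wildcard_match(src, ace.src, ace.src_wildcard)
                and wildcard_match(dst, ace.dst, ace.dst_wildcard)):
            return ace.action
    return "deny"  # implied deny-any-any


# Constructed sample: permit sources 00:00:00:00:10:XX to any destination.
SAMPLE_ACL = [Ace("permit", "00:00:00:00:10:00", "00:00:00:00:00:ff")]
```

Under this model an ACL holding only a single deny ACE blocks every packet, because unmatched traffic reaches the implied deny; a trailing permit for the remaining traffic has to be added explicitly.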