BigIron RX Series Configuration Guide 523
53-1001986-01
Configuring numbered and named ACLs 21

Parameters to bind standard ACLs to an interface

Use the ip access-group command to bind the ACL to an inbound interface and enter the ACL number for .

Configuring extended numbered ACLs

This section describes how to configure extended numbered ACLs.

• For configuration information on named ACLs, refer to “Configuring numbered and named ACLs” on page 521.
• For configuration information on standard ACLs, refer to “Configuring standard numbered ACLs” on page 521.

Extended ACLs let you permit or deny packets based on the following information:

• IP protocol
• Source IP address or host name
• Destination IP address or host name
• Source TCP or UDP port (if the IP protocol is TCP or UDP)

Specifies the portion of the source IP host address to match against. The is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the. Ones mean any value matches. For example, the and values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C subnet 209.157.22.x match the policy.

If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”. The CLI automatically converts the CIDR number into the appropriate ACL mask (where zeros instead of ones are the significant bits) and changes the non-significant portion of the IP address into zeros. For example, if you specify 209.157.22.26/24 or 209.157.22.26 0.0.0.255, then save the changes to the startup-config file, the value appears as 209.157.22.0/24 (if you have enabled display of subnet lengths) or 209.157.22.0 0.0.0.255 in the startup-config file.

If you enable the software to display IP subnet masks in CIDR format, the mask is saved in the file in “/” format. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.

NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with subnet mask in the display produced by the show access-list command.

host |    Specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.

any    Use this parameter to configure the policy to match on all host addresses.

log    Configures the device to generate Syslog entries and SNMP traps for packets that are denied by the access policy. If you use the log argument, the ACL entry is sent to the CPU for processing. Refer to “ACL logging” on page 547 for more information.

You can enable logging on ACLs that support logging even when the ACLs are already in use. To do so, re-enter the ACL command and add the log parameter to the end of the ACL entry. The software replaces the ACL command with the new one. The new ACL, with logging enabled, takes effect immediately.
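The wildcard-mask, CIDR, host and any forms described above can be checked offline when auditing which sources an ACL entry really covers. The following Python sketch is an added example, not code from the guide or the device software; the function names parse_source, saved_form and matches are hypothetical, and it assumes IPv4 addresses only (host names are not resolved).

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def to_dotted(value):
    return str(ipaddress.IPv4Address(value))

def parse_source(spec):
    """Return (address, wildcard) as integers for one source specification.

    Forms handled: "A.B.C.D W.X.Y.Z", "A.B.C.D/N", "host A.B.C.D", "any".
    Host names are not resolved in this sketch (assumption: addresses only).
    """
    parts = spec.split()
    if parts == ["any"]:
        addr, wild = 0, ALL_ONES                 # every bit matches any value
    elif len(parts) == 2 and parts[0] == "host":
        addr, wild = to_int(parts[1]), 0         # implied mask 0.0.0.0
    elif len(parts) == 1 and "/" in parts[0]:
        ip, bits = parts[0].split("/")
        if not 0 <= int(bits) <= 32:
            raise ValueError(f"bad prefix length in {spec!r}")
        addr, wild = to_int(ip), ALL_ONES >> int(bits)   # /24 -> 0.0.0.255
    elif len(parts) == 2:
        addr, wild = to_int(parts[0]), to_int(parts[1])
    else:
        raise ValueError(f"unrecognised source specification {spec!r}")
    # Zero the non-significant (wildcard bit = 1) portion of the address.
    return addr & ~wild & ALL_ONES, wild

def saved_form(spec, cidr_display=False):
    """Render an address entry in the normalized form the text describes."""
    addr, wild = parse_source(spec)
    contiguous = (wild & (wild + 1)) == 0        # ones only in the low bits
    if cidr_display and contiguous:
        return f"{to_dotted(addr)}/{32 - wild.bit_length()}"
    return f"{to_dotted(addr)} {to_dotted(wild)}"

def matches(packet_src, spec):
    """True when every bit whose wildcard bit is 0 equals the entry's bit."""
    addr, wild = parse_source(spec)
    return (to_int(packet_src) & ~wild & ALL_ONES) == addr

if __name__ == "__main__":
    # Values taken from the example in the text.
    for spec in ("209.157.22.26/24", "209.157.22.26 0.0.0.255"):
        print(spec, "->", saved_form(spec), "|", saved_form(spec, True))
    print(matches("209.157.22.200", "209.157.22.26/24"))
```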