534 BigIron RX Series Configuration Guide 53-1001986-01 Configuring numbered and named ACLs 21

Syntax: [no] ip access-group in

The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in “Configuring extended numbered ACLs” on page 523.

Configuring super ACLs

This section describes how to configure super ACLs with numeric IDs.

• For configuration information on named ACLs, refer to “Configuring standard or extended named ACLs” on page 531.
• For configuration information on extended ACLs, refer to “Configuring extended numbered ACLs” on page 523.
• Egress super ACLs are not supported on the RX-BI-16XG (16 x 10 GE) modules.

Super ACLs can match on fields in a Layer 2 or Layer 4 packet header. You can configure up to 99 super ACLs, using the number range 500 - 599. For the number of ACL entries supported on a BigIron RX, refer to “ACL IDs and entries” on page 517.

Super ACL syntax is keyword-based. You specify the conditions to match as keyword-value pairs. Each keyword-value pair (called a “match-item”) specifies a field in the packet header (L2, L3 or L4) to be checked, and gives the allowable value for this field. Fields not specified are called “don’t care” fields, and are considered to be matched. The match-items may be specified in any order with one exception: because of its variable length, tcp-flags must be specified as the last item in a filter.
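
The match rule described above, modelled as an added example (not code from this guide or from the vendor): a filter matches a packet when every match-item it names matches, and fields it does not name are "don't care". The dictionary layout, the function names, the constructed packets and the reading of the MAC mask (a set bit means "compare this bit") are assumptions made for the illustration; the match-items are those of this section's filter examples.

```python
import ipaddress

def mac_int(mac):
    """Dotted-hex MAC (0000.0000.0011) as an integer."""
    return int(mac.replace(".", ""), 16)

def mac_match(value, want):
    # Assumption: a set mask bit means "compare this bit",
    # so ffff.ffff.ffff is an exact match.
    addr, mask = want
    return (mac_int(value) & mac_int(mask)) == (mac_int(addr) & mac_int(mask))

def sip_match(value, want):
    return ipaddress.ip_address(value) in ipaddress.ip_network(want)

# One checker per match-item keyword used in this model.
CHECKS = {
    "ip-protocol": lambda value, want: value == want,
    "src-mac": mac_match,
    "sip": sip_match,
}

def filter_matches(match_items, pkt):
    """True when every specified match-item matches the packet.
    Fields the filter does not name are "don't care"."""
    return all(CHECKS[k](pkt[k], want) for k, want in match_items.items())

# Match-items of the three filters in this section (action omitted).
FILTERS = {
    "ip-protocol tcp": {"ip-protocol": "tcp"},
    "src-mac + sip": {"src-mac": ("0000.0000.0011", "ffff.ffff.ffff"),
                      "sip": "30.30.30.0/24"},
    "any": {},  # no match-items: every field is "don't care"
}

# Constructed IPv4 packets (sample data, not captured traffic).
PACKETS = {
    "A": {"src-mac": "0000.0000.0011", "sip": "30.30.30.77", "ip-protocol": "tcp"},
    "B": {"src-mac": "0000.0000.0011", "sip": "30.30.31.1", "ip-protocol": "udp"},
    "C": {"src-mac": "0000.0000.0022", "sip": "30.30.30.5", "ip-protocol": "tcp"},
}

def coverage():
    """Map each filter to the sorted names of the packets it matches."""
    return {name: sorted(p for p, pkt in PACKETS.items() if filter_matches(items, pkt))
            for name, items in FILTERS.items()}

if __name__ == "__main__":
    for name, hit in coverage().items():
        print(f"{name:16} matches {hit}")
```

Running the model shows how much a short filter covers: the single match-item `ip-protocol tcp` hits packets A and C regardless of their addresses, while the two-item filter hits only A.
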
The complete syntax of super ACLs is described in the next section.

NOTE
Super ACLs are not supported on management interfaces or as outbound ACLs on RX-BI-16XG (16 x 10GE) interfaces.

Super ACL filters

Some super ACL filters are shown in the following examples.

The following filter denies IPv4 TCP packets.

BigIron RX(config)#access-list 500 deny ip-protocol tcp

The following filter denies any packet with a source MAC address of 0000.0000.0011 and a source IP address from 30.30.30.0 to 30.30.30.255.

BigIron RX(config)#access-list 500 deny src-mac 0000.0000.0011 ffff.ffff.ffff sip 30.30.30.0/24

The following filter denies any IPv4 packet passing through the interface.

BigIron RX(config)#access-list 500 deny any

Super ACL syntax

Syntax: [no] access-list deny | permit |any |log |src-mac |dst-mac |