Command:

access-list (IP extended)


Mode:

Router(config)#


Syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input]

no access-list access-list-number

Internet Control Message Protocol (ICMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [log | log-input]

Internet Group Management Protocol (IGMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input]

TCP

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log | log-input]

User Datagram Protocol (UDP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log | log-input]


 

Caution: Enhancements to this command are backward compatible. Migrating from releases prior to Release 11.1 converts access lists automatically. However, releases prior to Release 11.1 are not upwardly compatible with these enhancements. If an access list is saved with these images and then used on software prior to Release 11.1, the resulting access list will not be interpreted correctly, which could cause severe security problems. Save the old configuration file before booting these images.

 


Syntax Description:

access-list-number

Number of an access list. For an extended IP access list this is a decimal number from 100 to 199 (or from 2000 to 2699 in releases that support the expanded range). The range 1 to 99 belongs to standard IP access lists and 1000 to 1099 to IPX SAP filters; neither is accepted by this command.

dynamic dynamic-name

(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.
  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

 

source-wildcard

Wildcard bits to be applied to source. Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IP address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IP address will be considered a match to this access list entry.

There are three alternative ways to specify the source wildcard:

 

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions to be ignored. For example, 0.0.255.255 to require an exact match of only the first 16 bits of the source.
  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

 

Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
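
As an added example (not part of the Cisco page), the wildcard rule above written out in Python: wildcard_match applies it bit for bit, cidr_to_wildcard derives a wildcard from a prefix length, and the demonstration at the bottom shows the common mistake of typing a subnet mask where a wildcard belongs, plus the non-contiguous 0.255.0.64 case from the text. The function names and the sample addresses are this example's own, not from the page.

```python
# Added example: IOS wildcard semantics. Assumes only the rule stated in the
# reference text: a wildcard bit of 0 means "compare this bit", 1 means "ignore".
import ipaddress


def _to_int(dotted: str) -> int:
    """Dotted-decimal string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr: str, acl_addr: str, wildcard: str) -> bool:
    """True if packet_addr matches acl_addr under the given wildcard.

    The wildcard need not be contiguous: every 0 bit is compared,
    every 1 bit is ignored, wherever it sits in the 32 bits.
    """
    care = ~_to_int(wildcard) & 0xFFFFFFFF            # 1 = compare this bit
    return (_to_int(packet_addr) & care) == (_to_int(acl_addr) & care)


def cidr_to_wildcard(prefix: str) -> tuple:
    """'128.88.0.0/16' -> ('128.88.0.0', '0.0.255.255')."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    # For a contiguous prefix the wildcard is exactly the inverted netmask.
    return str(net.network_address), str(net.hostmask)


def subnet_mask_to_wildcard(mask: str) -> str:
    """Invert a contiguous subnet mask, e.g. 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~_to_int(mask) & 0xFFFFFFFF))


if __name__ == "__main__":
    # Intended: match 10.0.0.0/8. Correct wildcard is 0.255.255.255.
    print(wildcard_match("10.1.2.3", "10.0.0.0", "0.255.255.255"))   # True
    # The classic mistake: a subnet mask typed where a wildcard belongs.
    # 255.0.0.0 IGNORES the first octet and requires the last three to be 0.0.0,
    # so 10.1.2.3 does not match but 192.0.0.0 does.
    print(wildcard_match("10.1.2.3", "10.0.0.0", "255.0.0.0"))       # False
    print(wildcard_match("192.0.0.0", "10.0.0.0", "255.0.0.0"))      # True
    # Non-contiguous wildcard from the text: 0.255.0.64 ignores the whole
    # second octet and bit 0x40 of the fourth octet, nothing else.
    print(wildcard_match("172.200.5.66", "172.16.5.2", "0.255.0.64"))  # True
    print(wildcard_match("172.200.6.66", "172.16.5.2", "0.255.0.64"))  # False
```

When reviewing an access list, run each source/wildcard pair through wildcard_match with an address you expect to match and one you expect not to; a wildcard that looks like a subnet mask (255 in the high octets, 0 in the low ones) almost always signals an inverted entry.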

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

 

  • Use a 32-bit quantity in four-part, dotted-decimal format.
  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

 

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

 

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions to be ignored.
  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

 

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines"; TCP port names can only be used when filtering TCP, and UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only. Indicates an established connection. A match occurs if the TCP segment has the ACK or RST bit set; the nonmatching case is the initial SYN segment that opens a connection. The router checks only the flag bits and keeps no connection state, so any segment with ACK or RST set matches whether or not a connection exists; a remote host can craft such segments to reach addresses and ports behind the entry (for example, to probe which inside hosts respond).

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

log-input

(Optional) Log matches against this entry, including input interface.

 


Command Description:

To define an extended IP access list, use the extended version of the access-list global configuration command. Access lists can be used to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates. Entries are evaluated in the order they were entered, and the Cisco IOS software stops checking the extended access list after the first match. A packet that matches no entry is dropped by the implicit deny at the end of every access list, so a list needs at least one permit entry to pass any traffic.

Fragmented IP packets other than the initial fragment carry no transport header and are immediately accepted by any extended IP access list, so an entry that denies a port, TCP flag, or ICMP type does not stop them. Extended access lists used to control virtual terminal line access or restrict the contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.


 

Note: After an access list is created, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. Access list command lines cannot be selectively added to or removed from a specific position in the list; to change or delete one entry, remove the whole list with no access-list access-list-number and re-enter it in the desired order.


The following is a list of precedence names (the precedence value each name selects is in parentheses):

  • routine (0)
  • priority (1)
  • immediate (2)
  • flash (3)
  • flash-override (4)
  • critical (5)
  • internet (6)
  • network (7)

The following is a list of type of service (TOS) names (the TOS value each name selects is in parentheses):

  • normal (0)
  • min-monetary-cost (1)
  • max-reliability (2)
  • max-throughput (4)
  • min-delay (8)

ICMP message type names and ICMP message type and code names can be used in place of the numeric icmp-type and icmp-code values. The names accepted by the running image can be listed by typing a ? in the place of the ICMP type.

IGMP message names can be used in place of the numeric igmp-type value. The names accepted by the running image can be listed by typing a ? in the place of the IGMP type.

TCP port names can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. The names accepted by the running image and their port numbers can also be found by typing a ? in the place of a port number.

UDP port names can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. The names accepted by the running image and their port numbers can also be found by typing a ? in the place of a port number.

 


Examples:

In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection: a match occurs if the TCP segment has the ACK or RST bit set, which the router takes to mean that the packet belongs to an existing connection. The second entry admits new connections only to TCP port 25 on the mail host; any other inbound packet on serial 0 falls through to the implicit deny at the end of the list.

Router(config)#access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
Router(config)#access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
Router(config)#interface serial 0
Router(config-if)#ip access-group 102 in
 

The following example also permits Domain Name System (DNS) packets over TCP and UDP port 53 (the port name domain) and ICMP echo and echo-reply packets:

Router(config)#access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
Router(config)#access-list 102 permit tcp any host 128.88.1.2 eq smtp
Router(config)#access-list 102 permit tcp any any eq domain
Router(config)#access-list 102 permit udp any any eq domain
Router(config)#access-list 102 permit icmp any any echo
Router(config)#access-list 102 permit icmp any any echo-reply
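
The evaluator below is an added example, not code from the Cisco page. It parses the subset of the syntax used in access list 102 above (the protocols ip, tcp, udp and icmp; any, host, or address and wildcard; eq with a port number or one of a few port names; established; and the ICMP names echo and echo-reply) and applies the matching rules the reference describes: the first matching entry decides, a packet that matches nothing falls to the implicit deny, and established tests only the ACK and RST bits. It generalizes to any list written in that subset, not just the one on the page. The Packet class, the port and ICMP name tables, and the sample packets are constructed for this example and are not the IOS tables.

```python
# Added example: first-match evaluation of an extended IP access list, with the
# 'established' flag test and the implicit deny. Supported syntax is a subset
# of the real command (an assumption of this example).
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Optional

# Constructed subsets of the IOS name tables; the real command accepts many more.
PORT_NAMES = {"smtp": 25, "domain": 53, "telnet": 23, "www": 80}
ICMP_NAMES = {"echo": (8, 0), "echo-reply": (0, 0)}


@dataclass
class Packet:
    proto: str                               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)  # TCP flags, e.g. {"SYN"} or {"ACK"}
    icmp_type: int = 0
    icmp_code: int = 0


Entry = namedtuple("Entry", "action proto src src_wc sport dst dst_wc dport established icmp")


def _addr(tokens: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of tokens."""
    t = tokens.pop(0)
    if t == "any":
        return "0.0.0.0", "255.255.255.255"
    if t == "host":
        return tokens.pop(0), "0.0.0.0"
    return t, tokens.pop(0)


def _port(tokens: list) -> Optional[int]:
    """Consume an optional 'eq PORT' (number or name); other operators are out of scope here."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N {permit|deny} PROTO SRC [eq P] DST [eq P] [established | ICMP-NAME]'."""
    tok = line.split()
    assert tok[0] == "access-list", line
    action, proto, rest = tok[2], tok[3], tok[4:]
    src, src_wc = _addr(rest)
    sport = _port(rest) if proto in ("tcp", "udp") else None
    dst, dst_wc = _addr(rest)
    dport = _port(rest) if proto in ("tcp", "udp") else None
    established = proto == "tcp" and "established" in rest
    icmp = ICMP_NAMES.get(rest[0]) if proto == "icmp" and rest else None
    return Entry(action, proto, src, src_wc, sport, dst, dst_wc, dport, established, icmp)


def _wc_match(addr: str, base: str, wc: str) -> bool:
    """Wildcard compare: bits where the wildcard is 0 must match, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_wc_match(p.src, e.src, e.src_wc) and _wc_match(p.dst, e.dst, e.dst_wc)):
        return False
    if e.sport is not None and p.sport != e.sport:
        return False
    if e.dport is not None and p.dport != e.dport:
        return False
    # 'established' is a per-packet flag test, not a session lookup: ACK or RST set is enough.
    if e.established and not (p.flags & {"ACK", "RST"}):
        return False
    if e.icmp is not None and (p.icmp_type, p.icmp_code) != e.icmp:
        return False
    return True


def evaluate(acl: list, p: Packet) -> str:
    """The first matching entry decides; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


# Access list 102 from the second example above, as parsed by this evaluator.
ACL_102 = [parse_entry(line) for line in [
    "access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established",
    "access-list 102 permit tcp any host 128.88.1.2 eq smtp",
    "access-list 102 permit tcp any any eq domain",
    "access-list 102 permit udp any any eq domain",
    "access-list 102 permit icmp any any echo",
    "access-list 102 permit icmp any any echo-reply",
]]

if __name__ == "__main__":
    # Constructed probes from an outside host towards an inside host's telnet port.
    syn = Packet("tcp", "203.0.113.9", "128.88.7.7", 40000, 23, {"SYN"})  # new connection
    ack = Packet("tcp", "203.0.113.9", "128.88.7.7", 40000, 23, {"ACK"})  # crafted, no session
    print("SYN to telnet:", evaluate(ACL_102, syn))   # deny (implicit deny)
    print("ACK to telnet:", evaluate(ACL_102, ack))   # permit (established matches the flag)
```

The two probes at the bottom are the point of the exercise: the SYN that would open a telnet session is stopped by the implicit deny, but the same packet with only ACK set is admitted by the first entry, because established looks at flag bits rather than at any record of a connection.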
 

The following examples show how wildcard bits are used to indicate which bits of a route's prefix or mask are relevant when an extended access list restricts the contents of routing updates (for example, when it is applied with the distribute-list command). In that use the source address and source-wildcard are compared against the route's prefix, and the destination address and destination-wildcard against the route's mask; the wildcards work exactly as they do for packet addresses. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons, and prefix/mask bits corresponding to wildcard bits set to 0 are used in the comparison.

In the following example, permit 192.108.0.0 255.255.0.0 but deny any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):

Router(config)#access-list 101 permit ip 192.108.0.0  0.0.0.0   255.255.0.0  0.0.0.0
Router(config)#access-list 101 deny ip 192.108.0.0  0.0.255.255  255.255.0.0  0.0.255.255
 

In the following example, permit 131.108.0.0 255.255.255.0 but deny 131.108.0.0 255.255.0.0 and all other subnets of 131.108.0.0:

Router(config)#access-list 101 permit ip 131.108.0.0  0.0.0.0  255.255.255.0  0.0.0.0
Router(config)#access-list 101 deny ip 131.108.0.0  0.0.255.255  255.255.0.0  0.0.255.255
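
As an added example (not from the Cisco page), the two lists above evaluated the way a routing-update filter reads them: the source address and wildcard are compared with each route's prefix, the destination address and wildcard with its mask, and the first entry whose two conditions both hold decides. The functions parse_route_entry, route_decision and filter_routes and the list of candidate routes are constructed for this example.

```python
# Added example: an extended access list used as a route filter. Assumes the
# prefix-in-source, mask-in-destination reading described in the text above.
import ipaddress


def _match(value: str, base: str, wildcard: str) -> bool:
    """Wildcard compare: 0 bits must match, 1 bits are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(value)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def parse_route_entry(line: str) -> tuple:
    """'access-list N {permit|deny} ip PREFIX PWILD MASK MWILD' -> (action, PREFIX, PWILD, MASK, MWILD)."""
    t = line.split()
    assert t[0] == "access-list" and t[3] == "ip", line
    return (t[2], t[4], t[5], t[6], t[7])


def route_decision(acl: list, prefix: str, mask: str) -> str:
    """First entry whose prefix and mask conditions both match decides;
    a route that matches nothing is dropped by the implicit deny."""
    for action, p, pw, m, mw in acl:
        if _match(prefix, p, pw) and _match(mask, m, mw):
            return action
    return "deny"


def filter_routes(acl_lines: list, routes: list) -> dict:
    """Map 'prefix mask' -> permit/deny for each (prefix, mask) route."""
    acl = [parse_route_entry(line) for line in acl_lines]
    return {f"{p} {m}": route_decision(acl, p, m) for p, m in routes}


# The two lists from the page (the Router(config)# prompt removed).
ACL_192 = [
    "access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0",
    "access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255",
]
ACL_131 = [
    "access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0",
    "access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255",
]

if __name__ == "__main__":
    # Constructed routes: the aggregate, the /24 with the same prefix, another
    # subnet, and an unrelated network that only the implicit deny catches.
    routes = [("192.108.0.0", "255.255.0.0"), ("192.108.0.0", "255.255.255.0"),
              ("192.108.5.0", "255.255.255.0"), ("10.0.0.0", "255.0.0.0")]
    for route, verdict in filter_routes(ACL_192, routes).items():
        print(f"{route:28} -> {verdict}")
```

Note that the deny entries use a 0.0.255.255 wildcard on the mask as well as on the prefix, so they cover every mask of the form 255.255.x.x; the more specific routes the text mentions are caught by that, while the implicit deny takes care of anything outside 192.108.0.0 or 131.108.0.0.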


Misconceptions:

 

None


Related Commands:

access-list
access-list (IPX standard)
access-list (IPX extended)
ip access-group

 


© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
