Command:

access-list (IP)


Mode:

Router(config)#


Syntax:

IP standard access-list: access-list access-list-number {deny | permit | remark line} source [source-wildcard] [log]

IP extended access-list: access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit | remark line} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range name]

TCP extended access-list: access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit | remark line} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range name]

UDP extended access-list: access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit | remark line} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log | log-input] [time-range name]

ICMP extended access-list: access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit | remark line} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log | log-input] [time-range name]

IGMP extended access-list: access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit | remark line} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [time-range name]

To remove an entire access list: no access-list access-list-number


Syntax Description:

access-list-number

Number of the access list. This is a decimal number from 1 to 99 or from 1300 to 1999 for an IP standard list, and from 100 to 199 or from 2000 to 2699 for an IP extended list. The number also fixes the list type: a standard list filters on source address only, an extended list on protocol, source, destination and the protocol-specific fields (ports, ICMP types, flags) described below.

dynamic dynamic-name

(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

It can be one of the keywords ahp, eigrp, esp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pcp, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

         Use a 32-bit quantity in four-part, dotted-decimal format.

         Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

         Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IP address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that either a zero bit or a one bit in the corresponding position of the packet's IP address is considered a match to this access list entry. Note that this is the inverse of a subnet mask: for a contiguous block the wildcard is the subnet mask with every bit flipped (for example, /24 is wildcard 0.0.0.255, not 255.255.255.0). Entering a subnet mask where a wildcard is expected is a common mistake and typically results in an entry that matches far more addresses than intended.

There are three alternative ways to specify the source wildcard:

         Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions to be ignored. For example, 0.0.255.255 to require an exact match of only the first 16 bits of the source.

         Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

         Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

         Use a 32-bit quantity in four-part, dotted-decimal format.

         Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

         Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

         Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions to be ignored.

         Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

         Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name. The IP precedence is the three leftmost bits in the TOS octet of an IP header (as defined in RFCs 1349, 1812, 2474 & 2873). This may be set using the route map or policy map command set ip precedence. The precedence names are shown in the Command Usage section.

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name. The TOS Field is bits 3-6 in the TOS octet of IPv4 header [RFC 1349].

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255. The type is carried in the first byte of the ICMP datagram and is defined in RFC 792.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255. The code is carried in the second byte of the ICMP datagram and is defined in RFC 792.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type or igmp-message

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines" and can only be used when filtering TCP; UDP port names are likewise listed there and can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: indicates an established connection. A match occurs if the TCP segment has the ACK or RST bit set; the nonmatching case is the initial SYN segment that opens a connection. The test is stateless: the router inspects only the flag bits of each packet and keeps no connection table, so a crafted packet with ACK set (for example, an ACK scan) satisfies the entry even though no connection exists. Use established to admit return traffic of connections opened from the inside, not as a substitute for a stateful firewall.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

log-input

(Optional) Includes the input interface and source MAC address or VC in the logging output.

 

Command Description:

To define an IP access list, use the access-list global configuration command. To remove an access list, use the no form of this command. Plan the access conditions carefully and be aware of the implicit "deny all" statement at the end of every access list: a packet that matches no entry is dropped. Entries are evaluated in order and the first match decides, so broad entries placed early shadow more specific ones that follow. Access lists can be used to control the transmission of packets on an interface (with ip access-group), control virtual terminal line access, and restrict the contents of routing updates.

Usage Guidelines

Note After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, entries cannot be selectively inserted into or removed from a specific numbered access list: the no form removes the whole list, and an entry appended after a broader matching entry never takes effect. To change an entry in the middle of a numbered list, remove the list and re-enter it in the intended order (or use a named access list, which supports per-entry editing). Remove the list from the interface with no ip access-group first if the router must not run with an empty list applied.

The following is a list of precedence names (with the numeric value each stands for):

critical (5)
flash (3)
flash-override (4)
immediate (2)
internet (6)
network (7)
priority (1)
routine (0)


The following is a list of type of service (TOS) names (with the numeric value each stands for):

max-reliability (2)
max-throughput (4)
min-delay (8)
min-monetary-cost (1)
normal (0)


The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

bgp
chargen
daytime
discard
domain
echo
finger
ftp
ftp-data
gopher
hostname
irc
klogin
kshell
lpd
nntp
pop2
pop3
smtp
sunrpc
syslog
tacacs-ds
talk
telnet
time
uucp
whois
www

Example:

The following example creates standard IP access list 1, which permits all traffic whose source address is in 171.0.0.0/16 (the wildcard 0.0.255.255 requires an exact match of the first 16 bits only):

Router(config)# access-list 1 permit 171.0.0.0 0.0.255.255

The following IP standard access control list command defines an entry in access list 1 that permits all IP traffic from host 192.168.4.2 (the wildcard 0.0.0.0 requires an exact match of all 32 bits; host 192.168.4.2 is the equivalent abbreviation):

Router(config)# access-list 1 permit 192.168.4.2 0.0.0.0
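The matching rules from the Syntax Description (wildcard bits, the lt/gt/eq/neq/range port operators, the flag-only established test) and the first-match and implicit-deny behaviour from the Command Description, worked through in code. This is an added Python example, not Cisco code and not an IOS feature: it parses a constructed numbered access list written in the syntax documented on this page and evaluates constructed sample packets against it. The port-name table, the sample lists and the packets are assumptions made for the illustration; only the ip, tcp, udp and icmp protocol keywords are handled, and the dynamic, precedence, tos, log and time-range options are ignored.

```python
"""Evaluate packets against numbered IOS IP access lists (added example)."""
import ipaddress

# Subset of the port names IOS accepts in place of numbers (assumed table).
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "telnet": 23, "smtp": 25, "domain": 53,
              "www": 80, "pop3": 110, "bgp": 179, "syslog": 514}

def ip_int(dotted):
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 0 bit must equal base, a 1 bit is ignored.
    Set bits need not be contiguous, so 0.255.0.64 is a legal wildcard."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return ((ip_int(addr) ^ ip_int(base)) & care) == 0

def cidr_to_wildcard(prefix):
    """A contiguous wildcard is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Network(prefix, strict=False).hostmask)

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(t, i):
    """Consume 'any', 'host A', 'A W' or bare 'A' at t[i]; return (base, wildcard, next)."""
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(t) and t[i + 1][0].isdigit():      # explicit wildcard
        return t[i], t[i + 1], i + 2
    return t[i], "0.0.0.0", i + 1                      # omitted wildcard = exact host

def _parse_ports(t, i):
    """Consume an optional lt/gt/eq/neq/range operator; return (matcher, next)."""
    ops = {"eq": lambda p, v: p == v, "neq": lambda p, v: p != v,
           "lt": lambda p, v: p < v, "gt": lambda p, v: p > v}
    if i < len(t) and t[i] == "range":                 # inclusive, two ports
        lo, hi = _port(t[i + 1]), _port(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    if i < len(t) and t[i] in ops:
        op, v = ops[t[i]], _port(t[i + 1])
        return (lambda p: op(p, v)), i + 2
    return (lambda p: True), i

def parse_acl(text):
    """Parse 'access-list N ...' lines in the order given; remarks are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        num = int(t[1])
        e = {"action": t[2], "line": raw.strip(), "established": False,
             "sport": lambda p: True, "dport": lambda p: True}
        if num <= 99 or 1300 <= num <= 1999:           # standard list: source only
            e["proto"] = "ip"
            e["src"], e["swc"], _ = _parse_addr(t, 3)
            e["dst"], e["dwc"] = "0.0.0.0", "255.255.255.255"
        else:                                           # extended list
            e["proto"] = t[3]
            e["src"], e["swc"], i = _parse_addr(t, 4)
            e["sport"], i = _parse_ports(t, i)
            e["dst"], e["dwc"], i = _parse_addr(t, i)
            e["dport"], i = _parse_ports(t, i)
            e["established"] = "established" in t[i:]  # tcp only
        entries.append(e)
    return entries

def packet(proto, src, dst, sport=0, dport=0, flags=()):
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "flags": set(flags)}

def evaluate(entries, pkt):
    """First matching entry wins; no match hits the implicit deny (index None)."""
    for n, e in enumerate(entries):
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (wildcard_match(pkt["src"], e["src"], e["swc"])
                and wildcard_match(pkt["dst"], e["dst"], e["dwc"])):
            continue
        if not (e["sport"](pkt["sport"]) and e["dport"](pkt["dport"])):
            continue
        # 'established' looks only at flag bits (ACK or RST); no state is kept.
        if e["established"] and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return e["action"], n
    return "deny", None

# Constructed sample lists for the demonstration, not taken from a real device.
EXTENDED_ACL = """
access-list 101 remark -- inbound from the Internet --
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 eq www
access-list 101 permit tcp any 192.0.2.0 0.0.0.255 established
access-list 101 deny ip any any log
"""
STANDARD_ACL = "access-list 1 permit 171.0.0.0 0.0.255.255"
ACL = parse_acl(EXTENDED_ACL)
STD = parse_acl(STANDARD_ACL)

if __name__ == "__main__":
    print(evaluate(ACL, packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 22, ["SYN"])))
    print(evaluate(ACL, packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 22, ["ACK"])))
```

Run stand-alone, the two prints show the established caveat directly: a SYN to port 22 falls through to the explicit deny, while a bare ACK to the same port is permitted by the established entry although no connection was ever opened. Against STANDARD_ACL, a packet from outside 171.0.0.0/16 returns ("deny", None), the implicit deny at the end of every list.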


Misconceptions:

 

None


Related Commands:

 

ip access-group

 


© Cisco Systems, Inc. 2001, 2002, 2003
World Wide Education
