access-list

access-list

Defines an access list.

Syntax: [no] access-list list-name [permit|deny] protocol source source-mask [operator operand] destination destination-mask [proto-type] [operator operand] [established] [fragment] [sample tag-name] [tos range] [precedence range] [dscp range] [length range] [log] [rate-limit tag-name]

Attribute Description

permit

Permits access of packet if conditions are matched.

deny

Denies access of packet if conditions are matched.

protocol

Name or number of an Internet protocol. Name keywords are: icmp, igmp, ip, ospf, pim, tcp, or udp. Number entries are standard internet protocol numbers from 0 - 255. If a protocol is not specified, the entry applies to all protocols.

source

IP address of network or host sending the packet. The router compares routes being tested to this value. Specify the address using one of the following formats:

32-bit IP address in dotted decimal format.

keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255

keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0

The source attribute applies to all protocols

source-mask

Network mask applied to the source address. Specify as a 32-bit IP address in dotted decimal format. The source-mask attribute applies to all protocols.

destination

IP address of network or host to which the packet is being sent. Specify the address using one of the following formats:

32-bit IP address in dotted decimal format.

keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255

keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0

The destination attribute applies to all protocols.

destination-mask

Network mask applied to the destination address. Specify as a 32-bit IP address in dotted decimal format. The destination-mask attribute apples to all protocols.

operator

For udp and tcp packets only. Compares destination ports.

When used after the source IP address/source-mask, specifies a source port.

When used after the destination IP address/destination-mask, specifies a destination port.

Valid values are:

eq- specifies the port number is equal to the operand.

range- specifies an inclusive range of ports in the operand delineated by a space, i.e. ports 1 through 3 would be entered 1 3.

operand

Specifies the destination port. Valid values are either a port number or a predefined port number keyword: 0 - 65535- port number

Predefined port number keywords for tcp are:

bgp- Border Gateway Protocol (179)

cmd- Remote command execution (rexec, 514)

domain- Domain Name Service (53)

echo- Echo (7)

exec- Exec (rsh, 512)

ftp- File Transfer Protocol (21)

ftp-data- FTP data connections (used infrequently, 20)

login- Login (rlogin, 513)

netbios-dgm- NETBIOS Datagram Service (138)

netbios-ns- NETBIOS Name Service (137)

nntp- Network News Transport Protocol (119)

smtp- Simple Mail Transport Protocol (25)

snmp- Simple Network Management Protocol (161)

snmptrap- Simple Network Management Protocol Traps (162)

sunrpc- Sun Remote Procedure Call (111)

syslog- Syslog (514)

tacacs- TACACS database service (65)

telnet- Telnet (23)

www- World Wide Protocol (80)

operand (continued)

Predefined port number keywords for udp are:

bootpc- Server port for the bootp protocol

bootps- DNS packets

cmd- Remote command execution (rexec, 514)

domain- echo - UDP echo port

echo- echo (7)

netbios-dgm- NETBIOS Datagram Service (138)

netbios-ns- NETBIOS Name Service (137)

ntp- Network Time Protocol packets

nntp- Network News Transport Protocol (119)

rip- RIP routing protocol packets

smtp- Simple Mail Transport Protocol (25)

snmp- SNMP packets

snmptrap- Simple Network Management Protocol Traps (162)

sunrpc- Sun Remote Procedure Call (111)

syslog- Syslog (514)

tacacs- TACACS database service (65)

tftp- Trivial File Transfer Protocol (69)

proto-type

icmpType, icmpCode - ICMP type and code as defined in RFC 792. For ICMP messages only

icmpMessage - ICMP message text. For ICMP messages only.

igmpType - IGMP message type. For IGMP messages only.

established

For tcp protocol only. Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The non-matching case is the initial TCP datagram to form a connection.

fragment

Match occurs on packet fragments (those packets with a non-zero offset in their IP header). This keyword can not be used if a port number is specified or if the established keyword is used.

tos range

IP TOS byte value or range between 0 - 255. For range, specify the low and high number delineated by a space.

The tos attribute is not used for the ICMP or IGMP protocols.

precedence range

An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:5. The parameter can be a range, a value from 0 - 7, or a predefined keyword. The following keywords are supported:

critical-ecp = 0xa0

internet-control = 0xc0

network-control = 0xe0

flash = 0x60

flash-override = 0x80

immediate = 0x40

priority = 0x20

routine = 0x00

For range, specify the low and high number delineated by a space.

dscp range

An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:2. The parameters can be a range, a value from 0 - 63, or a predefined keyword. The following keywords and predefined values:

ef = 46

af11 = 10

af12 = 12

af13 = 14

af21 = 18

af22 = 20

af23 = 22

af31 = 26

af32 = 28

af33 = 30

af41 = 34

af42 = 36

af43 = 38

For range, specify the low and high number delineated by a space.

length range

The IP length field. The parameter can be either a single exact match value from 0 - 65535 or a range of values. For range, specify the low and high number delineated by a space. The 15 most significant bits are used for the access list length key.

log

Generate a syslog message when at least one match occurs within a 10 second interval. The log attribute can be used by all protocols.

sample sample-name

Send a mirror copy of the packet to the configured interface mirror port. The sample attribute can be used by all protocols. The sample-name is any preconfigured sample using the sample command.

rate-limit rate-limit-name

Limits the rate of the received bandwidth to the configured rate. The rate-limit attribute can be used by all protocols. The rate-limit-name is any preconfigured rate-limit using the rate-limit command.

Description: Access lists are filters that enable you to:

Restrict the routing information a router learns from or advertises to a neighbor.

Restrict inbound packets bound for either the server or fabric.

You can define access lists filters based on any of four elements:

address based access lists identify routes you want to control by network address number. Use the access-list or ip access-list commands to create an address-based access list.

as-path based access lists identify routes you want to control by autonomous system path. Use the ip as-path access-list command to create an autonomous system path based access list.

community-based access lists identify BGP routes you want to control by community. Use the ip community-list command to create a community-based access list.

packet based access lists identify packets by protocol entering a router bound for either the fabric or server, as well as server sourced packets that you want to control. Packets forwarded across the fabric must use the ip access-list command in extended mode.

Standard or Extended mode can be specified using the ip access-list command. Standard access lists create filters based on source addresses and are used for server based filtering. Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features and are used for packet based filtering for packets that traverse the fabric.

NOTE Only extended access-lists can be used to filter data traffic that traverses the fabric. Only standard access-lists are used for inbound and outbound server based filtering.

Multiple BGP peers or route maps can reference a single access list. You can apply access lists to both inbound and outbound traffic.

Each packet is passed through the access list. The rules in the access list are applied in the order in which they appear in the list. When a packet matches any rule, the decision to permit the packet through the filter or deny it is made, and no further rules are processed.

This means that the order of commands in your access list is very important. Make entries in your access lists in descending order of likelihood of finding a match. List entries with the greatest probability of being matched before entries with the smallest probability of being matched. This order reduces the time spent processing each packet as it is passed through an access list.

NOTE Internally, some code uses TCP sockets to communicate between tasks using the internal loopback address (127.0.0.1). Packet filtering behaves as though the following line was the first entry of every access-list:

permit ip host 127.0.0.1 host 127.0.0.1

Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access-lists:

deny ip any any

If it is desirable to over-ride this implicit denial statement, enter a permit ip any any statement as the last entry in the access-list.

You cannot modify an existing access list in your configuration file. Instead, you must use the no option to delete the list and then retype the entire list. We recommend you keep your access lists in separate files, allowing you to cut and paste entries into your configuration file.

Use the access-list list-name [permit|deny] source source-mask syntax to create a standard address-based access list. Add entries to the list by repeating the command for different IP addresses.

Use the access-list list-name [permit|deny] source source-mask destination destination-mask syntax to create an extended address-based access list. Add entries to the list by repeating the command for different IP addresses.

Use the access-list list-name [permit|deny] ip source source-mask destination destination-mask [log] [sample] [rate-limit] syntax to create an IP extended packet-based access list to filter any IP protocol packet, including ICMP, TCP, and UDP, based on their source, destination, protocol, destination port, connection state.

Use the access-list list-name [permit|deny] icmp source source-mask destination destination-mask [proto-type] [log] [sample] [rate-limit] syntax to create an ICMP packet-based access list to filter any ICMP protocol packet, based on their source, destination, protocol, destination port, connection state.

Use the access-list list-name [permit|deny] igmp source source-mask destination destination-mask [proto-type] [log] [sample] [rate-limit] syntax to create an IGMP packet-based access list to filter any IGMP protocol packet, based on their source, destination, protocol, destination port, connection state.

Use the access-list list-name [permit|deny] tcp source source-mask [operator operand] destination destination-mask [operator operand] [established] [fragment] [log] [sample] [rate-limit] syntax to create a TCP protocol packet-based access list to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.

Use the access-list list-name [permit|deny] udp source source-mask [operator operand] destination destination-mask [operator operand] [fragment] [log] [sample] [rate-limit] syntax to create a UDP protocol packet-based access list to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.

Use the route-map, neighbor distribute-list, and neighbor filter-list commands to apply address-based access lists to routes.

Use the ip access-group interface configuration command to apply packet-based access lists to an interface.

Use the no access list syntax to delete an access list.

Factory Default: Deny statement for all options.

Command Mode: Configuration.

Example 1: In the following example, the 4 access-list commands create a standard access list named ISP4_access that allows access only for hosts on three specified networks:

router(config)#access-list ISP4_access permit 10.5.1.121 0.0.0.255

router(config)#access-list ISP4_access permit 128.20.0.0 0.0 255.255

router(config)#access-list ISP4_access permit 120.0.0.0 0.255.255.255

router(config)#

Only routes that match entries in the access list are permitted. Note the last line of the access list is a deny any statement to remind your reader that all other access is denied.

Example 2: In the following example, the access-list commands create an extended access list allowFTP to permit FTP command and control packets from all sources and destinations:

router(config)#access-list allowFTP permit tcp any any eq ftp

router(config)#access-list allowFTP permit tcp any any eq ftp-data

Example 3: In the following example, the access-list commands create an extended access list denySNMP to deny SNMP packets from all sources and destinations, but permit all other IP traffic:

router(config)#access-list denySNMP deny any any udp eq snmp

router(config)#access-list denySNMP permit ip any any

Example 4: In the following example:

A mirror port is configured to set the destination of interface pos 1/13/1 for any sampled packets received on the pos 1/14/1 interface.

Two sampling frequencies are configured and tag named src-100-d (deny) and src-100-p (permit) and set to 1 in 100 packets.

An extended IP access list is configured named src-filter.

to deny packets from network 12.160/16 with a sample rate of 1 in 100 packets.

to permit packets from network 191/8.

All other packets are permitted without sampling.

IP access-group src-filter is associated with interface pos 1/14/1 for in-bound traffic forwarded across the fabric.

An extended IP access-list is configured named forme and is configured with ACLs that deny telnet traffic from network 10.10/16.

The forme IP access-group is made the default inbound filter for messages intended for the server.

router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

router(config)#interface pos 1/14/1

router(config-if)#mirror pos 1/13/1

router(config-if)#exit

router(config)#sample src-100-d 100

router(config)#sample src-100-p 100

router(config)#ip access-list extended src_filter

router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d

router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p

router(config-ext-nacl)#permit ip any any

router(config-ext-nacl)#exit

router(config)#interface pos 1/14/1

router(config-if)#ip access-group src_filter control-in

router(config-if)#exit

router(config)#ip access-list extended forme

router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet

router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255

router(config-ext-nacl)#exit

router(config)#ip default-access-group forme control-in

router(config)#end

router#

Related Commands: ip access-list
ip as-path access-list
ip community-list
mirror
rate-limit
sample
show access-lists
show ip access-lists
neighbor distribute-list
neighbor filter-list
ip access-group

Attribute	Description
permit	Permits access of packet if conditions are matched.
deny	Denies access of packet if conditions are matched.
protocol	Name or number of an Internet protocol. Name keywords are: icmp, igmp, ip, ospf, pim, tcp, or udp. Number entries are standard internet protocol numbers from 0 - 255. If a protocol is not specified, the entry applies to all protocols.
source	IP address of network or host sending the packet. The router compares routes being tested to this value. Specify the address using one of the following formats: 32-bit IP address in dotted decimal format. keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255 keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0 The source attribute applies to all protocols
source-mask	Network mask applied to the source address. Specify as a 32-bit IP address in dotted decimal format. The source-mask attribute applies to all protocols.
destination	IP address of network or host to which the packet is being sent. Specify the address using one of the following formats: 32-bit IP address in dotted decimal format. keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255 keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0 The destination attribute applies to all protocols.
destination-mask	Network mask applied to the destination address. Specify as a 32-bit IP address in dotted decimal format. The destination-mask attribute apples to all protocols.
operator	For udp and tcp packets only. Compares destination ports. When used after the source IP address/source-mask, specifies a source port. When used after the destination IP address/destination-mask, specifies a destination port. Valid values are: eq- specifies the port number is equal to the operand. range- specifies an inclusive range of ports in the operand delineated by a space, i.e. ports 1 through 3 would be entered 1 3.
operand	Specifies the destination port. Valid values are either a port number or a predefined port number keyword: 0 - 65535- port number Predefined port number keywords for tcp are: bgp- Border Gateway Protocol (179) cmd- Remote command execution (rexec, 514) domain- Domain Name Service (53) echo- Echo (7) exec- Exec (rsh, 512) ftp- File Transfer Protocol (21) ftp-data- FTP data connections (used infrequently, 20) login- Login (rlogin, 513) netbios-dgm- NETBIOS Datagram Service (138) netbios-ns- NETBIOS Name Service (137) nntp- Network News Transport Protocol (119) smtp- Simple Mail Transport Protocol (25) snmp- Simple Network Management Protocol (161) snmptrap- Simple Network Management Protocol Traps (162) sunrpc- Sun Remote Procedure Call (111) syslog- Syslog (514) tacacs- TACACS database service (65) telnet- Telnet (23) www- World Wide Protocol (80)
operand (continued)	Predefined port number keywords for udp are: bootpc- Server port for the bootp protocol bootps- DNS packets cmd- Remote command execution (rexec, 514) domain- echo - UDP echo port echo- echo (7) netbios-dgm- NETBIOS Datagram Service (138) netbios-ns- NETBIOS Name Service (137) ntp- Network Time Protocol packets nntp- Network News Transport Protocol (119) rip- RIP routing protocol packets smtp- Simple Mail Transport Protocol (25) snmp- SNMP packets snmptrap- Simple Network Management Protocol Traps (162) sunrpc- Sun Remote Procedure Call (111) syslog- Syslog (514) tacacs- TACACS database service (65) tftp- Trivial File Transfer Protocol (69)
proto-type	icmpType, icmpCode - ICMP type and code as defined in RFC 792. For ICMP messages only
	icmpMessage - ICMP message text. For ICMP messages only.
	igmpType - IGMP message type. For IGMP messages only.
established	For tcp protocol only. Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The non-matching case is the initial TCP datagram to form a connection.
fragment	Match occurs on packet fragments (those packets with a non-zero offset in their IP header). This keyword can not be used if a port number is specified or if the established keyword is used.
tos range	IP TOS byte value or range between 0 - 255. For range, specify the low and high number delineated by a space. The tos attribute is not used for the ICMP or IGMP protocols.
precedence range	An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:5. The parameter can be a range, a value from 0 - 7, or a predefined keyword. The following keywords are supported: critical-ecp = 0xa0 internet-control = 0xc0 network-control = 0xe0 flash = 0x60 flash-override = 0x80 immediate = 0x40 priority = 0x20 routine = 0x00 For range, specify the low and high number delineated by a space.
dscp range	An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:2. The parameters can be a range, a value from 0 - 63, or a predefined keyword. The following keywords and predefined values: ef = 46 af11 = 10 af12 = 12 af13 = 14 af21 = 18 af22 = 20 af23 = 22 af31 = 26 af32 = 28 af33 = 30 af41 = 34 af42 = 36 af43 = 38 For range, specify the low and high number delineated by a space.
length range	The IP length field. The parameter can be either a single exact match value from 0 - 65535 or a range of values. For range, specify the low and high number delineated by a space. The 15 most significant bits are used for the access list length key.
log	Generate a syslog message when at least one match occurs within a 10 second interval. The log attribute can be used by all protocols.
sample sample-name	Send a mirror copy of the packet to the configured interface mirror port. The sample attribute can be used by all protocols. The sample-name is any preconfigured sample using the sample command.
rate-limit rate-limit-name	Limits the rate of the received bandwidth to the configured rate. The rate-limit attribute can be used by all protocols. The rate-limit-name is any preconfigured rate-limit using the rate-limit command.

router(config)#access-list ISP4_access permit 10.5.1.121 0.0.0.255 router(config)#access-list ISP4_access permit 128.20.0.0 0.0 255.255 router(config)#access-list ISP4_access permit 120.0.0.0 0.255.255.255 router(config)#

router(config)#access-list allowFTP permit tcp any any eq ftp router(config)#access-list allowFTP permit tcp any any eq ftp-data

router(config)#access-list denySNMP deny any any udp eq snmp router(config)#access-list denySNMP permit ip any any

router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. router(config)#interface pos 1/14/1 router(config-if)#mirror pos 1/13/1 router(config-if)#exit router(config)#sample src-100-d 100 router(config)#sample src-100-p 100 router(config)#ip access-list extended src_filter router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p router(config-ext-nacl)#permit ip any any router(config-ext-nacl)#exit router(config)#interface pos 1/14/1 router(config-if)#ip access-group src_filter control-in router(config-if)#exit router(config)#ip access-list extended forme router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255 router(config-ext-nacl)#exit router(config)#ip default-access-group forme control-in router(config)#end router#

   Source File Name: Routing_Pol.fm
    HTML File Name: Routing_Pol2.html
    Last Updated: 05/10/04 at 16:38:37

access-list

Please email suggestions and comments to: doc@avici.com