ip access-list

ip access-list

Defines an IP access list by name and enters access-list configuration mode.

Syntax: [no] ip access-list {standard|extended} name

standard

Defines a standard access list.

extended

Defines an extended access list.

name

Name of this access list. Names may be up to 256 characters and may consist of any alpha-numeric characters, the underscore (_), and the hyphen (-). Case is significant.

Description: Access lists are filters that enable you to restrict the routing information a router learns from or advertises to a neighbor. Standard access lists create filters based on permit/deny, prefix, and prefix don't-care-bits. Extended access lists enable you to specify the type of protocol, network mask, and mask don't-care-bits as well as the elements that you can configure with a standard access list. Extended lists enable you to define range filters with masks and are more flexible for range matching. For further information on access-lists see the access-list command on page 4.

NOTE Only extended access-lists can be used to filter data traffic that traverses the fabric. Only standard access-lists are used for inbound and outbound server based filtering.

Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access-lists:

deny ip any any

If it is desirable to over-ride this implicit denial statement, enter a permit ip any any statement as the last entry in the access-list.

All IP access lists can be named.

Use the ip access-list command to define a named access list. This command names the access list and changes the command mode to access-list configuration mode. This command is used for address based filtering in standard mode and packet based filtering in extended mode.

Enter the IP address and network mask for each system the access list controls. Use the permit and deny commands to specify whether that system is permitted access.

Once in access-list configuration mode, use the attributes listed in Table 5-1 to build configuration commands.

Table 5-1. Packet Attributes and Valid Values
Attribute Description

permit

Permits access of packet if conditions are matched.

deny

Denies access of packet if conditions are matched.

protocol

Name or number of an Internet protocol. Name keywords are: icmp, igmp, ip, ipinip (IP encap-
sulated in IP), ospf, pim, rsvp, tcp, or udp. Number entries are standard internet protocol numbers from 0 - 255. If a protocol is not specified, the entry applies to all protocols.

source

IP address of network or host sending the packet. The router compares routes being tested to this value. Specify the address using one of the following formats:

32-bit IP address in dotted decimal format.

keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255

keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0

The source attribute applies to all protocols

source-mask

Network mask applied to the source address. Specify as a 32-bit IP address in dotted decimal format. The source-mask attribute applies to all protocols.

destination

IP address of network or host to which the packet is being sent. Specify the address using one of the following formats:

32-bit IP address in dotted decimal format.

keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255

keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0

The destination attribute applies to all protocols.

destination-mask

Network mask applied to the destination address. Specify as a 32-bit IP address in dotted decimal format. The destination-mask attribute apples to all protocols.

operator

For udp and tcp packets only. Compares destination ports.

When used after the source IP address/source-mask, specifies a source port.

When used after the destination IP address/destination-mask, specifies a destination port.

Valid values are:

eq- specifies the port number is equal to the operand.

range- specifies an inclusive range of ports in the operand delineated by a space, i.e. ports 1 through 3 would be entered 1 3.

gt- Match packets with port number greater than this port.

operand

Specifies the destination port. Valid values are either a port number or a predefined port number keyword:

0 - 65535- port number

Predefined port number keywords for tcp are:

bgp- Border Gateway Protocol (179)

cmd- Remote command execution (rexec, 514)

domain- Domain Name Service (53)

echo- Echo (7)

exec- Exec (rsh, 512)

ftp- File Transfer Protocol (21)

ftp-data- FTP data connections (used infrequently, 20)

login- Login (rlogin, 513)

netbios-dgm- NETBIOS Datagram Service (138)

netbios-ns- NETBIOS Name Service (137)

nntp- Network News Transport Protocol (119)

smtp- Simple Mail Transport Protocol (25)

snmp- Simple Network Management Protocol (161)

snmptrap- Simple Network Management Protocol Traps (162)

sunrpc- Sun Remote Procedure Call (111)

syslog- Syslog (514)

tacacs- TACACS database service (65)

telnet- Telnet (23)

www- World Wide Protocol (80)

Predefined port number keywords for udp are:

bootpc- Server port for the bootp protocol

bootps- DNS packets

cmd- Remote command execution (rexec, 514)

domain- echo - UDP echo port

echo- echo (7)

netbios-dgm- NETBIOS Datagram Service (138)

netbios-ns- NETBIOS Name Service (137)

ntp- Network Time Protocol packets

nntp- Network News Transport Protocol (119)

rip- RIP routing protocol packets

smtp- Simple Mail Transport Protocol (25)

snmp- SNMP packets

snmptrap- Simple Network Management Protocol Traps (162)

sunrpc- Sun Remote Procedure Call (111)

syslog- Syslog (514)

tacacs- TACACS database service (65)

tftp- Trivial File Transfer Protocol (69)

icmpType, icmpCode

ICMP type and code as defined in RFC 792. For ICMP messages only

icmpMessage

ICMP message text. For ICMP messages only.

igmpType

IGMP message type. For IGMP messages only.

established

For tcp protocol only. Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The non-matching case is the initial TCP datagram to form a connection.

eq | gt

<0-65535> Port number

bgp- Border Gateway Protocol (179)

cmd- Remote command execution (rexec, 514)

domain- Domain Name Service (53)

echo- Echo (7)

exec- Exec (rsh, 512)

ftp- File Transfer Protocol (21)

ftp-data- FTP data connections (used infrequently, 20)

login- Login (rlogin, 513)

netbios-dgm- NETBIOS Datagram Service (138)

netbios-ns- NETBIOS Name Service (137)

nntp- Network News Transport Protocol (119)

smtp- Simple Mail Transport Protocol (25)

snmp- Simple Network Management Protocol (161)

snmptrap- Simple Network Management Protocol Traps (162)

sunrpc- Sun Remote Procedure Call (111)

syslog- Syslog (514)

tacacs- TACACS database service (65)

telnet- Telnet (23)

www- World Wide Protocol (80)

fragment

Match occurs on packet fragments (those packets with a non-zero offset in their IP header). This keyword can not be used if a port number is specified or if the established keyword is used.

tos range

IP TOS byte value or range between 0 - 255. For range, specify the low and high number delineated by a space.

The tos attribute is not used for the ICMP or IGMP protocols.

dscp range

An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:2. The parameters can be a range, a value from 0 - 63, or a predefined keyword. The following keywords and predefined values:

ef = 46

af11 = 10

af12 = 12

af13 = 14

af21 = 18

af22 = 20

af23 = 22

af31 = 26

af32 = 28

af33 = 30

af41 = 34

af42 = 36

af43 = 38

For range, specify the low and high number delineated by a space.

length range

The IP length field. The parameter can be either a single exact match value from 0 - 65535 or a range of values. For range, specify the low and high number delineated by a space. The 15 most significant bits are used for the access list length key.

log

Generate a syslog message when at least one match occurs within a 10 second interval. The log attribute can be used by all protocols.

precedence range

An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:5. The parameter can be a range, a value from 0 - 7, or a predefined keyword. The following keywords are supported:

critical-ecp = 0xa0

internet-control = 0xc0

network-control = 0xe0

flash = 0x60

flash-override = 0x80

immediate = 0x40

priority = 0x20

routine = 0x00

For range, specify the low and high number delineated by a space.

range

Specifies an inclusive range of ports in the operand delineated by a space, i.e. ports 1 through 3 would be entered 1 3. Valid Values <0-65535>

sample sample-name

Send a mirror copy of the packet to the configured interface mirror port. The sample attribute can be used by all protocols. The sample-name is any preconfigured sample using the sample command.

rate-limit rate-limit-name

Limits the rate of the received bandwidth to the configured rate. The rate-limit attribute can be used by all protocols. The rate-limit-name is any preconfigured rate-limit using the rate-limit command.

Use the [permit|deny] source source-mask syntax to create a standard address-based IP access list entry. Add entries to the list by repeating the command for different IP addresses.

Use the [permit|deny] source source-mask destination destination-mask syntax to create an extended address-based IP access list entry. Add entries to the list by repeating the command for different IP addresses.

Use the [permit|deny] ip source source-mask destination destination-mask [tos [range tos-range | tos-value | tos-keyword]] [length [range length-range | bytes]] [sample sample-tag-name] [log] [rate-limit bits-per-second] syntax to create an IP extended packet-based access list entry to filter any IP protocol packet, including ICMP, TCP, and UDP, based on their source, destination, protocol, destination port, connection state.

Use the [permit|deny] icmp source source-mask destination destination-mask [icmp-type [icmp-code] | icmp-message] [log] [sample sample-tag-name] [rate-limit ratelimit-tag-name] syntax to create an ICMP packet-based IP access list entry to filter any ICMP protocol packet, based on their source, destination, protocol, destination port, connection state.

Use the [permit|deny] igmp source source-mask destination destination-mask [igmp-type] [log] [sample sample-tag-name] [rate-limit ratelimit-tag-name] syntax to create an IGMP packet-based IP access list entry to filter any IGMP protocol packet, based on their source, destination, protocol, destination port, connection state.

Use the [permit|deny] tcp source source-mask [operator operand] destination destination-mask [operator operand] [established] [fragment] [log] [sample] [rate-limit] syntax to create a TCP protocol packet-based IP access list entry to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.

Use the [permit|deny] udp source source-mask [operator operand] destination destination-mask [operator operand] [tos [range tos-range | tos-value | tos-keyword]] [length [range length-range | bytes]] [sample sample-tag-name] [log] [rate-limit bits-per-second] [fragment] syntax to create a UDP protocol packet-based IP access list entry to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.

Use the route-map, neighbor distribute-list, and neighbor filter-list commands to apply address-based access lists to routes.

Use the ip access-group interface configuration command to apply packet-based access lists to an interface.

Use the no ip access list command to delete a named access list.

Note that a deny any any statement is automatically appended to all access lists.

Factory Default: No IP access lists defined.

Command Mode: Configuration.

Example 1: In the following example, the ip access-list, deny, and permit commands create a standard access list named ISP1_inbound that only allows hosts on the 2 specified networks:

router(config)#ip access-list standard ISP1_inbound

router(config-std-nacl)#permit 205.5.1.121 0.0.0.255

router(config-std-nacl)#permit 128.20.0.0 0.0.255.255

router(config-std-nacl)#exit

router(config)#

Example 2: In the following example:

An extended IP access-list is configured named src-filter set to deny packets from network 12.160/16 with a sample rate of 1 in 100 packets, and to sample packets from network 191/8.

All other packets are permitted without sampling.

IP access-list src-filter is associated with interface pos 1/14/1 for packets forwarded across the fabric.

An extended IP access-list is configured named forme and is configured with ACLs that deny telnet traffic from network 10.10/16.

The forme IP access-list is made the default inbound filter for messages intended for the server. In this case there is no implicit deny all filter at the end. The Avici default forme list is added to any user input.

router#configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

router(config)#ip access-list extended src_filter

router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d

router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p

router(config-ext-nacl)#permit ip any any

router(config-ext-nacl)#exit

router(config)#interface pos 1/14/1

router(config-if)#ip access-group src_filter in

router(config-if)#exit

router(config)#ip access-group extended forme

router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet

router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255

router(config-ext-nacl)#exit

router(config)#ip default-access-group forme control-in

router(config)#end

router#

Related Commands: access-list
ip as-path access-list
ip community-list
show access-lists
show ip access-lists
neighbor distribute-list
neighbor filter-list

standard	Defines a standard access list.
extended	Defines an extended access list.
name	Name of this access list. Names may be up to 256 characters and may consist of any alpha-numeric characters, the underscore (_), and the hyphen (-). Case is significant.

**Table 5-1.** Packet Attributes and Valid Values
Attribute	Description
permit	Permits access of packet if conditions are matched.
deny	Denies access of packet if conditions are matched.
protocol	Name or number of an Internet protocol. Name keywords are: icmp, igmp, ip, ipinip (IP encap- sulated in IP), ospf, pim, rsvp, tcp, or udp. Number entries are standard internet protocol numbers from 0 - 255. If a protocol is not specified, the entry applies to all protocols.
source	IP address of network or host sending the packet. The router compares routes being tested to this value. Specify the address using one of the following formats: 32-bit IP address in dotted decimal format. keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255 keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0 The source attribute applies to all protocols
source-mask	Network mask applied to the source address. Specify as a 32-bit IP address in dotted decimal format. The source-mask attribute applies to all protocols.
destination	IP address of network or host to which the packet is being sent. Specify the address using one of the following formats: 32-bit IP address in dotted decimal format. keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255 keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0 The destination attribute applies to all protocols.
destination-mask	Network mask applied to the destination address. Specify as a 32-bit IP address in dotted decimal format. The destination-mask attribute apples to all protocols.
operator	For udp and tcp packets only. Compares destination ports. When used after the source IP address/source-mask, specifies a source port. When used after the destination IP address/destination-mask, specifies a destination port. Valid values are: eq- specifies the port number is equal to the operand. range- specifies an inclusive range of ports in the operand delineated by a space, i.e. ports 1 through 3 would be entered 1 3. gt- Match packets with port number greater than this port.
operand	Specifies the destination port. Valid values are either a port number or a predefined port number keyword: 0 - 65535- port number Predefined port number keywords for tcp are: bgp- Border Gateway Protocol (179) cmd- Remote command execution (rexec, 514) domain- Domain Name Service (53) echo- Echo (7) exec- Exec (rsh, 512) ftp- File Transfer Protocol (21) ftp-data- FTP data connections (used infrequently, 20) login- Login (rlogin, 513) netbios-dgm- NETBIOS Datagram Service (138) netbios-ns- NETBIOS Name Service (137) nntp- Network News Transport Protocol (119) smtp- Simple Mail Transport Protocol (25) snmp- Simple Network Management Protocol (161) snmptrap- Simple Network Management Protocol Traps (162) sunrpc- Sun Remote Procedure Call (111) syslog- Syslog (514) tacacs- TACACS database service (65) telnet- Telnet (23) www- World Wide Protocol (80) Predefined port number keywords for udp are: bootpc- Server port for the bootp protocol bootps- DNS packets cmd- Remote command execution (rexec, 514) domain- echo - UDP echo port echo- echo (7) netbios-dgm- NETBIOS Datagram Service (138) netbios-ns- NETBIOS Name Service (137) ntp- Network Time Protocol packets nntp- Network News Transport Protocol (119) rip- RIP routing protocol packets smtp- Simple Mail Transport Protocol (25) snmp- SNMP packets snmptrap- Simple Network Management Protocol Traps (162) sunrpc- Sun Remote Procedure Call (111) syslog- Syslog (514) tacacs- TACACS database service (65) tftp- Trivial File Transfer Protocol (69)
icmpType, icmpCode	ICMP type and code as defined in RFC 792. For ICMP messages only
icmpMessage	ICMP message text. For ICMP messages only.
igmpType	IGMP message type. For IGMP messages only.
established	For tcp protocol only. Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The non-matching case is the initial TCP datagram to form a connection.
eq \| gt	<0-65535> Port number bgp- Border Gateway Protocol (179) cmd- Remote command execution (rexec, 514) domain- Domain Name Service (53) echo- Echo (7) exec- Exec (rsh, 512) ftp- File Transfer Protocol (21) ftp-data- FTP data connections (used infrequently, 20) login- Login (rlogin, 513) netbios-dgm- NETBIOS Datagram Service (138) netbios-ns- NETBIOS Name Service (137) nntp- Network News Transport Protocol (119) smtp- Simple Mail Transport Protocol (25) snmp- Simple Network Management Protocol (161) snmptrap- Simple Network Management Protocol Traps (162) sunrpc- Sun Remote Procedure Call (111) syslog- Syslog (514) tacacs- TACACS database service (65) telnet- Telnet (23) www- World Wide Protocol (80)
fragment	Match occurs on packet fragments (those packets with a non-zero offset in their IP header). This keyword can not be used if a port number is specified or if the established keyword is used.
tos range	IP TOS byte value or range between 0 - 255. For range, specify the low and high number delineated by a space. The tos attribute is not used for the ICMP or IGMP protocols.
dscp range	An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:2. The parameters can be a range, a value from 0 - 63, or a predefined keyword. The following keywords and predefined values: ef = 46 af11 = 10 af12 = 12 af13 = 14 af21 = 18 af22 = 20 af23 = 22 af31 = 26 af32 = 28 af33 = 30 af41 = 34 af42 = 36 af43 = 38 For range, specify the low and high number delineated by a space.
length range	The IP length field. The parameter can be either a single exact match value from 0 - 65535 or a range of values. For range, specify the low and high number delineated by a space. The 15 most significant bits are used for the access list length key.
log	Generate a syslog message when at least one match occurs within a 10 second interval. The log attribute can be used by all protocols.
precedence range	An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:5. The parameter can be a range, a value from 0 - 7, or a predefined keyword. The following keywords are supported: critical-ecp = 0xa0 internet-control = 0xc0 network-control = 0xe0 flash = 0x60 flash-override = 0x80 immediate = 0x40 priority = 0x20 routine = 0x00 For range, specify the low and high number delineated by a space.
range	Specifies an inclusive range of ports in the operand delineated by a space, i.e. ports 1 through 3 would be entered 1 3. Valid Values <0-65535>
sample sample-name	Send a mirror copy of the packet to the configured interface mirror port. The sample attribute can be used by all protocols. The sample-name is any preconfigured sample using the sample command.
rate-limit rate-limit-name	Limits the rate of the received bandwidth to the configured rate. The rate-limit attribute can be used by all protocols. The rate-limit-name is any preconfigured rate-limit using the rate-limit command.

router(config)#ip access-list standard ISP1_inbound router(config-std-nacl)#permit 205.5.1.121 0.0.0.255 router(config-std-nacl)#permit 128.20.0.0 0.0.255.255 router(config-std-nacl)#exit router(config)#

router#configure terminal Enter configuration commands, one per line. End with CNTL/Z. router(config)#ip access-list extended src_filter router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p router(config-ext-nacl)#permit ip any any router(config-ext-nacl)#exit router(config)#interface pos 1/14/1 router(config-if)#ip access-group src_filter in router(config-if)#exit router(config)#ip access-group extended forme router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255 router(config-ext-nacl)#exit router(config)#ip default-access-group forme control-in router(config)#end router#

   Source File Name: Routing_Pol.fm
    HTML File Name: Routing_Pol7.html
    Last Updated: 05/10/04 at 16:38:37

ip access-list

Please email suggestions and comments to: doc@avici.com