To define an extended IP access list, use the extended version of the access-list command in global configuration mode. To remove the access list, use the no form of this command.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence | dscp dscp | tos tos | time-range time-range-name | fragments | log [word] | log-input [word]]
no access-list access-list-number
Internet Control Message Protocol (ICMP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence | dscp dscp | tos tos | time-range time-range-name | fragments | log [word] | log-input [word]]
Internet Group Management Protocol (IGMP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence | dscp dscp | tos tos | time-range time-range-name | fragments | log [word] | log-input [word]]
Transmission Control Protocol (TCP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence | dscp dscp | tos tos | time-range time-range-name | fragments | log [word] | log-input [word]]
User Datagram Protocol (UDP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence | dscp dscp | tos tos | time-range time-range-name | fragments | log [word] | log-input [word]]
Syntax Description

access-list-number
    Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

dynamic dynamic-name
    (Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

timeout minutes
    (Optional) Specifies the absolute length of time, in minutes, that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

deny
    Denies access if the conditions are matched.

permit
    Permits access if the conditions are matched.

protocol
    Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers, described below.

source
    Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
    - Use a 32-bit quantity in four-part dotted-decimal format.
    - Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
    - Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard
    Wildcard bits to be applied to the source. Each wildcard bit set to 0 indicates that the corresponding bit of the packet's source address must equal the corresponding bit of source. Each wildcard bit set to 1 indicates that both a 0 bit and a 1 bit in the corresponding position of the IP address of the packet will be considered a match to this access list entry. A wildcard is therefore the bitwise inverse of a subnet mask: a /24 is written 0.0.0.255, not 255.255.255.0.
    There are three alternative ways to specify the source wildcard:
    - Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore.
    - Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
    - Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
    Wildcard bits set to 1 need not be contiguous in the source wildcard. For example, a source wildcard of 0.255.0.64 would be valid.

destination
    Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
    - Use a 32-bit quantity in four-part dotted-decimal format.
    - Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
    - Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard
    Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
    - Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore.
    - Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
    - Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence
    (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."

tos tos
    (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."

dscp dscp
    (Optional) Packets can be filtered by DSCP value, as specified by a number from 0 to 63; enter a question mark (?) in place of the value to see the list of available names.

time-range time-range-name
    (Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.

icmp-type
    (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code
    (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message
    (Optional) ICMP packets can be filtered by an ICMP message type name or by an ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."

igmp-type
    (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator
    (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
    If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
    The range operator requires two port numbers. All other operators require one port number.

port
    (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established
    (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP segment has the ACK or RST control bit set. The nonmatching case is that of the initial SYN segment sent to open a connection. The check is stateless: the router keeps no connection table, so any packet that carries ACK or RST matches whether or not a connection exists, and a crafted ACK or RST scan is not stopped by an established entry.

fragments
    (Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see "Access List Processing of Fragments" and "Fragments and Policy Routing" in the Usage Guidelines section.

log
    (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
    The log message includes the access list number; whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and port numbers and the user-defined cookie or router-generated hash value. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
    The logging facility may drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
    After you specify the log keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.

word
    (Optional) User-defined cookie appended to the log message. The cookie:
    - cannot exceed the maximum length allowed for the cookie
    - cannot start with hexadecimal notation (such as 0x)
    - cannot be the same as, or a subset of, the following keywords: reflect, fragment, time-range
    - must contain alphanumeric characters only
    The user-defined cookie is appended to the access control entry (ACE) syslog entry and uniquely identifies the ACE, within the access control list, that generated the syslog entry.

log-input
    (Optional) Includes the input interface and source MAC address or virtual circuit in the logging output. Because the source IP address of a denied packet may be spoofed, the input interface and MAC address are what identify the actual upstream device.
    After you specify the log-input keyword (and the associated word argument), you cannot specify any other keywords or settings for this command.
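Wildcard arithmetic is the part of this syntax that is most often written wrong (a subnet mask typed where a wildcard belongs silently widens an entry to millions of addresses). The following Python is an added example, not code from the Cisco reference; the function names are its own. It shows how a wildcard bit of 0 forces a match and a bit of 1 ignores the position, how a subnet mask or prefix length converts to a wildcard, what the any and host shorthands expand to, that a wildcard need not be contiguous, and a quick check for the mask-instead-of-wildcard mistake.

```python
"""Wildcard-mask arithmetic as Cisco IOS extended access lists apply it.

Added example, not code from the Cisco command reference; all function
names are this example's own.
"""
import ipaddress
from typing import Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Dotted-decimal string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(packet_addr: str, ace_addr: str, wildcard: str) -> bool:
    """True when packet_addr matches ace_addr under the wildcard.

    Every bit position where the wildcard is 0 must agree between the packet
    address and the ACE address; positions where the wildcard is 1 are ignored.
    """
    care = ~to_int(wildcard) & ALL_ONES
    return (to_int(packet_addr) & care) == (to_int(ace_addr) & care)


def netmask_to_wildcard(netmask: str) -> str:
    """A wildcard is the bitwise inverse of a subnet mask: 255.255.255.0 -> 0.0.0.255."""
    return str(ipaddress.IPv4Address(~to_int(netmask) & ALL_ONES))


def prefix_to_ace_pair(prefix: str) -> Tuple[str, str]:
    """'10.88.0.0/16' -> ('10.88.0.0', '0.0.255.255'), the form an ACE takes."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


def expand_shorthand(token: str) -> Tuple[str, str]:
    """Expand 'any' and 'host A.B.C.D' to the explicit address/wildcard pair."""
    if token == "any":
        return "0.0.0.0", "255.255.255.255"
    if token.startswith("host "):
        return token.split()[1], "0.0.0.0"
    raise ValueError(f"not a shorthand: {token!r}")


def addresses_matched(wildcard: str) -> int:
    """Number of distinct addresses an entry with this wildcard can match (2 ** ones)."""
    return 1 << bin(to_int(wildcard)).count("1")


def is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is 0...01...1, i.e. the inverse of a subnet mask."""
    w = to_int(wildcard)
    return (w & (w + 1)) == 0


def check_suspicious_wildcard(wildcard: str) -> Optional[str]:
    """Flag the classic mistake of typing a subnet mask where a wildcard belongs.

    A wildcard with high bits set and low bits clear (e.g. 255.255.255.0)
    ignores the network part and matches on the host part, which is almost
    never intended.
    """
    w = to_int(wildcard)
    if w not in (0, ALL_ONES) and (w & 0x80000000) and not (w & 1):
        return f"{wildcard} looks like a subnet mask; did you mean {netmask_to_wildcard(wildcard)}?"
    return None
```

Run check_suspicious_wildcard over every wildcard in a configuration before applying it; an entry such as permit ip 10.0.0.0 255.255.255.0 any matches 2^24 addresses, not the /24 the author meant.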
Command Default
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny
statement.
Command Modes
Global configuration (config)
Command History

Release        Modification
10.0           This command was introduced.
10.3           The following keywords and arguments were added: source, source-wildcard, destination, destination-wildcard, precedence precedence, icmp-type, icmp-code, icmp-message, igmp-type, operator, port, established.
11.1           The dynamic dynamic-name keyword and argument were added.
11.1           The timeout minutes keyword and argument were added.
11.2           The log-input keyword was added.
12.0(1)T       The time-range time-range-name keyword and argument were added.
12.0(11)       The fragments keyword was added.
12.2(13)T      The non500-isakmp keyword was added to the list of UDP port names. The igrp keyword was removed because the IGRP protocol is no longer available in Cisco IOS software.
12.4           The drip keyword was added to specify the TCP port number used for OER communication.
12.2(33)SRA    This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX         This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
12.4(22)T      The word argument was added to the log and log-input keywords.
15.1(2)SNG     This command was integrated into the Cisco ASR 901 Series Aggregation Services Routers.
Usage Guidelines
You can use access lists to control the transmission of packets on an interface, control Virtual Terminal Line (VTY) access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after the first match occurs, so the order of entries matters.
Noninitial IP fragments carry no Layer 4 header, so an extended IP access list can match them only on their Layer 3 information; the exact rules, including when a deny entry is skipped for a noninitial fragment, are given under "Access List Processing of Fragments" below. Extended access lists used to control VTY access or restrict the contents of routing updates must not match against the TCP source port, the type of service (ToS) value, or the precedence of the packet.
Note: After a numbered access list is created, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific numbered access list.
The following is a list of precedence names (with the numeric value each stands for):
- critical (5)
- flash (3)
- flash-override (4)
- immediate (2)
- internet (6)
- network (7)
- priority (1)
- routine (0)
The following is a list of ToS names (with the numeric value each stands for):
- max-reliability (2)
- max-throughput (4)
- min-delay (8)
- min-monetary-cost (1)
- normal (0)
The following is a list of ICMP message type and code names:
- administratively-prohibited
- alternate-address
- conversion-error
- dod-host-prohibited
- dod-net-prohibited
- echo
- echo-reply
- general-parameter-problem
- host-isolated
- host-precedence-unreachable
- host-redirect
- host-tos-redirect
- host-tos-unreachable
- host-unknown
- host-unreachable
- information-reply
- information-request
- mask-reply
- mask-request
- mobile-redirect
- net-redirect
- net-tos-redirect
- net-tos-unreachable
- net-unreachable
- network-unknown
- no-room-for-option
- option-missing
- packet-too-big
- parameter-problem
- port-unreachable
- precedence-unreachable
- protocol-unreachable
- reassembly-timeout
- redirect
- router-advertisement
- router-solicitation
- source-quench
- source-route-failed
- time-exceeded
- timestamp-reply
- timestamp-request
- traceroute
- ttl-exceeded
- unreachable
The following is a list of IGMP message names:
- dvmrp
- host-query
- host-report
- pim
- trace
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.
- bgp
- chargen
- daytime
- discard
- domain
- drip
- echo
- finger
- ftp
- ftp-data
- gopher
- hostname
- irc
- klogin
- kshell
- lpd
- nntp
- pop2
- pop3
- smtp
- sunrpc
- syslog
- tacacs-ds
- talk
- telnet
- time
- uucp
- whois
- www
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.
- biff
- bootpc
- bootps
- discard
- dnsix
- domain
- echo
- mobile-ip
- nameserver
- netbios-dgm
- netbios-ns
- non500-isakmp
- ntp
- rip
- snmp
- snmptrap
- sunrpc
- syslog
- tacacs-ds
- talk
- tftp
- time
- who
- xdmcp
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword (the default behavior), and assuming all of the access-list entry information matches:

  For an access-list entry containing only Layer 3 information:
  - The entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.

  For an access-list entry containing Layer 3 and Layer 4 information:
  - The entry is applied to nonfragmented packets and initial fragments.
    - If the entry is a permit statement, the packet or fragment is permitted.
    - If the entry is a deny statement, the packet or fragment is denied.
  - The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
    - If the entry is a permit statement, the noninitial fragment is permitted.
    - If the entry is a deny statement, the next access-list entry is processed.

  Note: The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

If the access-list entry has the fragments keyword, and assuming all of the access-list entry information matches:

  The access-list entry is applied only to noninitial fragments.

  Note: The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

Be aware that you should not simply add the fragments keyword to every access list entry, because the first fragment of an IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword; instead the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair does not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the fragments keyword and applies to the subsequent fragments. Where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list. Without that second entry, a deny that carries Layer 4 information is skipped for noninitial fragments, which then fall through to whatever permit follows.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note: The fragments keyword cannot solve all cases involving access lists and IP fragments.
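The rules above are easy to misread, and the consequence of misreading them is a filter that denies the first fragment of a connection but passes the rest. The following Python is an added example, not Cisco code: it encodes the fragment-processing table, the stateless established check and the implicit deny so that an ACL design can be tested offline. Packet and Ace are this example's own types; only the eq port operator and the established and fragments keywords are modelled, and the two access lists and the packets at the end are constructed sample input, one relying on a Layer 4 deny alone and one with the paired fragments deny the text recommends.

```python
"""Model of extended-ACL evaluation for nonfragmented packets, initial
fragments and noninitial fragments, with and without the fragments keyword.

Added example, not Cisco code.  Packet and Ace are this example's own types.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")      # the 'any' shorthand

def host(addr: str) -> Tuple[str, str]:
    """The 'host A.B.C.D' shorthand: address with an all-zero wildcard."""
    return addr, "0.0.0.0"

@dataclass
class Packet:
    proto: str                      # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None     # unknown on a noninitial fragment (no L4 header)
    frag_offset: int = 0            # > 0 marks a noninitial fragment
    ack: bool = False               # TCP ACK flag
    rst: bool = False               # TCP RST flag

    @property
    def noninitial(self) -> bool:
        return self.frag_offset > 0

@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: Tuple[str, str]            # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None     # 'eq dport', Layer 4 information
    established: bool = False       # Layer 4 information
    fragments: bool = False

    @property
    def has_l4(self) -> bool:
        return self.dport is not None or self.established

    def __post_init__(self) -> None:
        if self.fragments and self.has_l4:   # IOS rejects this combination
            raise ValueError("fragments cannot be combined with Layer 4 information")

def _wc_match(addr: str, pair: Tuple[str, str]) -> bool:
    """Bits where the wildcard is 0 must agree; bits where it is 1 are ignored."""
    ace_addr, wildcard = pair
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(ace_addr)) & care)

def _l3_match(ace: Ace, pkt: Packet) -> bool:
    return ace.proto in ("ip", pkt.proto) and _wc_match(pkt.src, ace.src) and _wc_match(pkt.dst, ace.dst)

def _l4_match(ace: Ace, pkt: Packet) -> bool:
    if ace.dport is not None and pkt.dport != ace.dport:
        return False
    # established is stateless: any segment with ACK or RST set matches.
    return not ace.established or pkt.ack or pkt.rst

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the matching entry); index None is the implicit deny."""
    for i, ace in enumerate(acl):
        if not _l3_match(ace, pkt):
            continue
        if ace.fragments:
            if pkt.noninitial:              # applies only to noninitial fragments
                return ace.action, i
            continue                        # initial fragments fall through
        if not pkt.noninitial:              # full Layer 3 + Layer 4 check
            if _l4_match(ace, pkt):
                return ace.action, i
            continue
        # Noninitial fragment: a Layer-3-only entry applies fully and a permit
        # with Layer 4 information also matches; a deny with Layer 4
        # information cannot be checked, so the next entry is processed.
        if not ace.has_l4 or ace.action == "permit":
            return ace.action, i
    return "deny", None

TELNET = 23
MAIL_HOST = "10.88.1.2"

# Constructed ACLs: the first relies on a Layer 4 deny alone; the second adds
# the paired deny with the fragments keyword that the text recommends.
ACL_WEAK = [
    Ace("deny", "tcp", ANY, host(MAIL_HOST), dport=TELNET),
    Ace("permit", "ip", ANY, ANY),
]
ACL_HARDENED = [
    Ace("deny", "tcp", ANY, host(MAIL_HOST), dport=TELNET),
    Ace("deny", "ip", ANY, host(MAIL_HOST), fragments=True),
    Ace("permit", "ip", ANY, ANY),
]

# Constructed packets: the first fragment (offset 0) carries the TCP header;
# a later fragment (offset > 0) does not, so its port is unknown.
INITIAL_TELNET = Packet("tcp", "192.0.2.10", MAIL_HOST, dport=TELNET)
LATER_FRAGMENT = Packet("tcp", "192.0.2.10", MAIL_HOST, frag_offset=185)
```

Evaluating LATER_FRAGMENT against ACL_WEAK returns a permit from the final entry, because the Layer 4 deny is skipped for a noninitial fragment; against ACL_HARDENED it is denied by the fragments entry, while an initial fragment to another port still falls through to the permit. The same function shows why established is not a connection tracker: a lone ACK or RST to any port matches a permit tcp ... established entry.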
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed even if the first fragment was not policy routed, or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.
Permitting Optimized Edge Routing (OER) Communication
The drip keyword was introduced under the tcp keyword to support
packet filtering in a network where OER is configured. The drip keyword specifies
port 3949 that OER uses for internal communication. This option allows you to build
a packet filter that permits communication between an OER primary controller and
border router(s). The drip keyword is entered following the TCP source, destination,
and the eq operator. See the example at the end of this
command reference page.
Examples
In the following example, serial interface 0 is part of a Class B network with the address 10.88.0.0, and the address of the mail host is 10.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP segment has the ACK or RST bit set, which indicates that the packet belongs to an existing connection (or was crafted to look as if it does; the check keeps no connection state).
access-list 102 permit tcp 0.0.0.0 255.255.255.255 10.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 10.88.1.2 0.0.0.0 eq 25
interface serial 0
ip access-group 102 in
The following example permits Domain Name System (DNS) packets and ICMP echo and echo-reply packets in addition to the established and SMTP traffic of the previous example:
access-list 102 permit tcp any 10.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 10.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant when an extended access list is used to filter routing updates (for example, through a distribute-list): the source and source-wildcard are compared with the route's prefix, and the destination and destination-wildcard are compared with its subnet mask. Wildcard bits are similar to the bitmasks that are used with normal access lists. Prefix or mask bits corresponding to wildcard bits set to 1 are ignored during comparisons, and prefix or mask bits corresponding to wildcard bits set to 0 are used in the comparison.
The following example permits 192.168.0.0 255.255.0.0 but denies any more specific routes of 192.168.0.0 (including 192.168.0.0 255.255.255.0):
access-list 101 permit ip 192.168.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following example permits 10.108.0.0/24 but denies 10.108.0.0/16 and all other subnets of 10.108.0.0:
access-list 101 permit ip 10.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 10.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
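Because a route-filtering entry tests the prefix and the mask with separate wildcards, it is worth checking which routes an entry actually catches before it goes into a distribute-list. The following Python is an added example, not Cisco code; the RouteAce tuple, filter_route and apply are its own names, and the access list encoded is the 192.168.0.0 example above with a constructed set of candidate routes.

```python
"""How an extended ACL matches routes when it filters routing updates.

Added example, not from the Cisco reference.  In this use the source fields
are compared with the route's prefix and the destination fields with its
subnet mask.  The routes passed in are constructed sample input.
"""
import ipaddress
from typing import List, Optional, Tuple

# (action, prefix, prefix-wildcard, mask, mask-wildcard), in configured order
RouteAce = Tuple[str, str, str, str, str]

# access-list 101 permit ip 192.168.0.0 0.0.0.0 255.255.0.0 0.0.0.0
# access-list 101 deny ip 192.168.0.0 0.0.255.255 255.255.0.0 0.0.255.255
ACL_101: List[RouteAce] = [
    ("permit", "192.168.0.0", "0.0.0.0", "255.255.0.0", "0.0.0.0"),
    ("deny", "192.168.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255"),
]


def _wc_match(value: str, ace_value: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must agree; bits where it is 1 are ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(value)) & care) == (int(ipaddress.IPv4Address(ace_value)) & care)


def filter_route(acl: List[RouteAce], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, index) for a route in CIDR form; index None is the implicit deny."""
    net = ipaddress.IPv4Network(route, strict=False)
    prefix, mask = str(net.network_address), str(net.netmask)
    for i, (action, p, p_wc, m, m_wc) in enumerate(acl):
        if _wc_match(prefix, p, p_wc) and _wc_match(mask, m, m_wc):
            return action, i
    return "deny", None


def apply(acl: List[RouteAce], routes: List[str]) -> List[str]:
    """The routes an update would still carry after filtering."""
    return [r for r in routes if filter_route(acl, r)[0] == "permit"]
```

Note that a route outside 192.168.0.0/16 entirely, such as 10.0.0.0/8, matches neither entry and is dropped by the implicit deny; a filter intended to suppress only the more-specific 192.168 routes needs a trailing permit ip any any.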
The following example uses a time range to deny HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:
time-range no-http
periodic weekdays 8:00 to 18:00
!
access-list 101 deny tcp any any eq http time-range no-http
!
interface ethernet 0
ip access-group 101 in
The following example permits communication, from any TCP source and destination, between an
OER primary controller and border router:
access-list 100 permit tcp any eq drip any eq drip
The following example shows how to configure the access list with the
log keyword. It sets the
word argument to UserDefinedValue. The word UserDefinedValue is appended to the related syslog entry:
Router(config)# access-list 101 permit tcp host 10.1.1.1 host 10.1.1.2 log UserDefinedValue
This example shows how to create an ACL that permits IP traffic from any source to any destination that has the DSCP value
set to 32:
Router(config)# access-list 100 permit ip any any dscp 32
This example shows how to create an ACL that permits IP traffic from a source host at 10.1.1.1 to a destination host at 10.1.1.2
with a precedence value of 5:
Router(config)# access-list 100 permit ip host 10.1.1.1 host 10.1.1.2 precedence 5