The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Access control lists (ACLs) perform packet filtering to control which packets move through the network and where. Such control provides security by helping to limit network traffic, restrict the access of users and devices to the network, and prevent traffic from leaving a network. IP access lists can reduce the chance of spoofing and denial-of-service attacks and allow dynamic, temporary user access through a firewall.
IP access lists can also be used for purposes other than security, such as bandwidth control, restricting the content of routing updates, redistributing routes, triggering dial-on-demand (DDR) calls, limiting debug output, and identifying or classifying traffic for quality of service (QoS) features. This module provides an overview of IP access lists.
This section lists the prerequisites for configuring network security with access control lists (ACLs).
On switches running the LAN base feature set, VLAN maps should be supported.
The following are restrictions for configuring network security with ACLs:
Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can use a name.
A standard ACL and an extended ACL cannot have the same name.
Though visible in the command-line help strings, AppleTalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
ACL wild card is not supported in downstream client policy.
The following restrictions apply to IPv4 ACLs to network interfaces:
When controlling access to an interface, you can use a named or numbered ACL.
If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.
You do not have to enable routing to apply ACLs to Layer 2 interfaces.
After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:
You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
 Note |
The mac access-group interface configuration command is only valid when applied to a physical Layer 2 interface. You cannot use the command on EtherChannel port channels. |
This feature does not support dynamic, reflexive, or firewall access lists.
Information About Configuring IPv4 Access Control Lists
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions in an access list. The first match decides whether the switch accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the packet. If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs on all packets it forwards, including packets bridged within a VLAN.
You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.
This section describes IP ACLs.
An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.
The software supports these types of ACLs or access lists for IPv4:
Standard IP access lists use source addresses for matching operations.
Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control.
Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers.
The following ACL-related features are not supported:
Non-IP protocol ACLs
IP accounting
Reflexive ACLs, URL Redirect ACLs and Dynamic ACLs are not supported.
ACL logging for port ACLs and VLAN maps
The number you use to denote your ACL shows the type of access list that you are creating.
This lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch. The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.
|
Access List Number |
Type |
Supported |
|---|---|---|
|
1–99 |
IP standard access list |
Yes |
|
100–199 |
IP extended access list |
Yes |
|
200–299 |
Protocol type-code access list |
No |
|
300–399 |
DECnet access list |
No |
|
400–499 |
XNS standard access list |
No |
|
500–599 |
XNS extended access list |
No |
|
600–699 |
AppleTalk access list |
No |
|
700–799 |
48-bit MAC address access list |
No |
|
800–899 |
IPX standard access list |
No |
|
900–999 |
IPX extended access list |
No |
|
1000–1099 |
IPX SAP access list |
No |
|
1100–1199 |
Extended 48-bit MAC address access list |
No |
|
1200–1299 |
IPX summary address access list |
No |
|
1300–1999 |
IP standard access list (expanded range) |
Yes |
|
2000–2699 |
IP extended access list (expanded range) |
Yes |
In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
When creating an ACL, remember that, by default, the end of the ACL contains an implicit deny statement for all packets that it did not find a match for before reaching the end. With standard access lists, if you omit the mask from an associated IP host address ACL specification, 0.0.0.0 is assumed to be the mask.
The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don’t care mask of 0.0.0.0 are moved to the top of the list, above any entries with non-zero don’t care masks. Therefore, in show command output and in the configuration file, the ACEs do not necessarily appear in the order in which they were entered.
After creating a numbered standard IPv4 ACL, you can apply it to VLANs, to terminal lines, or to interfaces.
Although standard ACLs use only source addresses for matching, you can use extended ACL source and destination addresses for matching operations and optional protocol type information for finer granularity of control. When you are creating ACEs in numbered extended access lists, remember that after you create the ACL, any additions are placed at the end of the list. You cannot reorder the list or selectively add or remove ACEs from a numbered list.
The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the type of service (ToS) minimize-monetary-cost bit.
Some protocols also have specific parameters and keywords that apply to that protocol.
You can define an extended TCP, UDP, ICMP, IGMP, or other IP ACL. The switch also supports these IP protocols:
Note |
ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered. |
These IP protocols are supported:
Authentication Header Protocol (ahp )
Encapsulation Security Payload (esp )
Enhanced Interior Gateway Routing Protocol (eigrp )
generic routing encapsulation (gre )
Internet Control Message Protocol (icmp )
Internet Group Management Protocol (igmp )
any Interior Protocol (ip )
IP in IP tunneling (ipinip )
KA9Q NOS-compatible IP over IP tunneling (nos )
Open Shortest Path First routing (ospf )
Payload Compression Protocol (pcp )
Protocol-Independent Multicast (pim )
Transmission Control Protocol (tcp )
User Datagram Protocol (udp )
You can identify IPv4 ACLs with an alphanumeric string (a name) rather than a number. You can use named ACLs to configure more IPv4 access lists in a router than if you were to use numbered access lists. If you identify your access list with a name rather than a number, the mode and command syntax are slightly different. However, not all commands that use IP access lists accept a named access list.
Note |
The name you give to a standard or extended ACL can also be a number in the supported range of access list numbers. That is, the name of a standard IP ACL can be 1 to 99 and . The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list. |
Consider these guidelines before configuring named ACLs:
Numbered ACLs are also available.
A standard ACL and an extended ACL cannot have the same name.
You can use standard or extended ACLs (named or numbered) in VLAN maps.
The Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports.
This feature greatly reduces the number of access control entries (ACEs) required in an access control list to handle multiple entries for the same source address, destination address, and protocol. If you maintain large numbers of ACEs, use this feature to consolidate existing groups of access list entries wherever it is possible and when you create new access list entries. When you configure access list entries with noncontiguous ports, you will have fewer access list entries to maintain.
The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the IP Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry within an access list. If a user wanted to insert an entry (statement) in the middle of an existing list, all of the entries after the desired position had to be removed, then the new entry was added, and then all the removed entries had to be reentered. This method was cumbersome and error prone.
This feature allows users to add sequence numbers to access list entries and resequence them. When a user adds a new entry, the user chooses the sequence number so that it is in a desired position in the access list. If necessary, entries currently in the access list can be resequenced to create room to insert the new entry.
For backward compatibility with previous releases, if entries with no sequence numbers are applied, the first entry is assigned a sequence number of 10, and successive entries are incremented by 10. The maximum sequence number is 2147483647. If the generated sequence number exceeds this maximum number, the following message is displayed:
Exceeded maximum sequence number.
If the user enters an entry without a sequence number, it is assigned a sequence number that is 10 greater than the last sequence number in that access list and is placed at the end of the list.
If the user enters an entry that matches an already existing entry (except for the sequence number), then no changes are made.
If the user enters a sequence number that is already present, the following error message is generated:
Duplicate sequence number.
If a new access list is entered from global configuration mode, then sequence numbers for that access list are generated automatically.
Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and line card are in synchronization at all times.
Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is reloaded, the configured sequence numbers revert to the default sequence starting number and increment. The function is provided for backward compatibility with software releases that do not support sequence numbering.
This feature works with named and numbered, standard and extended IP access lists.
You can use the remark keyword to include comments (remarks) about entries in any IP standard or extended ACL. The remarks make the ACL easier for you to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement. For example, it would be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.
To include a comment for IP numbered standard or extended ACLs, use the access-list access-list number remark remark global configuration command. To remove the remark, use the no form of this command.
ip access-list extended telnetting
remark Do not allow host1 subnet to telnet out
deny tcp host 172.16.2.88 any eq telnet
ACL processing is performed in hardware. If the hardware reaches its capacity to store ACL configurations, all packets on that interface are dropped.
Note |
If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a switch or stack member, then only the traffic in that VLAN arriving on that switch is affected. |
For router ACLs, other factors can cause packets to be sent to the CPU:
Using the log keyword
Generating ICMP unreachable messages
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done by software. Because of the difference in packet handling capacity between hardware and software, if the sum of all flows being logged (both permitted flows and denied flows) is of great enough bandwidth, not all of the packets that are forwarded can be logged.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. Use the show platform acl counters hardware privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets.
Router ACLs function as follows:
The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security access control.
If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware.
Adding the log keyword to an ACE in a router ACL causes a copy of the packet to be sent to the CPU for logging only. If the ACE is a permit statement, the packet is still switched and routed in hardware.
You can selectively apply extended ACLs based on the time of day and the week by using the time-range global configuration command. First, define a time-range name and set the times and the dates or the days of the week in the time range. Then enter the time-range name when applying an ACL to set restrictions to the access list. You can use the time range to define when the permit or deny statements in the ACL are in effect, for example, during a specified time period or on specified days of the week. The time-range keyword and argument are referenced in the named and numbered extended ACL task tables.
These are some benefits of using time ranges:
You have more control over permitting or denying a user access to resources, such as an application (identified by an IP address/mask pair and a port number).
You can control logging messages. ACL entries can be set to log traffic only at certain times of the day. Therefore, you can simply deny access without needing to analyze many logs generated during peak hours.
Time-based access lists trigger CPU activity because the new configuration of the access list must be merged with other features and the combined configuration loaded into the hardware memory. For this reason, you should be careful not to have several access lists configured to take affect in close succession (within a small number of minutes of each other.)
Note |
The time range relies on the switch system clock; therefore, you need a reliable clock source. We recommend that you use Network Time Protocol (NTP) to synchronize the switch clock. |
When you apply the ip access-group interface configuration command to a Layer 3 interface (an SVI, a Layer 3 EtherChannel, or a routed port), the interface must have been configured with an IP address. Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU. They do not affect packets bridged within a VLAN.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet.
For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the packet against the ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet, the switch discards the packet.
By default, the input interface sends ICMP Unreachable messages whenever a packet is discarded, regardless of whether the packet was discarded because of an ACL on the input interface or because of an ACL on the output interface. ICMP Unreachables are normally limited to no more than one every one-half second per input interface, but this can be changed by using the ip icmp rate-limit unreachable global configuration command.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits all packets. Remember this behavior if you use undefined ACLs for network security.
With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access list. With other protocols, you apply only one access list that checks both inbound and outbound packets.
If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software discards the packet.
If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the access list’s criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet is denied, the software discards the packet.
Note |
Access lists that are applied to interfaces on a device do not filter traffic that originates from that device. |
The figure above shows that Device 2 is a bypass device that is connected to Device 1 and Device 3. An outbound access list is applied to Gigabit Ethernet interface 0/0/0 on Device 1. When you ping Device 3 from Device 1, the access list does not check for packets going outbound because the traffic is locally generated.
The access list check is bypassed for locally generated packets, which are always outbound.
By default, an access list that is applied to an outbound interface for matching locally generated traffic will bypass the outbound access list check; but transit traffic is subjected to the outbound access list check.
Note |
The behavior described above applies to all single-CPU platforms that run Cisco software. |
Note |
ACL logging is only supported for RACL. |
Note |
Because routing is done in hardware and logging is done in software, if a large number of packets match a permit or deny ACE containing a log keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged. |
The first packet that triggers the ACL causes a logging message right away, and subsequent packets are collected over 5-minute intervals before they appear or logged. The logging message includes the access list number, whether the packet was permitted or denied, the source IP address of the packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
Note |
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list. |
Follow the procedure given below to use IP ACLs on the switch:
|
Step 1 |
Create an ACL by specifying an access list number or name and the access conditions. |
|
Step 2 |
Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps. |
Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
| Command or Action | Purpose | |||
|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||
|
Step 2 |
access-list access-list-number {deny | permit} source source-wildcard [log] Example: |
Defines a standard IPv4 access list by using a source address and wildcard. The access-list-number is a decimal number from 1 to 99 or 1300 to 1999. Enter deny or permit to specify whether to deny or permit access if conditions are matched. The source is the source address of the network or host from which the packet is being sent specified as:
(Optional) The source-wildcard applies wildcard bits to the source. (Optional) Enter log to cause an informational logging message about the packet that matches the entry to be sent to the console. (Optional) Enter smartlog to send copies of denied or permitted packets to a NetFlow collector.
|
||
|
Step 3 |
end Example: |
Returns to privileged EXEC mode. |
Follow the procedure given below to create a numbered extended ACL:
| Command or Action | Purpose | |||||||
|---|---|---|---|---|---|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
||||||
|
Step 2 |
access-list access-list-number 
{deny | permit} protocol 
source source-wildcard 
destination destination-wildcard [precedence precedence] [tos tos] [fragments] [log [log-input] [time-range time-range-name] [dscp dscp] Example: |
Defines an extended IPv4 access list and the access conditions. The access-list-number is a decimal number from 100 to 199 or 2000 to 2699. Enter deny or permit to specify whether to deny or permit the packet if conditions are matched. For protocol , enter the name or number of an P protocol: ahp , eigrp , esp , gre , icmp , igmp , igrp , ip , ipinip , nos , ospf , pcp , pim , tcp , or udp , or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip .
The source is the number of the network or host from which the packet is sent. The source-wildcard applies wildcard bits to the source. The destination is the network or host number to which the packet is sent. The destination-wildcard applies wildcard bits to the destination. Source, source-wildcard, destination, and destination-wildcard can be specified as:
The other keywords are optional and have these meanings:
|
||||||
|
Step 3 |
access-list access-list-number {deny | permit} tcp source source-wildcard [operator port] destination destination-wildcard [operator port] [established] [precedence precedence] [tos tos] [fragments] [log [log-input] [time-range time-range-name] [dscp dscp] [flag] Example: |
Defines an extended TCP access list and the access conditions. The parameters are the same as those described for an extended IPv4 ACL, with these exceptions: (Optional) Enter an operator and port to compare source (if positioned after source source-wildcard ) or destination (if positioned after destination destination-wildcard ) port. Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space). Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. Use only TCP port numbers or names when filtering TCP. The other optional keywords have these meanings:
|
||||||
|
Step 4 |
access-list access-list-number 
{deny | permit} udp 
source source-wildcard [operator port] destination destination-wildcard [operator port] [precedence precedence] [tos tos] [fragments] [log [log-input] [time-range time-range-name] [dscp dscp] Example: |
(Optional) Defines an extended UDP access list and the access conditions. The UDP parameters are the same as those described for TCP except that the [operator [port]] port number or name must be a UDP port number or name, and the flag and established keywords are not valid for UDP. |
||||||
|
Step 5 |
access-list access-list-number 
{deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [fragments] [time-range time-range-name] [dscp dscp] Example: |
Defines an extended ICMP access list and the access conditions. The ICMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
|
||||||
|
Step 6 |
access-list access-list-number 
{deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [fragments] [log [log-input] [time-range time-range-name] [dscp dscp] Example: |
(Optional) Defines an extended IGMP access list and the access conditions. The IGMP parameters are the same as those described for most IP protocols in an extended IPv4 ACL, with this optional parameter. igmp-type—To match IGMP message type, enter a number from 0 to 15, or enter the message name: dvmrp , host-query , host-report , pim , or trace . |
||||||
|
Step 7 |
end Example: |
Returns to privileged EXEC mode. |
Follow the procedure given below to create a standard ACL using names:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
ip access-list standard name Example: |
Defines a standard IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 1 to 99. |
|
Step 4 |
Use one of the following:
Example:or |
In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped.
|
|
Step 5 |
end Example: |
Returns to privileged EXEC mode. |
|
Step 6 |
show running-config Example: |
Verifies your entries. |
|
Step 7 |
copy running-config startup-config Example: |
(Optional) Saves your entries in the configuration file. |
Follow the procedure given below to create an extended ACL using names:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
ip access-list extended name Example: |
Defines an extended IPv4 access list using a name, and enter access-list configuration mode. The name can be a number from 100 to 199. |
|
Step 4 |
{deny | permit} protocol {source [source-wildcard] | host source | any} {destination [destination-wildcard] | host destination | any} [precedence precedence] [tos tos] [established] [log] [time-range time-range-name] Example: |
In access-list configuration mode, specify the conditions allowed or denied. Use the log keyword to get access list logging messages, including violations.
|
|
Step 5 |
end Example: |
Returns to privileged EXEC mode. |
|
Step 6 |
show running-config Example: |
Verifies your entries. |
|
Step 7 |
copy running-config startup-config Example: |
(Optional) Saves your entries in the configuration file. |
When you are creating extended ACLs, remember that, by default, the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end. For standard ACLs, if you omit the mask from an associated IP host address access list specification, 0.0.0.0 is assumed to be the mask.
After you create an ACL, any additions are placed at the end of the list. You cannot selectively add ACL entries to a specific ACL. However, you can use no permit and no deny access-list configuration mode commands to remove entries from a named ACL.
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs.
After creating a named ACL, you can apply it to interfaces or to VLANs.
Perform this task to create access list entries that use noncontiguous TCP or UDP port numbers. Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves your filtering goals.
Note |
The ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry feature can be used only with named, extended ACLs. |
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
ip access-list extended access-list-name Example: |
Specifies the IP access list by name and enters named access list configuration mode. |
|
Step 4 |
[sequence-number ] permit tcp source source-wildcard [operator port [port ]] destination destination-wildcard [operator [port ]] [established {match-any | match-all } {+ | - } flag-name ] [precedence precedence ] [tos tos ] [log ] [time-range time-range-name ] [fragments ] Example: |
Specifies a permit statement in named IP access list configuration mode.
|
|
Step 5 |
[sequence-number ] deny tcp source source-wildcard [operator port [port ]] destination destination-wildcard [operator [port ]] [established {match-any | match-all } {+ | - } flag-name ] [precedence precedence ] [tos tos ] [log ] [time-range time-range-name ] [fragments ] Example: |
(Optional) Specifies a deny statement in named access list configuration mode.
|
|
Step 6 |
Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number command to delete an entry. |
Allows you to revise the access list. |
|
Step 7 |
end Example: |
(Optional) Exits named access list configuration mode and returns to privileged EXEC mode. |
|
Step 8 |
show ip access-lists access-list-name Example: |
(Optional) Displays the contents of the access list. |
Perform this task to consolidate a group of access list entries with noncontiguous ports into one access list entry.
Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves your filtering goals.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode.
|
|
Step 2 |
show ip access-lists access-list-name Example: |
(Optional) Displays the contents of the IP access list.
|
|
Step 3 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 4 |
ip access-list extended access-list-name Example: |
Specifies the IP access list by name and enters named access list configuration mode. |
|
Step 5 |
no [sequence-number ] permit protocol source source-wildcard destination destination-wildcard [option option-name ] [precedence precedence ] [tos tos ] [log ] [time-range time-range-name ] [fragments ] Example: |
Removes the redundant access list entry that can be consolidated.
|
|
Step 6 |
[sequence-number ] permit protocol source source-wildcard [operator port [port ]] destination destination-wildcard [operator port [port ]] [option option-name ] [precedence precedence ] [tos tos ] [log ] [time-range time-range-name ] [fragments ] Example: |
Specifies a permit statement in named access list configuration mode.
|
|
Step 7 |
Repeat Steps 5 and 6 as necessary, adding permit or deny statements to consolidate access list entries where possible. Use the no sequence-number command to delete an entry. |
Allows you to revise the access list. |
|
Step 8 |
end Example: |
(Optional) Exits named access list configuration mode and returns to privileged EXEC mode. |
|
Step 9 |
show ip access-lists access-list-name Example: |
(Optional) Displays the contents of the access list. |
This task shows how to assign sequence numbers to entries in a named IP access list and how to add or delete an entry to or from an access list. When completing this task, keep the following points in mind:
Resequencing the access list entries is optional. The resequencing step in this task is shown as required because that is one purpose of this feature and this task demonstrates that functionality.
In the following procedure, the permit command is shown in Step 5 and the deny command is shown in Step 6. However, that order can be reversed. Use the order that suits the need of your configuration.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
ip access-list resequence access-list-name starting-sequence-number increment Example: |
Resequences the specified IP access list using the starting sequence number and the increment of sequence numbers. |
|
Step 4 |
ip access-list {standard | extended } access-list-name Example: |
Specifies the IP access list by name and enters named access list configuration mode.
|
|
Step 5 |
Do one of the following:
Example: |
Specifies a permit statement in named IP access list mode.
|
|
Step 6 |
Do one of the following:
Example: |
(Optional) Specifies a deny statement in named IP access list mode.
|
|
Step 7 |
Do one of the following:
Example: |
Specifies a permit statement in named IP access list mode.
|
|
Step 8 |
Do one of the following:
Example: |
(Optional) Specifies a deny statement in named IP access list mode.
|
|
Step 9 |
Repeat Step 5 and/or Step 6 to add sequence number statements, as applicable. |
Allows you to revise the access list. |
|
Step 10 |
end Example: |
(Optional) Exits the configuration mode and returns to privileged EXEC mode. |
|
Step 11 |
show ip access-lists access-list-name Example: |
(Optional) Displays the contents of the IP access list. |
Review the output of the show ip access-lists command to see that the access list includes the new entries:
Device# show ip access-lists kmd1
Standard IP access list kmd1
100 permit 10.4.4.0, wildcard bits 0.0.0.255
105 permit 10.5.5.0, wildcard bits 0.0.0.255
115 permit 10.0.0.0, wildcard bits 0.0.0.255
130 permit 10.5.5.0, wildcard bits 0.0.0.255
145 permit 10.0.0.0, wildcard bits 0.0.0.255Either use a named or numbered access list configuration. You must apply the access list to an interface or terminal line after the access list is created for the configuration to work.
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
|
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
ip access-list {standard | extended} {name | number} Example: |
Identifies the access list by a name or number and enters extended named access list configuration mode. |
|
Step 4 |
remark remark Example: |
|
|
Step 5 |
deny protocol host host-address any eq port Example: |
Sets conditions in a named IP access list that denies packets. |
|
Step 6 |
end Example: |
Exits extended named access list configuration mode and enters privileged EXEC mode. |
Follow these steps to configure a time-range parameter for an ACL:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
time-range time-range-name Example: |
Assigns a meaningful name (for example, workhours) to the time range to be created, and enter time-range configuration mode. The name cannot contain a space or quotation mark and must begin with a letter. |
|
Step 4 |
Use one of the following:
Example:or |
Specifies when the function it will be applied to is operational.
See the example configurations. |
|
Step 5 |
end Example: |
Returns to privileged EXEC mode. |
|
Step 6 |
show running-config Example: |
Verifies your entries. |
|
Step 7 |
copy running-config startup-config Example: |
(Optional) Saves your entries in the configuration file. |
Repeat the steps if you have multiple items that you want in effect at different times.
You can use numbered ACLs to control access to one or more terminal lines. You cannot apply named ACLs to lines. You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them.
Follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
|
Step 2 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 3 |
line [console | vty] line-number Example: |
Identifies a specific line to configure, and enter in-line configuration mode.
The line-number is the first line number in a contiguous group that you want to configure when the line type is specified. The range is from 0 to 16. |
|
Step 4 |
access-class access-list-number {in | out } Example: |
Restricts incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list. |
|
Step 5 |
end Example: |
Returns to privileged EXEC mode. |
|
Step 6 |
show running-config Example: |
Verifies your entries. |
|
Step 7 |
copy running-config startup-config Example: |
(Optional) Saves your entries in the configuration file. |
This section describes how to apply IPv4 ACLs to network interfaces.
Beginning in privileged EXEC mode, follow the procedure given below to control access to an interface:
| Command or Action | Purpose | |
|---|---|---|
|
Step 1 |
configure terminal Example: |
Enters global configuration mode. |
|
Step 2 |
interface interface-id Example: |
Identifies a specific interface for configuration, and enter interface configuration mode. The interface can be a Layer 2 interface (port ACL), or a Layer 3 interface (router ACL). |
|
Step 3 |
ip access-group {access-list-number | name} {in | out} Example: |
Controls access to the specified interface. |
|
Step 4 |
end Example: |
Returns to privileged EXEC mode. |
|
Step 5 |
show running-config Example: |
Displays the access list configuration. |
|
Step 6 |
copy running-config startup-config Example: |
(Optional) Saves your entries in the configuration file. |
You can monitor IPv4 ACLs by displaying the ACLs that are configured on the switch, and displaying the ACLs that have been applied to interfaces and VLANs.
When you use the ip access-group interface configuration command to apply ACLs to a Layer 2 or 3 interface, you can display the access groups on the interface. You can also display the MAC ACLs applied to a Layer 2 interface. You can use the privileged EXEC commands as described in this table to display this information.
| Command | Purpose |
|---|---|
|
show access-lists [number | name] |
Displays the contents of one or all current IP and MAC address access lists or a specific access list (numbered or named). |
|
show ip access-lists [number | name] |
Displays the contents of all current IP access lists or a specific IP access list (numbered or named). |
|
show ip interface interface-id |
Displays detailed configuration and status of an interface. If IP is enabled on the interface and ACLs have been applied by using the ip access-group interface configuration command, the access groups are included in the display. |
|
show running-config [interface interface-id] |
Displays the contents of the configuration file for the switch or the specified interface, including all configured MAC and IP access lists and which access groups are applied to an interface. |
|
show mac access-group [interface interface-id] |
Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface. |
This shows a small networked office environment with routed Port 2 connected to Server A, containing benefits and other information that all employees can access, and routed Port 1 connected to Server B, containing confidential payroll data. All users can access Server A, but Server B has restricted access.
Use router ACLs to do this in one of two ways:
Create a standard ACL, and filter traffic coming to the server from Port 1.
Create an extended ACL, and filter traffic coming from the server into Port 1.
In this example, network 10.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 10.0.0.0 address specify a particular host. Using access list 2, the switch accepts one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the switch accepts addresses on all other network 10.0.0.0 subnets. The ACL is applied to packets entering a port.
Device(config)# access-list 2 permit 10.48.0.3
Device(config)# access-list 2 deny 10.48.0.0 0.0.255.255
Device(config)# access-list 2 permit 10.0.0.0 0.255.255.255
Device(config)# interface gigabitethernet2/0/1
Device(config-if)# ip access-group 2 in
In this example, the first line permits any incoming TCP connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 128.88.1.2. The third line permits incoming ICMP messages for error feedback.
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023
Device(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
Device(config)# access-list 102 permit icmp any any
Device(config)# interface gigabitethernet2/0/1
Device(config-if)# ip access-group 102 in
In this example, suppose that you have a network connected to the Internet, and you want any host on the network to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on your network, except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same port numbers are used throughout the life of the connection. Mail packets coming in from the Internet have a destination port of 25. Outbound packets have the port numbers reversed. Because the secure system of the network always accepts mail connections on port 25, the incoming and outgoing services are separately controlled. The ACL must be configured as an input ACL on the outbound interface and an output ACL on the inbound interface.
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip access-group 102 in
In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address is 128.88.1.2. The established keyword is used only for the TCP to show an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which show that the packet belongs to an existing connection. Gigabit Ethernet interface 1 on stack member 1 is the interface that connects the router to the Internet.
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
Device(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip access-group 102 in
This example creates a standard ACL named internet_filter and an extended ACL named marketing_group. The internet_filter ACL allows all traffic from the source address 1.2.3.4.
Device(config)# ip access-list standard Internet_filter
Device(config-ext-nacl)# permit 1.2.3.4
Device(config-ext-nacl)# exit
The marketing_group ACL allows any TCP Telnet traffic to the destination address and wildcard 171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP traffic, denies UDP traffic from any source to the destination address range 171.69.0.0 through 179.69.255.255 with a destination port less than 1024, denies any other IP traffic, and provides a log of the result.
Device(config)# ip access-list extended marketing_group
Device(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet
Device(config-ext-nacl)# deny tcp any any
Device(config-ext-nacl)# permit icmp any any
Device(config-ext-nacl)# deny udp any 171.69.0.0 0.0.255.255 lt 1024
Device(config-ext-nacl)# deny ip any any log
Device(config-ext-nacl)# exit
The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to incoming traffic on a Layer 3 port.
Device(config)# interface gigabitethernet3/0/1
Device(config-if)# no switchport
Device(config-if)# ip address 2.0.5.1 255.255.255.0
Device(config-if)# ip access-group Internet_filter out
Device(config-if)# ip access-group marketing_group in
This example shows how you can delete individual ACEs from the named access list border-list:
Device(config)# ip access-list extended border-list
Device(config-ext-nacl)# no permit ip host 10.1.1.3 any
The following access list entry can be created because up to ten ports can be entered after the eq and neq operators:
ip access-list extended aaa
permit tcp any eq telnet ftp any eq 23 45 34
end
Enter the show access-lists command to display the newly created access list entry.
Device# show access-lists aaa
Extended IP access list aaa
10 permit tcp any eq telnet ftp any eq 23 45 34The show access-lists command is used to display a group of access list entries for the access list named abc:
Device# show access-lists abc
Extended IP access list abc
10 permit tcp any eq telnet any eq 450
20 permit tcp any eq telnet any eq 679
30 permit tcp any eq ftp any eq 450
40 permit tcp any eq ftp any eq 679
Because the entries are all for the same permit statement and simply show different ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:
ip access-list extended abc
no 10
no 20
no 30
no 40
permit tcp any eq telnet ftp any eq 450 679
end
When the show access-lists command is reentered, the consolidated access list entry is displayed:
Device# show access-lists abc
Extended IP access list abc
10 permit tcp any eq telnet ftp any eq 450 679The following example shows an access list before and after resequencing. The starting value is 1, and increment value is 2. The subsequent entries are ordered based on the increment values that users provide, and the range is from 1 to 2147483647.
When an entry with no sequence number is entered, by default it has a sequence number of 10 more than the last entry in the access list.
Router# show access-list carls
Extended IP access list carls
10 permit ip host 10.3.3.3 host 172.16.5.34
20 permit icmp any any
30 permit tcp any host 10.3.3.3
40 permit ip host 10.4.4.4 any
50 Dynamic test permit ip any any
60 permit ip host 172.16.2.2 host 10.3.3.12
70 permit ip host 10.3.3.3 any log
80 permit tcp host 10.3.3.3 host 10.1.2.2
90 permit ip host 10.3.3.3 any
100 permit ip any any
Router(config)# ip access-list extended carls
Router(config)# ip access-list resequence carls 1 2
Router(config)# end
Router# show access-list carls
Extended IP access list carls
1 permit ip host 10.3.3.3 host 172.16.5.34
3 permit icmp any any
5 permit tcp any host 10.3.3.3
7 permit ip host 10.4.4.4 any
9 Dynamic test permit ip any any
11 permit ip host 172.16.2.2 host 10.3.3.12
13 permit ip host 10.3.3.3 any log
15 permit tcp host 10.3.3.3 host 10.1.2.2
17 permit ip host 10.3.3.3 any
19 permit ip any anyIn the following example, an new entry (sequence number 15) is added to an access list:
Router# show ip access-list
Standard IP access list tryon
2 permit 10.4.4.2, wildcard bits 0.0.255.255
5 permit 10.0.0.44, wildcard bits 0.0.0.255
10 permit 10.0.0.1, wildcard bits 0.0.0.255
20 permit 10.0.0.2, wildcard bits 0.0.0.255
Router(config)# ip access-list standard tryon
Router(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
Router# show ip access-list
Standard IP access list tryon
2 permit 10.4.0.0, wildcard bits 0.0.255.255
5 permit 10.0.0.0, wildcard bits 0.0.0.255
10 permit 10.0.0.0, wildcard bits 0.0.0.255
15 permit 10.5.5.0, wildcard bits 0.0.0.255
20 permit 10.0.0.0, wildcard bits 0.0.0.255The following example shows how an entry with no specified sequence number is added to the end of an access list. When an entry is added without a sequence number, it is automatically given a sequence number that puts it at the end of the access list. Because the default increment is 10, the entry will have a sequence number 10 higher than the last entry in the existing access list.
Router(config)# ip access-list standard resources
Router(config-std-nacl)# permit 10.1.1.1 0.0.0.255
Router(config-std-nacl)# permit 10.2.2.2 0.0.0.255
Router(config-std-nacl)# permit 10.3.3.3 0.0.0.255
Router# show access-list
Standard IP access list resources
10 permit 10.1.1.1, wildcard bits 0.0.0.255
20 permit 10.2.2.2, wildcard bits 0.0.0.255
30 permit 10.3.3.3, wildcard bits 0.0.0.255
Router(config)# ip access-list standard resources
Router(config-std-nacl)# permit 10.4.4.4 0.0.0.255
Router(config-std-nacl)# end
Router# show access-list
Standard IP access list resources
10 permit 10.1.1.1, wildcard bits 0.0.0.255
20 permit 10.2.2.2, wildcard bits 0.0.0.255
30 permit 10.3.3.3, wildcard bits 0.0.0.255
40 permit 10.4.4.4, wildcard bits 0.0.0.255In this example of a numbered ACL, the workstation that belongs to Jones is allowed access, and the workstation that belongs to Smith is not allowed access:
Device(config)# access-list 1 remark Permit only Jones workstation through
Device(config)# access-list 1 permit 171.69.2.88
Device(config)# access-list 1 remark Do not allow Smith workstation through
Device(config)# access-list 1 deny 171.69.3.13
In this example of a numbered ACL, the Winter and Smith workstations are not allowed to browse the web:
Device(config)# access-list 100 remark Do not allow Winter to browse the web
Device(config)# access-list 100 deny host 171.69.3.85 any eq www
Device(config)# access-list 100 remark Do not allow Smith to browse the web
Device(config)# access-list 100 deny host 171.69.3.13 any eq www
In this example of a named ACL, the Jones subnet is not allowed access:
Device(config)# ip access-list standard prevention
Device(config-std-nacl)# remark Do not allow Jones subnet through
Device(config-std-nacl)# deny 171.69.0.0 0.0.255.255
In this example of a named ACL, the Jones subnet is not allowed to use outbound Telnet:
Device(config)# ip access-list extended telnetting
Device(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
Device(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet
This example shows how to verify after you configure time ranges for workhours and to configure January 1, 2006, as a company holiday.
Device# show time-range
time-range entry: new_year_day_2003 (inactive)
absolute start 00:00 01 January 2006 end 23:59 01 January 2006
time-range entry: workhours (inactive)
periodic weekdays 8:00 to 12:00
periodic weekdays 13:00 to 17:00
To apply a time range, enter the time-range name in an extended ACL that can implement time ranges. This example shows how to create and verify extended access list 188 that denies TCP traffic from any source to any destination during the defined holiday times and permits all TCP traffic during work hours.
Device(config)# access-list 188 deny tcp any any time-range new_year_day_2006
Device(config)# access-list 188 permit tcp any any time-range workhours
Device(config)# end
Device# show access-lists
Extended IP access list 188
10 deny tcp any any time-range new_year_day_2006 (inactive)
20 permit tcp any any time-range workhours (inactive)
This example uses named ACLs to permit and deny the same traffic.
Device(config)# ip access-list extended deny_access
Device(config-ext-nacl)# deny tcp any any time-range new_year_day_2006
Device(config-ext-nacl)# exit
Device(config)# ip access-list extended may_access
Device(config-ext-nacl)# permit tcp any any time-range workhours
Device(config-ext-nacl)# end
Device# show ip access-lists
Extended IP access list lpip_default
10 permit ip any any
Extended IP access list deny_access
10 deny tcp any any time-range new_year_day_2006 (inactive)
Extended IP access list may_access
10 permit tcp any any time-range workhours (inactive)
This example denies HTTP traffic on IP on Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m (18:00). The example allows UDP traffic only on Saturday and Sunday from noon to 8:00 p.m. (20:00).
Device(config)# time-range no-http
Device(config)# periodic weekdays 8:00 to 18:00
!
Device(config)# time-range udp-yes
Device(config)# periodic weekend 12:00 to 20:00
!
Device(config)# ip access-list extended strict
Device(config-ext-nacl)# deny tcp any any eq www time-range no-http
Device(config-ext-nacl)# permit udp any any time-range udp-yes
!
Device(config-ext-nacl)# exit
Device(config)# interface gigabitethernet2/0/1
Device(config-if)# ip access-group strict in
Two variations of logging are supported on ACLs. The log keyword sends an informational logging message to the console about the packet that matches the entry; the log-input keyword includes the input interface in the log entry.
In this example, standard named access list stan1 denies traffic from 10.1.1.0 0.0.0.255, allows traffic from all other sources, and includes the log keyword.
Device(config)# ip access-list standard stan1
Device(config-std-nacl)# deny 10.1.1.0 0.0.0.255 log
Device(config-std-nacl)# permit any log
Device(config-std-nacl)# exit
Device(config)# interface gigabitethernet1/0/1
Device(config-if)# ip access-group stan1 in
Device(config-if)# end
Device# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Console logging: level debugging, 37 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: level debugging, 37 messages logged
File logging: disabled
Trap logging: level debugging, 39 message lines logged
Log Buffer (4096 bytes):
00:00:48: NTP: authentication delay calculation problems
<output truncated>
00:09:34:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
00:09:59:%SEC-6-IPACCESSLOGS:list stan1 denied 10.1.1.15 1 packet
00:10:11:%SEC-6-IPACCESSLOGS:list stan1 permitted 0.0.0.0 1 packet
This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0 0.0.0.255 and denies all UDP packets.
Device(config)# ip access-list extended ext1
Device(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 log
Device(config-ext-nacl)# deny udp any any log
Device(config-std-nacl)# exit
Device(config)# interface gigabitethernet1/0/2
Device(config-if)# ip access-group ext1 in
This is a an example of a log for an extended ACL:
01:24:23:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 1 packet
01:25:14:%SEC-6-IPACCESSLOGDP:list ext1 permitted icmp 10.1.1.15 -> 10.1.1.61 (0/0), 7 packets
01:26:12:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet
01:31:33:%SEC-6-IPACCESSLOGP:list ext1 denied udp 0.0.0.0(0) -> 255.255.255.255(0), 8 packets
Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG with minor variations in format depending on the kind of ACL and the access entry that has been matched.
This is an example of an output message when the log-input keyword is entered:
00:04:21:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 (Vlan1 0001.42ef.a400) ->
10.1.1.61 (0/0), 1 packet
A log message for the same sort of packet using the log keyword does not include the input interface information:
00:05:47:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 -> 10.1.1.61 (0/0), 1 packet
If this ACL manager message appears and [chars] is the access-list name,
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
The switch has insufficient resources to create a hardware representation of the ACL. The resources include hardware memory and label space but not CPU memory. A lack of available logical operation units or specialized hardware resources causes this problem. Logical operation units are needed for a TCP flag match or a test other than eq (ne , gt , lt , or range ) on TCP, UDP, or SCTP port numbers.
Use one of these workarounds:
Modify the ACL configuration to use fewer resources.
Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers.
To determine the specialized hardware resources, enter the show platform layer4 acl map privileged EXEC command. If the switch does not have available resources, the output shows that index 0 to index 15 are not available.
For more information about configuring ACLs with insufficient resources, see CSCsq63926 in the Bug Toolkit.
For example, if you apply this ACL to an interface:
permit tcp source source-wildcard destination destination-wildcard range 5 60
permit tcp source source-wildcard destination destination-wildcard range 15 160
permit tcp source source-wildcard destination destination-wildcard range 115 1660
permit tcp source source-wildcard destination destination-wildcard
And if this message appears:
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
The flag-related operators are not available. To avoid this issue,
Move the fourth ACE before the first ACE by using ip access-list resequence global configuration command:
permit tcp source source-wildcard destination destination-wildcard
permit tcp source source-wildcard destination destination-wildcard range 5 60
permit tcp source source-wildcard destination destination-wildcard range 15 160
permit tcp source source-wildcard destination destination-wildcard range 115 1660
or
Rename the ACL with a name or number that alphanumerically precedes the other ACLs (for example, rename ACL 79 to ACL 1).
You can now apply the first ACE in the ACL to the interface. The switch allocates the ACE to available mapping bits in the Opselect index and then allocates flag-related operators to use the same bits in the hardware memory.
| MIB | MIBs Link |
|---|---|
|
All the supported MIBs for this release. |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: |
| Description | Link |
|---|---|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
| Release | Feature Information |
|---|---|
| Cisco IOS Release 15.0(2)EX |
IPv4 Access Control Lists perform packet filtering to control which packets move through the network and where. Such control provides security by helping to limit network traffic, restrict the access of users and devices to the network, and prevent traffic from leaving a network. This feature was introduced. |
|
Cisco IOS 15.2(2)E |
The Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports. |
|
Cisco IOS 15.2(2)E |
The IP Access List Entry Sequence Numbering feature helps users to apply sequence numbers to permit or deny statements and also reorder, add, or remove such statements from a named IP access list. This feature makes revising IP access lists much easier. Prior to this feature, users could add access list entries to the end of an access list only; therefore needing to add statements anywhere except the end required reconfiguring the access list entirely. The following commands were introduced or modified: deny (IP) , ip access-list resequence deny (IP) , permit (IP) . |
Feedback