To set conditions in a named IP access list that will deny packets, use the deny command in access list configuration mode. To remove a deny condition from an access list, use the no form of this command.
[sequence-number] deny source [source-wildcard]
[sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [ttl operator value] [log] [time-range time-range-name] [fragments]
no sequence-number
no deny source [source-wildcard]
no deny protocol source source-wildcard destination destination-wildcard
Internet Control Message Protocol (ICMP)
[sequence-number] deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [ttl operator value] [log] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
[sequence-number] deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [ttl operator value] [log] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)
[sequence-number] deny tcp source source-wildcard [operator port [port] ] destination destination-wildcard [operator [port] ] [established {match-any | match-all} {+ | - } flag-name | precedence precedence | tos tos | ttl operator value | log | time-range time-range-name | fragments]
User Datagram Protocol (UDP)
[sequence-number] deny udp source source-wildcard [operator port [port] ] destination destination-wildcard [operator [port] ] [precedence precedence] [tos tos] [ttl operator value] [log] [time-range time-range-name] [fragments]
Syntax Description
sequence-number
    (Optional) Sequence number assigned to the deny statement. The sequence number causes the system to insert the statement in that numbered position in the access list.
source
    Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
    - Use a 32-bit quantity in four-part dotted-decimal format.
    - Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
    - Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard
    Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:
    - Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.
    - Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
    - Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
protocol
    Name or number of an Internet protocol. The protocol argument can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword.
    Note: When the icmp, igmp, tcp, and udp keywords are entered, they must be followed with the specific command syntax that is shown for the ICMP, IGMP, TCP, and UDP forms of the deny command.
icmp
    Denies only ICMP packets. When you enter the icmp keyword, you must use the specific command syntax shown for the ICMP form of the deny command.
igmp
    Denies only IGMP packets. When you enter the igmp keyword, you must use the specific command syntax shown for the IGMP form of the deny command.
tcp
    Denies only TCP packets. When you enter the tcp keyword, you must use the specific command syntax shown for the TCP form of the deny command.
udp
    Denies only UDP packets. When you enter the udp keyword, you must use the specific command syntax shown for the UDP form of the deny command.
destination
    Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
    - Use a 32-bit quantity in four-part dotted-decimal format.
    - Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
    - Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard
    Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
    - Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.
    - Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
    - Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
option option-name
    (Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255 or by the corresponding IP Option name, as listed in the table in the “Usage Guidelines” section.
precedence precedence
    (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by a name.
tos tos
    (Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by a name as listed in the “Usage Guidelines” section of the access-list (IP extended) command.
ttl operator value
    (Optional) Compares the TTL value in the packet to the TTL value specified in this deny statement.
    - The operator can be lt (less than), gt (greater than), eq (equal), neq (not equal), or range (inclusive range).
    - The value can range from 0 to 255.
    - If the operator is range, specify two values separated by a space.
    - For Release 12.0S, if the operator is eq or neq, only one TTL value can be specified.
    - For all other releases, if the operator is eq or neq, as many as 10 TTL values can be specified, separated by a space. If the TTL in the packet matches just one of the possibly 10 values, the entry is considered to be matched.
log
    (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
time-range time-range-name
    (Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
fragments
    (Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the “Usage Guidelines” section.
icmp-type
    (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code
    (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
    (Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name. The possible names are listed in the “Usage Guidelines” section of the access-list (IP extended) command.
igmp-type
    (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the “Usage Guidelines” section of the access-list (IP extended) command.
operator
    (Optional) Compares source or destination ports. Operators include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
    If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.
    The range operator requires two port numbers. Up to ten port numbers can be entered for the eq (equal) and neq (not equal) operators. All other operators require one port number.
port
    (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the “Usage Guidelines” section of the access-list (IP extended) command.
    TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.
established
    (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram to form a connection.
    Note: The established keyword can be used only with the old command-line interface (CLI) format. To use the new CLI format, you must use the match-any or match-all keywords followed by the + or - keywords and the flag-name argument.
match-any | match-all
    (Optional) For the TCP protocol only: A match occurs if the TCP datagram has certain TCP flags set or not set. You use the match-any keyword to allow a match to occur if any of the specified TCP flags are present, or you can use the match-all keyword to allow a match to occur only if all of the specified TCP flags are present. You must follow the match-any and match-all keywords with the + or - keyword and the flag-name argument to match on one or more TCP flags.
+ | - flag-name
    (Optional) For the TCP protocol only: The + keyword allows IP packets if their TCP headers contain the TCP flags that are specified by the flag-name argument. The - keyword filters out IP packets that do not contain the TCP flags specified by the flag-name argument. You must follow the + and - keywords with the flag-name argument. TCP flag names can be used only when filtering TCP. Flag names for the TCP flags are as follows: urg, ack, psh, rst, syn, and fin.
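The address and operator rules in the syntax description above, worked through as an added example (Python written for this page, not Cisco code): it expands any and host the way the description states, applies a dotted-decimal wildcard mask bit by bit, evaluates the lt/gt/eq/neq/range operators for ports and for TTL (up to ten values after eq and neq), and walks a constructed access list with first-match semantics and the implicit deny at the end. Port names, ICMP/IGMP types and the remaining keywords are not modelled; the entry grammar, the packet dictionary layout and the wildcard_for_prefix helper are this example's own assumptions.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF
OPERATORS = ("lt", "gt", "eq", "neq", "range")


def parse_address_spec(tokens):
    """Consume one address spec; returns (address_int, wildcard_int, remaining tokens).
    `any` is 0.0.0.0 255.255.255.255 and `host A` is A 0.0.0.0, as the reference says."""
    if tokens[0] == "any":
        return 0, ALL_ONES, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    address = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return address, wildcard, tokens[2:]


def address_matches(packet_address, address, wildcard):
    """A wildcard bit of 1 means "ignore this bit"; only the 0 bits are compared."""
    care = ~wildcard & ALL_ONES
    return (int(ipaddress.IPv4Address(packet_address)) & care) == (address & care)


def wildcard_for_prefix(prefix_length):
    """Helper (assumption, not a CLI feature): /24 -> 0.0.0.255, /16 -> 0.0.255.255."""
    netmask = (ALL_ONES << (32 - prefix_length)) & ALL_ONES
    return str(ipaddress.IPv4Address(~netmask & ALL_ONES))


def parse_operator(tokens):
    """Consume an optional `operator value...` clause (ports or TTL), numeric values only."""
    if not tokens or tokens[0] not in OPERATORS:
        return None, tokens
    values, i = [], 1
    while i < len(tokens) and tokens[i].isdigit():
        values.append(int(tokens[i]))
        i += 1
    return (tokens[0], values), tokens[i:]


def operator_matches(op, values, x):
    """lt/gt take one value, range takes two, eq/neq accept up to ten values."""
    if op == "lt":
        return x < values[0]
    if op == "gt":
        return x > values[0]
    if op == "range":
        low, high = values
        return low <= x <= high
    if op == "eq":
        return x in values[:10]
    if op == "neq":
        return x not in values[:10]
    raise ValueError(f"unknown operator {op!r}")


def parse_entry(text):
    """Parse `[seq] deny|permit proto src [op port...] dst [op port...] [ttl op value...]`."""
    tokens = text.split()
    entry = {"seq": int(tokens.pop(0)) if tokens[0].isdigit() else None}
    entry["action"], entry["protocol"] = tokens.pop(0), tokens.pop(0)
    entry["src"], entry["src_wc"], tokens = parse_address_spec(tokens)
    entry["src_port"], tokens = parse_operator(tokens)
    entry["dst"], entry["dst_wc"], tokens = parse_address_spec(tokens)
    entry["dst_port"], tokens = parse_operator(tokens)
    entry["ttl"] = None
    if tokens[:1] == ["ttl"]:
        entry["ttl"], tokens = parse_operator(tokens[1:])
    return entry


def entry_matches(entry, pkt):
    """pkt is a dict with protocol, src, dst, sport, dport and ttl keys (assumed layout)."""
    if entry["protocol"] not in ("ip", pkt["protocol"]):  # ip matches every protocol
        return False
    if not address_matches(pkt["src"], entry["src"], entry["src_wc"]):
        return False
    if not address_matches(pkt["dst"], entry["dst"], entry["dst_wc"]):
        return False
    for key, field in (("src_port", "sport"), ("dst_port", "dport"), ("ttl", "ttl")):
        if entry[key] is not None:
            op, values = entry[key]
            if not operator_matches(op, values, pkt[field]):
                return False
    return True


def evaluate(acl_lines, pkt):
    """The first matching entry decides; no match means the implicit deny."""
    for line in acl_lines:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"


# Constructed sample access list (not from the page).
SAMPLE_ACL = [
    "deny tcp 192.168.34.0 0.0.0.255 any eq 23 450 679",
    "deny ip any any ttl eq 10 20",
    "permit ip any any",
]

if __name__ == "__main__":
    pkt = {"protocol": "tcp", "src": "192.168.34.7", "dst": "10.1.1.1",
           "sport": 40000, "dport": 450, "ttl": 64}
    print(evaluate(SAMPLE_ACL, pkt))  # deny
```

The wildcard comparison is the part worth internalising: a wildcard of 0.0.0.255 masks the last octet out of the comparison, so 192.168.34.0 0.0.0.255 covers the whole /24, while host (wildcard 0.0.0.0) compares every bit.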
Command Default
There are no specific conditions under which a packet is denied passing the named access list.
Command Modes
Access list configuration
Command History
Release | Modification
11.2 | This command was introduced.
12.0(1)T | The time-range time-range-name keyword and argument were added.
12.0(11) | The fragments keyword was added.
12.2(13)T | The igrp keyword was removed because the IGRP protocol is no longer available in Cisco IOS software.
12.2(14)S | The sequence-number argument was added.
12.2(15)T | The sequence-number argument was added.
12.3(4)T | The option option-name keyword and argument were added. The match-any, match-all, +, and - keywords and the flag-name argument were added.
12.3(7)T | Command functionality was modified to allow up to ten port numbers to be added after the eq and neq operators so that an access list entry can be created with noncontiguous ports.
12.4(2)T | The ttl operator value keyword and arguments were added.
12.2(27)SBC | This command was integrated into Cisco IOS Release 12.2(27)SBC.
12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX | This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
Usage Guidelines
Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.
The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect.
log Keyword
A log message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable Cisco Express Forwarding (CEF) and then create an access list that uses the log keyword, the packets that match the access list are not CEF-switched. They are fast-switched. Logging disables CEF.
Access List Filtering of IP Options
Access control lists can be used to filter packets with IP Options to prevent routers from being saturated with spurious packets containing IP Options. To see a complete table of all IP Options, including ones currently not in use, refer to the latest Internet Assigned Numbers Authority (IANA) information that is available from its URL: www.iana.org.
Cisco IOS software allows you to filter packets according to whether they contain one or more of the legitimate IP Options by entering either the IP Option value or the corresponding name for the option-name argument as shown in the table below.
Table 3. IP Option Values and Names
IP Option Value or Name | Description
0 to 255 | IP Options values.
add-ext | Match packets with Address Extension Option (147).
any-options | Match packets with any IP Option.
com-security | Match packets with Commercial Security Option (134).
dps | Match packets with Dynamic Packet State Option (151).
encode | Match packets with Encode Option (15).
eool | Match packets with End of Options (0).
ext-ip | Match packets with Extended IP Options (145).
ext-security | Match packets with Extended Security Option (133).
finn | Match packets with Experimental Flow Control Option (205).
imitd | Match packets with IMI Traffic Descriptor Option (144).
lsr | Match packets with Loose Source Route Option (131).
mtup | Match packets with MTU Probe Option (11).
mtur | Match packets with MTU Reply Option (12).
no-op | Match packets with No Operation Option (1).
nsapa | Match packets with NSAP Addresses Option (150).
psh | Matches the packets on the PSH bit.
record-route | Match packets with Router Record Route Option (7).
reflect | Creates reflexive access list entry.
rst | Matches the packets on the RST bit.
router-alert | Match packets with Router Alert Option (148).
sdb | Match packets with Selective Directed Broadcast Option (149).
security | Match packets with Base Security Option (130).
ssr | Match packets with Strict Source Routing Option (137).
stream-id | Match packets with Stream ID Option (136).
syn | Matches the packets on the SYN bit.
timestamp | Match packets with Time Stamp Option (68).
Filtering IP Packets Based on TCP Flags
The access list entries that make up an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have very specific groups of TCP flags set or not set. Users can select any desired combination of TCP flags with which to filter TCP packets. Users can configure access list entries in order to allow matching on a flag that is set and on a flag that is not set. Use the + and - keywords with a flag name to specify that a match is made based on whether a TCP header flag has been set. Use the match-any and match-all keywords to allow the packet if any or all, respectively, of the flags specified by the + or - keyword and flag-name argument have been set or not set.
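The flag matching described above, worked through as an added example (Python written for this page, not Cisco code). It models +name as "flag must be set" and -name as "flag must be clear", combines the conditions with match-any (at least one holds) or match-all (every one holds), and keeps the older established keyword (ACK or RST set) beside them so the two forms can be compared on the same constructed flag bytes. The bit values are the standard TCP header flag bits; the entry_from_cli helper and its single-clause parsing are this example's own assumptions.

```python
# Standard TCP flag bits from the header's flags byte.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}


def encode_flags(*names):
    """Build a flags byte from flag names, e.g. encode_flags("syn", "ack")."""
    value = 0
    for name in names:
        value |= TCP_FLAG_BITS[name]
    return value


def parse_flag_spec(tokens):
    """Turn tokens such as ['+rst', '+fin', '-ack'] into (bit, must_be_set) conditions."""
    conditions = []
    for token in tokens:
        sign, name = token[:1], token[1:]
        if sign not in ("+", "-") or name not in TCP_FLAG_BITS:
            raise ValueError(f"bad flag token {token!r}")
        conditions.append((TCP_FLAG_BITS[name], sign == "+"))
    return conditions


def flags_match(mode, tokens, flags):
    """match-any: at least one condition holds; match-all: every condition holds."""
    results = [bool(flags & bit) == must_be_set for bit, must_be_set in parse_flag_spec(tokens)]
    if mode == "match-any":
        return any(results)
    if mode == "match-all":
        return all(results)
    raise ValueError(f"unknown mode {mode!r}")


def established(flags):
    """The old-format keyword: ACK or RST set, i.e. anything but the connection-opening SYN."""
    return bool(flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]))


def entry_from_cli(text):
    """Pull the flag clause out of e.g. `deny tcp any any match-any +rst +fin` and return a
    predicate over a flags byte (assumed helper; other keywords on the line are ignored)."""
    tokens = text.split()
    if "established" in tokens:
        return established
    for mode in ("match-any", "match-all"):
        if mode in tokens:
            spec = [t for t in tokens[tokens.index(mode) + 1:] if t[:1] in ("+", "-")]
            return lambda flags, mode=mode, spec=spec: flags_match(mode, spec, flags)
    raise ValueError("no TCP flag clause found")


if __name__ == "__main__":
    deny_rst_fin = entry_from_cli("deny tcp any any match-any +rst +fin")
    for names in (("rst",), ("fin", "ack"), ("syn",), ("syn", "ack")):
        print(names, deny_rst_fin(encode_flags(*names)))
```

A common defensive pattern that match-all expresses and established cannot is "+syn -ack": it isolates connection-opening segments, whereas match-any "+rst +fin" (the page's kmdfilter1 example) matches a segment carrying either flag.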
Access List Processing of Fragments
The behavior of access list entries regarding the use or lack of use of the fragments keyword can be summarized as follows:
If the access-list entry has no fragments keyword (the default behavior), and assuming all of the access-list entry information matches:
    For an access list entry that contains only Layer 3 information:
    - The entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.
    - If the entry is a permit statement, then the packet or fragment is permitted.
    - If the entry is a deny statement, then the packet or fragment is denied.
    For an access list entry that contains Layer 3 and Layer 4 information:
    - The entry is applied to nonfragmented packets and initial fragments.
      - If the entry is a permit statement, then the packet or fragment is permitted.
      - If the entry is a deny statement, then the packet or fragment is denied.
    - The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access list entry can be applied. If the Layer 3 portion of the access list entry matches, and
      - If the entry is a permit statement, then the noninitial fragment is permitted.
      - If the entry is a deny statement, then the next access list entry is processed.
    Note: The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.
If the access-list entry has the fragments keyword, and assuming all of the access-list entry information matches:
    The access list entry is applied only to noninitial fragments. The fragments keyword cannot be configured for an access list entry that contains any Layer 4 information.
Be aware that you should not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword. The packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases in which there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets, and each counts individually as a packet in access list accounting and access list violation counts.
Note: The fragments keyword cannot solve all cases that involve access lists and IP fragments.
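The fragment-processing table and the paired-deny advice above, worked through as an added example (Python written for this page, not Cisco code). The evaluate function walks a list of simplified entries, each with a Layer 3 part (protocol, source, destination), an optional Layer 4 part (one destination port) and the fragments flag, and applies exactly the rules the table states: an entry with fragments matches only noninitial fragments, a noninitial fragment is compared against the Layer 3 portion only, and a Layer 3+4 deny whose Layer 3 portion matches a noninitial fragment falls through to the next entry. Two constructed lists show the consequence: a single port-specific deny lets noninitial fragments reach the permit-all, and adding the second deny entry of the pair closes that path. Addresses are compared literally here (wildcard masks are left out), and the entry and packet layouts are this example's own assumptions.

```python
def entry(action, protocol, src, dst, dport=None, fragments=False):
    """Simplified access list entry; dport is the only Layer 4 field modelled."""
    if fragments and dport is not None:
        raise ValueError("the fragments keyword cannot be combined with Layer 4 information")
    return {"action": action, "protocol": protocol, "src": src, "dst": dst,
            "dport": dport, "fragments": fragments}


def layer3_matches(e, pkt):
    """Protocol ip matches everything; `any` matches every address; otherwise literal compare."""
    return (e["protocol"] in ("ip", pkt["protocol"])
            and e["src"] in ("any", pkt["src"])
            and e["dst"] in ("any", pkt["dst"]))


def layer4_matches(e, pkt):
    return e["dport"] is None or pkt.get("dport") == e["dport"]


def evaluate(acl, pkt):
    """Return (action, index of the deciding entry); index None means the implicit deny.
    pkt["fragment"] is "none" (unfragmented), "initial" or "noninitial"."""
    noninitial = pkt["fragment"] == "noninitial"
    for i, e in enumerate(acl):
        if e["fragments"]:
            # An entry carrying the fragments keyword is applied only to noninitial fragments.
            if noninitial and layer3_matches(e, pkt):
                return e["action"], i
            continue
        if not layer3_matches(e, pkt):
            continue
        if not noninitial:
            # Nonfragmented packet or initial fragment: the whole entry (Layer 3 and 4) applies.
            if layer4_matches(e, pkt):
                return e["action"], i
            continue
        # Noninitial fragment: no Layer 4 header, so only the Layer 3 portion can be applied.
        if e["dport"] is None:
            return e["action"], i      # Layer 3-only entry applies in full
        if e["action"] == "permit":
            return "permit", i         # Layer 3 portion of a Layer 3+4 permit is enough
        continue                       # Layer 3 portion of a Layer 3+4 deny: next entry is processed
    return "deny", None


# Constructed sample lists (not from the page).
ACL_UNPAIRED = [
    entry("deny", "tcp", "any", "10.1.1.5", dport=80),
    entry("permit", "ip", "any", "any"),
]
ACL_PAIRED = [
    entry("deny", "tcp", "any", "10.1.1.5", dport=80),
    entry("deny", "ip", "any", "10.1.1.5", fragments=True),   # the second deny of the pair
    entry("permit", "ip", "any", "any"),
]


def packet(fragment, dport=None):
    """Constructed TCP packet toward 10.1.1.5; noninitial fragments carry no port."""
    return {"protocol": "tcp", "src": "192.0.2.9", "dst": "10.1.1.5",
            "fragment": fragment, "dport": dport}


if __name__ == "__main__":
    for name, acl in (("unpaired", ACL_UNPAIRED), ("paired", ACL_PAIRED)):
        print(name, "initial:", evaluate(acl, packet("initial", 80)),
              "noninitial:", evaluate(acl, packet("noninitial")))
```

The run makes the page's point concrete: with ACL_UNPAIRED the noninitial fragment is decided by the permit-all (entry index 1), with ACL_PAIRED it is denied by the fragments entry (index 1), while an initial fragment to another port still passes the fragments entry untouched and reaches the permit-all, because an initial fragment never matches an entry that has the fragments keyword.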
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy-routed, even if the first fragment is not policy-routed.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.
Creating an Access List Entry with Noncontiguous Ports
For Cisco IOS Release 12.3(7)T and later releases, you can specify noncontiguous ports on the same access control entry, which greatly reduces the number of access list entries required for the same source address, destination address, and protocol. If you maintain large numbers of access list entries, we recommend that you consolidate them when possible by using noncontiguous ports. You can specify up to ten port numbers following the eq and neq operators.
Examples
The following example sets conditions for a standard access list named Internetfilter:
ip access-list standard Internetfilter
deny 192.168.34.0 0.0.0.255
permit 172.16.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
! (Note: all other access implicitly denied.)
The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:
time-range no-http
periodic weekdays 8:00 to 18:00
!
ip access-list extended strict
deny tcp any any eq http time-range no-http
!
interface ethernet 0
ip access-group strict in
The following example adds an entry with the sequence number 25 to extended IP access list 150:
ip access-list extended 150
25 deny ip host 172.16.3.3 host 192.168.5.34
The following example removes the entry with the sequence number 25 from the extended access list example shown above:
no 25
The following example sets a deny condition for an extended access list named filter2. The access list entry specifies that a packet cannot pass the named access list if it contains the Strict Source Routing IP Option, which is represented by the IP option value ssr.
ip access-list extended filter2
deny ip any any option ssr
The following example sets a deny condition for an extended access list named kmdfilter1. The access list entry specifies that a packet cannot pass the named access list if the RST and FIN TCP flags have been set for that packet:
ip access-list extended kmdfilter1
deny tcp any any match-any +rst +fin
The following example shows several deny statements that can be consolidated into one access list entry with noncontiguous ports. The show access-lists command is entered to display a group of access list entries for the access list named abc.
Router# show access-lists abc
Extended IP access list abc
10 deny tcp any eq telnet any eq 450
20 deny tcp any eq telnet any eq 679
30 deny tcp any eq ftp any eq 450
40 deny tcp any eq ftp any eq 679
Because the entries are all for the same deny statement and simply show different ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:
ip access-list extended abc
no 10
no 20
no 30
no 40
deny tcp any eq telnet ftp any eq 450 679
The following example shows the resulting consolidated access list entry:
Router# show access-lists abc
Extended IP access list abc
10 deny tcp any eq telnet ftp any eq 450 679
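The consolidation shown above, worked through as an added example (Python written for this page, not Cisco code). Given the lines of a show access-lists display in the simplified form the page's example uses (sequence number, action, protocol, addresses, and eq port clauses), consolidate groups the entries that share action, protocol, source and destination and emits the no sequence-number commands plus one replacement entry with noncontiguous ports. It adds the check a practitioner needs before doing this by hand: the entries are merged only when every (source port, destination port) combination in the merged entry is already present among the originals, because deny tcp any eq telnet ftp any eq 450 679 covers four combinations and would match traffic the originals did not if, say, only telnet→450 and ftp→679 had been listed. The ten-port limit after eq comes from the page; the parsing grammar and the decision to leave non-eq operators alone are this example's own assumptions.

```python
from collections import OrderedDict

MAX_PORTS = 10  # the CLI accepts at most ten ports after eq or neq


def starts_address(token):
    return token in ("any", "host") or token.count(".") == 3


def take_address(tokens):
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]


def take_eq_ports(tokens):
    """Consume an optional `eq port...` clause; (None,) stands for "no port operator"."""
    if not tokens or tokens[0] != "eq":
        if tokens and tokens[0] in ("lt", "gt", "neq", "range"):
            raise ValueError("only eq clauses are consolidated here")
        return (None,), tokens
    ports, i = [], 1
    while i < len(tokens) and not starts_address(tokens[i]):
        ports.append(tokens[i])
        i += 1
    return tuple(ports), tokens[i:]


def parse_entry(line):
    """Parse `seq action proto src [eq port...] dst [eq port...]` from a show access-lists line."""
    tokens = line.split()
    seq = int(tokens.pop(0))
    action, proto = tokens.pop(0), tokens.pop(0)
    src, tokens = take_address(tokens)
    sports, tokens = take_eq_ports(tokens)
    dst, tokens = take_address(tokens)
    dports, tokens = take_eq_ports(tokens)
    if tokens:
        raise ValueError(f"unsupported trailing keywords: {tokens}")
    return {"seq": seq, "action": action, "proto": proto, "src": src, "dst": dst,
            "sports": sports, "dports": dports}


def unique(items):
    seen = []
    for item in items:
        if item not in seen:
            seen.append(item)
    return seen


def render_ports(ports):
    return "" if ports == [None] else "eq " + " ".join(ports)


def consolidate(show_lines):
    """Return the config commands that replace each mergeable group with one entry."""
    entries = [parse_entry(l) for l in show_lines if l.split() and l.split()[0].isdigit()]
    groups = OrderedDict()
    for e in entries:
        groups.setdefault((e["action"], e["proto"], e["src"], e["dst"]), []).append(e)
    commands = []
    for (action, proto, src, dst), members in groups.items():
        if len(members) < 2:
            continue
        sports = unique(p for e in members for p in e["sports"])
        dports = unique(p for e in members for p in e["dports"])
        seen_pairs = {(s, d) for e in members for s in e["sports"] for d in e["dports"]}
        # Merge only when every source/destination port combination is already listed;
        # otherwise the merged entry would match traffic the originals did not.
        if (len(seen_pairs) != len(sports) * len(dports)
                or (None in sports and len(sports) > 1) or (None in dports and len(dports) > 1)
                or len(sports) > MAX_PORTS or len(dports) > MAX_PORTS):
            continue
        commands.extend(f"no {e['seq']}" for e in members)
        parts = [action, proto, src, render_ports(sports), dst, render_ports(dports)]
        commands.append(" ".join(p for p in parts if p))
    return commands


# Constructed copy of the display the page shows for access list abc.
SHOW_OUTPUT = [
    "Extended IP access list abc",
    "    10 deny tcp any eq telnet any eq 450",
    "    20 deny tcp any eq telnet any eq 679",
    "    30 deny tcp any eq ftp any eq 450",
    "    40 deny tcp any eq ftp any eq 679",
]

if __name__ == "__main__":
    print("\n".join(consolidate(SHOW_OUTPUT)))
```

Run against the page's four entries it emits no 10 through no 40 followed by deny tcp any eq telnet ftp any eq 450 679, the same entry the page enters by hand; drop entry 30 from the input and it emits nothing, because telnet→450, telnet→679 and ftp→679 do not form a full cross product.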
The following access list filters IP packets containing Type of Service (ToS) level 3 with TTL values 10 and 20. It also filters IP packets with a TTL greater than 154 and applies that rule to noninitial fragments. It permits IP packets with a precedence level of flash and a TTL not equal to 1, and sends log messages about such packets to the console. All other packets are denied.
ip access-list extended canton
deny ip any any tos 3 ttl eq 10 20
deny ip any any ttl gt 154 fragments
permit ip any any precedence flash ttl neq 1 log