IP access control lists (ACLs) filter IP packets passing through an interface. To configure an IPv4 ACL, use the ip access-list command. To remove a single entry from an access list, or to remove the access list entirely, use the corresponding no form of this command.
ip access-list name {permit | deny} protocol {any | src-ip src-mask} [source-ports] {any | dst-ip dst-mask} [destination-ports] [options]

no ip access-list name {permit | deny} protocol {any | src-ip src-mask} [source-ports] {any | dst-ip dst-mask} [destination-ports] [options]

no ip access-list name
where:
- protocol—{icmp | ip | tcp [flags {[ack] [all] [fin] [psh] [rst] [syn] [urg]}] | udp | protocol-num}
- source-ports—[eq port {dns | ftp | ftp-data | http | ntp | radius | sftp | smtp | snmp | snmp-trap | ssh | syslog | tacacs-ds | tacacs-plus | telnet | tftp | www | wbem-http | wbem-https | port-num} | gt port port-num-low | lt port port-num-high | range port port-num-low port-num-high]
- destination-ports—[eq port {dst_dns | dst_ftp | dst_ftp-data | dst_http | dst_ntp | dst_radius | dst_sftp | dst_smtp | dst_snmp | dst_snmp-trap | dst_ssh | dst_syslog | dst_tacacs-ds | dst_tacacs-plus | dst_telnet | dst_tftp | dst_www | dst_wbem-http | dst_wbem-https | port-num} | gt port port-num-low | lt port port-num-high | range port port-num-low port-num-high]
- options—[established | icmp-type {echo | echo-reply | redirect | time-exceeded | unreachable | traceroute | icmp-msg-num} [icmp-code icmpcode-num]] [tos {delay | throughput | reliability | monetary-cost | normal-service}] [log-deny]
Syntax Description

name
    Specifies an access list name. The maximum length is 28 alphanumeric characters.

deny
    Drops the packet if the conditions match.

permit
    Forwards the packet if the conditions match.

protocol
    Specifies the name or number (integer range from 0 to 255) of an IP protocol. The IP protocol name can be icmp, ip, tcp, or udp.

flags flag-set
    (Optional) Specifies TCP header flags to match. Multiple flags may be specified, separated by spaces.
    The available flag names are:
    - ack —The Acknowledgment flag. It indicates that the acknowledgment field is meaningful.
    - all —Any TCP flag.
    - psh —The Push flag. It indicates the data should be immediately pushed through to the receiving user.
    - fin —The Finish flag. It is used to clear connections.
    - rst —The Reset flag. It indicates that the receiver should delete the connection without further interaction.
    - syn —The Synchronize flag. It is used to establish connections.
    - urg —The Urgent flag. It indicates that the urgent pointer field is meaningful and is to be added to the segment sequence number.

any
    Specifies any source or destination IP address. The any keyword is synonymous with the address 0.0.0.0 and wildcard mask 255.255.255.255.

src-ip src-mask
    Specifies the network from which the packet is sent. Mask bits are 0 for match and 1 for don't care.

dst-ip dst-mask
    Specifies the network to which the packet is to be sent. Mask bits are 0 for match and 1 for don't care.

source-ports
    Specifies a set of source ports to match.
    The syntax of this block is:
    operator port-set
    The following operators are available:
    - eq — equal to
    - gt — greater than, including the specified port
    - lt — less than, including the specified port
    - range — a range of source ports (inclusive)
    The port-set is a single value for the eq, gt, lt operators and a pair of space-separated ports, in low-port high-port order, for the range operator. Ports may be specified as a number or a name. The range for numbers is 0 to 65535.
    The available names are as follows.
    TCP: ftp-data (20), ftp (21), ssh (22), telnet (23), smtp (25), tacacs-plus (49), tacacs-ds (65), www (80), sftp (115), http (143), radius (1812), wbem-http (5988), wbem-https (5989)
    UDP: dns (53), tftp (69), ntp (123), snmp (161), snmp-trap (162), syslog (514)
    Note that the http keyword resolves to port 143 (the IANA port assigned to IMAP), not to 80; to match HTTP on port 80 use the www keyword or the number 80. When a keyword's mapping is in doubt, specify the port number.

destination-ports
    Specifies a set of destination ports to match.
    The syntax of this block is:
    operator port-set
    The following operators are available:
    - eq — equal to
    - gt — greater than, including the specified port
    - lt — less than, including the specified port
    - range — a range of destination ports (inclusive)
    The port-set is a single value for the eq, gt, lt operators and a pair of space-separated ports, in low-port high-port order, for the range operator. Ports may be specified as a number or a name. The range for numbers is 0 to 65535.
    The available names are as follows.
    TCP: dst_ftp-data (20), dst_ftp (21), dst_ssh (22), dst_telnet (23), dst_smtp (25), dst_tacacs-plus (49), dst_tacacs-ds (65), dst_www (80), dst_sftp (115), dst_http (143), dst_radius (1812), dst_wbem-http (5988), dst_wbem-https (5989)
    UDP: dst_dns (53), dst_tftp (69), dst_ntp (123), dst_snmp (161), dst_snmp-trap (162), dst_syslog (514)
    The same caveat applies: dst_http is port 143, and dst_www is port 80.

icmp-type icmp-value
    (Optional) Specifies an ICMP message type to match. icmp-value may be a number or a name. The range for numbers is 0 to 255.
    The names are: echo-reply (0), unreachable (3), redirect (5), echo (8), time-exceeded (11), traceroute (30)

icmp-code icmpcode-num
    (Optional) Specifies an ICMP message code to match as a number. The range of icmpcode-num is from 0 to 255.

established
    (Optional) Indicates an established connection for the TCP protocol. A match occurs if the TCP segment has the ACK, FIN, PSH, RST, or URG control bits set. The nonmatching case is that of the initial TCP segment (SYN only) sent to open a connection.
    This is a check on header bits, not on connection state: the switch keeps no record of which connections exist, so a crafted segment with any of those bits set matches an established entry even when no connection was ever opened. Treat established as "not a connection-opening SYN", not as proof that the packet belongs to a session.

tos tos-value
    (Optional) Specifies the name of a type of service level to match.
    The names are: normal-service (0), monetary-cost (1), reliability (2), throughput (4), delay (8)

log-deny
    (Optional) Logs an information-level syslog message for each denied packet.
Command Default
No IP access lists are configured.

Command Modes
Configuration mode (config)

Command History
Release   Modification
1.2(1)    This command was introduced.
Usage Guidelines
An ACL is evaluated against each packet starting at its first entry. Entries are checked in order until one matches; no further entries are examined after that, and if nothing matches the interface's default action applies. Entry order therefore determines the result: place specific entries before broader ones, and in particular place a 'deny' entry before any broader 'permit' entry that would otherwise match the same packets, so that the packet is dropped instead of being forwarded by an unintended 'permit'.
IP ACLs use an address and a wildcard mask to specify a range of IP addresses. The mask is applied to the specified address
where bits in the mask that are 0 mean the corresponding bits in the specified address are used as written (they cannot change), including 0s. Bits that are 1 in the mask mean the corresponding bits in the address may have any value (they can change and are wild). This is the inverse behaviour of subnet masks.
The log-deny option at the end of an individual ACL entry causes an information-level syslog message for each packet that matches that deny entry. The message identifies the ACL and entry that matched and the action taken, together with port-specific information about the packet.
If the ACL specified does not exist, it is created when you enter this command. If the ACL already exists, new configuration
commands are added to the end of it.
Each interface has a default action that is applied when all entries in an IP ACL have been checked without a match. On management and non-IPS Gigabit Ethernet interfaces this is an implicit deny ip any any at the end of the IP ACL, which drops the packet. On IP Storage (IPS) interfaces it is an implicit permit ip any any, so an IPS ACL that lists only deny entries still forwards every packet those entries do not cover. To obtain the same default-deny behaviour as other interfaces, add an explicit deny ip any any entry at the end of every IP ACL applied to an IPS interface; since new entries are appended, add it after all permit entries.
Table 1. Unsupported Keyword Combinations

Protocol Keyword   Unsupported Keywords
ip                 eq, established, gt, lt, range, icmp-type
icmp               eq, established, gt, lt, range
udp                established, icmp-type
tcp                icmp-type
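The usage guidelines above describe four things that are easy to get wrong when writing one of these ACLs: first-match ordering, the inverted wildcard mask, the per-interface default action, and the header-bit-only meaning of established. The following Python script is an added example, not Cisco code and not part of this reference; it parses entries written in the syntax documented on this page (action, protocol, address/wildcard pairs, eq/gt/lt/range port blocks, and established) and evaluates constructed packets against them with the first-match and default-action rules stated above, so an ACL can be sanity-checked before it is pushed to a switch. The packet dictionaries, the ACL, and the interface labels "mgmt" and "ips" are assumptions made for the example; the port keyword table is copied from this page.

```python
"""Added example (not Cisco code): first-match simulator for the ip access-list syntax on this page.
All packets below are constructed test input."""
import ipaddress
from dataclasses import dataclass

# Port keywords exactly as this page lists them. Note the trap: 'http' is 143 and 'www' is 80.
PORT_NAMES = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "tacacs-plus": 49,
    "tacacs-ds": 65, "www": 80, "sftp": 115, "http": 143, "radius": 1812,
    "wbem-http": 5988, "wbem-https": 5989, "dns": 53, "tftp": 69, "ntp": 123,
    "snmp": 161, "snmp-trap": 162, "syslog": 514,
}
ESTABLISHED_BITS = {"ACK", "FIN", "PSH", "RST", "URG"}   # bits the page says satisfy 'established'


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp" or "icmp"
    src: tuple             # (address, wildcard)
    sports: tuple          # inclusive (low, high); (0, 65535) when no port block is given
    dst: tuple
    dports: tuple
    established: bool = False


def port_value(tok):
    """Resolve a port keyword (with or without the dst_ prefix) or a plain number."""
    tok = tok[4:] if tok.startswith("dst_") else tok
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def prefix_to_wildcard(prefixlen):
    """/21 -> 0.0.7.255: the wildcard mask is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF >> prefixlen))


def wildcard_match(addr, base, wildcard):
    """Wildcard bits set to 1 are 'don't care'; bits set to 0 must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def parse_rule(text):
    """Parse the part of an entry that follows 'ip access-list name'."""
    toks = text.split()
    pos = 2

    def take_addr():
        nonlocal pos
        if toks[pos] == "any":
            pos += 1
            return ("0.0.0.0", "255.255.255.255")
        pos += 2
        return (toks[pos - 2], toks[pos - 1])

    def take_ports():
        nonlocal pos
        if pos < len(toks) and toks[pos] in ("eq", "gt", "lt", "range"):
            op = toks[pos]
            pos += 2                                  # skip the operator and the literal 'port'
            if op == "range":
                lo, hi = port_value(toks[pos]), port_value(toks[pos + 1])
                pos += 2
            else:
                v = port_value(toks[pos])
                pos += 1
                lo, hi = {"eq": (v, v), "gt": (v, 65535), "lt": (0, v)}[op]   # gt/lt are inclusive on this page
            return (lo, hi)
        return (0, 65535)

    src, sports = take_addr(), take_ports()
    dst, dports = take_addr(), take_ports()
    return Rule(toks[0], toks[1], src, sports, dst, dports, "established" in toks[pos:])


def rule_matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not (wildcard_match(pkt["src"], *rule.src) and wildcard_match(pkt["dst"], *rule.dst)):
        return False
    if rule.proto in ("tcp", "udp") and not (
        rule.sports[0] <= pkt["sport"] <= rule.sports[1]
        and rule.dports[0] <= pkt["dport"] <= rule.dports[1]
    ):
        return False
    # 'established' only inspects header bits: a forged ACK from anywhere satisfies it.
    if rule.established and not (pkt.get("flags", set()) & ESTABLISHED_BITS):
        return False
    return True


def evaluate(rules, pkt, interface="mgmt"):
    """First match wins. With no match, IPS interfaces permit; management/GigE interfaces deny."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "permit" if interface == "ips" else "deny"


def lacks_final_deny(rules):
    """True when the last entry is not 'deny ip any any' (which IPS interfaces need explicitly)."""
    last = rules[-1] if rules else None
    return not (last and last.action == "deny" and last.proto == "ip"
                and last.src[1] == "255.255.255.255" and last.dst[1] == "255.255.255.255")


ACL = [parse_rule(r) for r in (
    "deny tcp 1.2.3.0 0.0.0.255 eq port 5 any",
    "permit tcp any any eq port dst_ssh established",
    "permit udp 192.168.32.0 0.0.7.255 any eq port dst_dns",
)]
# Constructed packets (not captured traffic).
PKT_PORT5 = {"proto": "tcp", "src": "1.2.3.7", "sport": 5, "dst": "10.0.0.1", "dport": 80, "flags": {"SYN"}}
PKT_FORGED_ACK = {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "10.0.0.1", "dport": 22, "flags": {"ACK"}}
PKT_SSH_SYN = {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "10.0.0.1", "dport": 22, "flags": {"SYN"}}
PKT_DNS_IN = {"proto": "udp", "src": "192.168.39.255", "sport": 5000, "dst": "10.0.0.53", "dport": 53}
PKT_DNS_OUT = {"proto": "udp", "src": "192.168.40.1", "sport": 5000, "dst": "10.0.0.53", "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("port5 syn", PKT_PORT5), ("forged ack", PKT_FORGED_ACK), ("ssh syn", PKT_SSH_SYN),
                      ("dns in-range", PKT_DNS_IN), ("dns out-of-range", PKT_DNS_OUT)]:
        print(f"{name:16} mgmt={evaluate(ACL, pkt)}  ips={evaluate(ACL, pkt, 'ips')}")
    print("IPS ACL still needs an explicit deny ip any any:", lacks_final_deny(ACL))
```

Two results are worth attention. The forged ACK to port 22 from an address that never opened a connection is permitted by the established entry, because the switch checks only the control bits. And the SSH SYN that matches nothing is denied on a management interface but permitted on an IPS interface, which is exactly the case the explicit trailing deny ip any any is meant to close.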
Examples
The following example configures an IP ACL called aclPermit and permits IP traffic from any source address to any destination
address:
switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list aclPermit permit ip any any
The following example removes the IP ACL called aclPermit:
switch# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# no ip access-list aclPermit
The following example appends a rule to the IP ACL called aclPermit to deny TCP traffic from any source address to any destination
address:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list aclPermit deny tcp any any
The following example appends a rule to the IP ACL called aclPermitUdp that permits UDP traffic from source addresses 192.168.32.0 through 192.168.39.255 (192.168.32.0/21) to any destination. The wildcard mask is the inverse of the subnet mask: subtracting 255.255.248.0 from 255.255.255.255 yields 0.0.7.255:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list aclPermitUdp permit udp 192.168.32.0 0.0.7.255 any
The following example appends a rule to the IP ACL called aclPermitIpToServer that permits all IP traffic from and to the
specified networks:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list aclPermitIpToServer permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
The following example appends a rule to the IP ACL called aclDenyTcpIpPrt5 that denies TCP traffic with source port 5 from any source address in the range 1.2.3.0 to 1.2.3.255 to any destination:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list aclDenyTcpIpPrt5 deny tcp 1.2.3.0 0.0.0.255 eq port 5 any
The following example removes this entry from the IP ACL:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# no ip access-list aclDenyTcpIpPrt5 deny tcp 1.2.3.0 0.0.0.255 eq port 5 any