access-list
Defines an access list.
Syntax: [no] access-list list-name [permit|deny] protocol source source-mask [operator operand] destination destination-mask [proto-type] [operator operand] [established] [fragment] [sample tag-name] [log] [rate-limit tag-name]
Attributes:

permit
  Permits the packet if the conditions are matched.
deny
  Denies the packet if the conditions are matched.
protocol
  Name or number of an Internet protocol. Name keywords are: icmp, igmp, ip, ospf, pim, tcp, or udp. Number entries are standard Internet protocol numbers from 0 to 255. If no protocol is specified, the entry applies to all protocols.
source
  IP address of the network or host sending the packet. The router compares routes being tested to this value. Specify the address in one of the following formats:
  - a 32-bit IP address in dotted decimal format;
  - the keyword any, which specifies a source and source-mask of 0.0.0.0 255.255.255.255;
  - the keyword host followed by the host address in dotted decimal notation, which specifies a source-mask of 0.0.0.0.
  The source attribute applies to all protocols.
source-mask
  Mask applied to the source address, specified as a 32-bit value in dotted decimal format. It is a wildcard mask: a set bit marks a position of the address that is not compared (so 0.0.0.255 matches a whole /24, and 255.255.255.255, the mask behind the keyword any, matches every address). The source-mask attribute applies to all protocols.
destination
  IP address of the network or host to which the packet is being sent. Specify the address in one of the following formats:
  - a 32-bit IP address in dotted decimal format;
  - the keyword any, which specifies a destination and destination-mask of 0.0.0.0 255.255.255.255;
  - the keyword host followed by the host address in dotted decimal notation, which specifies a destination-mask of 0.0.0.0.
  The destination attribute applies to all protocols.
destination-mask
  Wildcard mask applied to the destination address, specified as a 32-bit value in dotted decimal format. The destination-mask attribute applies to all protocols.
operator
  For udp and tcp packets only. Compares a source or destination port:
  - used after the source IP address and source-mask, it specifies a source port;
  - used after the destination IP address and destination-mask, it specifies a destination port.
  Valid values are:
  - eq: the port number is equal to the operand.
  - range: the operand is an inclusive range of ports, given as the low and high number separated by a space; ports 1 through 3 are entered as 1 3.
operand
  Specifies the port to compare (source or destination, depending on where the operator appears). Valid values are a port number from 0 - 65535 or a predefined port keyword.
  Predefined port keywords for tcp are:
  - bgp: BGP routing protocol packets
  - domain: DNS packets
  - echo: UDP echo port
  - exec: RSH protocol
  - ftp: FTP protocol commands. To enable FTP on the Avici router, both the ftp and ftp-data packet types must be permitted.
  - ftp-data: FTP protocol data
  - login: remote login packets
  - sunrpc: standard RPC protocol
  - syslog: UNIX syslog
  - telnet: Telnet connections
  Predefined port keywords for udp are:
  - bootpc: client port for the bootp protocol
  - bootps: server port for the bootp protocol
  - domain: DNS packets
  - echo: UDP echo port
  - ntp: Network Time Protocol packets
  - rip: RIP routing protocol packets
  - snmp: SNMP packets
  - sunrpc: standard RPC protocol
  - syslog: UNIX syslog
  - tftp: Trivial File Transfer Protocol packets
icmpType, icmpCode
  ICMP type and code as defined in RFC 792. For ICMP messages only.
icmpMessage
  ICMP message text. For ICMP messages only.
igmpType
  IGMP message type. For IGMP messages only.
established
  For the tcp protocol only. Indicates an established connection: a match occurs if the TCP datagram has the ACK or RST bit set. The non-matching case is the initial TCP datagram that opens a connection.
fragment
  Matches packet fragments (packets with a non-zero fragment offset in their IP header). This keyword cannot be used if a port number is specified or if the established keyword is used.
tos range
  IP TOS byte value or range, 0 - 255. For a range, specify the low and high number separated by a space. The tos attribute is not used for the ICMP or IGMP protocols.
precedence range
  An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:5 (the three high-order bits). The parameter can be a range, a value from 0 - 7, or one of the following predefined keywords, listed with the TOS byte value each corresponds to:
  - critical-ecp = 0xa0
  - internet-control = 0xc0
  - network-control = 0xe0
  - flash = 0x60
  - flash-override = 0x80
  - immediate = 0x40
  - priority = 0x20
  - routine = 0x00
  For a range, specify the low and high number separated by a space.
dscp range
  An alternate form of expressing the TOS byte. This form matches bits ip.tos 7:2 (the six high-order bits). The parameter can be a range, a value from 0 - 63, or one of the following predefined keywords, listed with their values:
  - ef = 46
  - af11 = 10
  - af12 = 12
  - af13 = 14
  - af21 = 18
  - af22 = 20
  - af23 = 22
  - af31 = 26
  - af32 = 28
  - af33 = 30
  - af41 = 34
  - af42 = 36
  - af43 = 38
  For a range, specify the low and high number separated by a space.
length range
  The IP length field. The parameter can be either a single exact-match value from 0 - 65535 or a range. For a range, specify the low and high number separated by a space. The 15 most significant bits are used for the access-list length key.
log
  Generates a syslog message when at least one match occurs within a 10 second interval. The log attribute can be used with all protocols.
sample sample-name
  Sends a mirror copy of the packet to the configured interface mirror port. The sample attribute can be used with all protocols. The sample-name is any sample preconfigured with the sample command.
rate-limit rate-limit-name
  Limits the rate of the received bandwidth to the configured rate. The rate-limit attribute can be used with all protocols. The rate-limit-name is any rate-limit preconfigured with the rate-limit command.
Description: Access lists are filters that enable you to:
- Restrict the routing information a router learns from or advertises to a neighbor.
- Restrict inbound packets bound for either the server or fabric.
You can define access-list filters based on any of four elements:
- Address-based access lists identify routes you want to control by network address. Use the access-list or ip access-list commands to create an address-based access list.
- AS-path-based access lists identify routes you want to control by autonomous system path. Use the ip as-path access-list command to create an autonomous-system-path-based access list.
- Community-based access lists identify BGP routes you want to control by community. Use the ip community-list command to create a community-based access list.
- Packet-based access lists identify packets by protocol entering a router bound for either the fabric or the server, as well as server-sourced packets that you want to control. Packets forwarded across the fabric must use the ip access-list command in extended mode.
Standard or extended mode can be specified using the ip access-list command. Standard access lists create filters based on source addresses and are used for server-based filtering. Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features and are used for packet-based filtering.
Multiple BGP peers or route maps can reference a single access list. You can apply access lists to both inbound and outbound traffic.
Each packet is passed through the access list. The rules in the access list are applied in the order in which they appear in the list. When a packet matches any rule, the decision to permit the packet through the filter or deny it is made, and no further rules are processed.
This means that the order of commands in your access list is very important. Make entries in your access lists in descending order of likelihood of finding a match. List entries with the greatest probability of being matched before entries with the smallest probability of being matched. This order reduces the time spent processing each packet as it is passed through an access list.
NOTE Internally, some code uses TCP sockets to communicate between tasks using the internal loopback address (127.0.0.1). Packet filtering behaves as though the following line was the first entry of every access-list:
permit ip host 127.0.0.1 host 127.0.0.1
NOTE Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access-lists:
deny ip any any
If it is desirable to override this implicit denial, enter a permit ip any any statement as the last entry in the access-list.
You cannot modify an existing access list in your configuration file. Instead, you must use the no option to delete the list and then retype the entire list. We recommend you keep your access lists in separate files, allowing you to cut and paste entries into your configuration file.
Use the access-list list-name [permit|deny] source source-mask syntax to create a standard address-based access list. Add entries to the list by repeating the command for different IP addresses.
Use the access-list list-name [permit|deny] source source-mask destination destination-mask syntax to create an extended address-based access list. Add entries to the list by repeating the command for different IP addresses.
Use the access-list list-name [permit|deny] ip source source-mask destination destination-mask [log] [sample] [rate-limit] syntax to create an IP extended packet-based access list to filter any IP protocol packet, including ICMP, TCP, and UDP, based on their source, destination, protocol, destination port, connection state.
Use the access-list list-name [permit|deny] icmp source source-mask destination destination-mask [proto-type] [log] [sample] [rate-limit] syntax to create an ICMP packet-based access list to filter any ICMP protocol packet, based on their source, destination, protocol, destination port, connection state.
Use the access-list list-name [permit|deny] igmp source source-mask destination destination-mask [proto-type] [log] [sample] [rate-limit] syntax to create an IGMP packet-based access list to filter any IGMP protocol packet, based on their source, destination, protocol, destination port, connection state.
Use the access-list list-name [permit|deny] tcp source source-mask [operator operand] destination destination-mask [operator operand] [established] [fragment] [log] [sample] [rate-limit] syntax to create a TCP protocol packet-based access list to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.
Use the access-list list-name [permit|deny] udp source source-mask [operator operand] destination destination-mask [operator operand] [fragment] [log] [sample] [rate-limit] syntax to create a UDP protocol packet-based access list to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.
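The first-match rule and the two implicit entries described above, together with the entry syntax forms just listed, can be checked against sample traffic with the following evaluator. It is an added example written for this page, not Avici code. It assumes that the port keywords resolve to their standard IANA numbers and that the masks are wildcard masks (a set bit means "don't care"), which the 0.0.0.255 and any examples on this page imply; it ignores the log, sample and rate-limit keywords, which do not affect whether an entry matches. The MISORDERED list shows why entry order matters: its deny entry sits behind permit ip any any and can never be reached.

```python
"""First-match evaluator for access-list entries in the syntax above (added example, not
Avici code). It models what the page states: entries are tried in order, the first match
decides, and 'permit ip host 127.0.0.1 host 127.0.0.1' / 'deny ip any any' are implicit
first and last entries. Assumptions not from the page: port keywords map to their
standard IANA numbers, and masks are wildcard masks (set bits are ignored)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

PORT_KEYWORDS = {  # page keywords -> IANA port numbers (assumption)
    "bgp": 179, "domain": 53, "echo": 7, "exec": 512, "ftp": 21, "ftp-data": 20,
    "login": 513, "sunrpc": 111, "syslog": 514, "telnet": 23, "bootps": 67,
    "bootpc": 68, "ntp": 123, "rip": 520, "snmp": 161, "tftp": 69,
}
IMPLICIT_FIRST = "permit ip host 127.0.0.1 host 127.0.0.1"  # stated on this page
IMPLICIT_LAST = "deny ip any any"                            # stated on this page

@dataclass
class Packet:
    proto: str                # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False  # TCP ACK or RST bit set: the page's "established"

@dataclass
class Entry:
    action: str
    proto: str
    src: Tuple[int, int]                     # (address, wildcard mask) as 32-bit ints
    dst: Tuple[int, int]
    sport: Optional[Tuple[int, int]] = None  # inclusive (low, high); None = any port
    dport: Optional[Tuple[int, int]] = None
    established: bool = False

def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' at t[i]; return (net, next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(IPv4Address(t[i + 1])), 0), i + 2
    return (int(IPv4Address(t[i])), int(IPv4Address(t[i + 1]))), i + 2

def _portnum(tok: str) -> int:
    return PORT_KEYWORDS[tok] if tok in PORT_KEYWORDS else int(tok)

def _port(t: List[str], i: int) -> Tuple[Optional[Tuple[int, int]], int]:
    """Parse an optional 'eq X' | 'range LO HI' at t[i]; return (range or None, next index)."""
    if i < len(t) and t[i] == "eq":
        return (_portnum(t[i + 1]), _portnum(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_portnum(t[i + 1]), _portnum(t[i + 2])), i + 3
    return None, i

def parse_entry(text: str) -> Entry:
    """Parse '<permit|deny> <proto> <src> [op] <dst> [op] [established] [log ...]'."""
    t = text.split()
    action, proto = t[0], t[1]
    src, i = _addr(t, 2)
    sport, i = _port(t, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i) if proto in ("tcp", "udp") else (None, i)
    # Trailing keywords: only 'established' affects matching; log/sample/rate-limit do not.
    return Entry(action, proto, src, dst, sport, dport, "established" in t[i:])

def _in_net(addr: int, net: Tuple[int, int]) -> bool:
    base, wild = net
    return (addr | wild) == (base | wild)  # wildcard bits set to 1 are "don't care"

def matches(e: Entry, p: Packet) -> bool:
    """Every field the entry specifies must agree with the packet ('ip' matches any protocol)."""
    proto_ok = e.proto == "ip" or e.proto == p.proto
    addr_ok = _in_net(int(IPv4Address(p.src)), e.src) and _in_net(int(IPv4Address(p.dst)), e.dst)
    sport_ok = e.sport is None or e.sport[0] <= p.sport <= e.sport[1]
    dport_ok = e.dport is None or e.dport[0] <= p.dport <= e.dport[1]
    est_ok = not e.established or p.ack_or_rst  # ACK or RST must be set
    return proto_ok and addr_ok and sport_ok and dport_ok and est_ok

def build(lines: List[str]) -> List[Entry]:
    """Wrap the configured lines in the implicit first and last entries."""
    return [parse_entry(s) for s in (IMPLICIT_FIRST, *lines, IMPLICIT_LAST)]

def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, int]:
    """(action, index) of the first matching entry; index 0 and len(acl)-1 are the implicit ones."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    raise AssertionError("unreachable: the implicit deny ip any any matches everything")

# Lists from the page's examples (Example 3 in the documented argument order), a mis-ordered
# variant whose deny can never fire, a replies-only list, and constructed sample packets.
DENY_SNMP = build(["deny udp any any eq snmp", "permit ip any any"])
MISORDERED = build(["permit ip any any", "deny udp any any eq snmp"])
FORME = build(["deny tcp 10.10.0.0 0.0.255.255 any eq telnet", "deny tcp any eq telnet 10.10.0.0 0.0.255.255"])
REPLIES_ONLY = build(["permit tcp any any established"])
SNMP_GET = Packet("udp", "192.0.2.10", "198.51.100.1", sport=40000, dport=161)
SSH = Packet("tcp", "192.0.2.10", "198.51.100.1", sport=40001, dport=22)
TELNET_IN = Packet("tcp", "10.10.5.5", "198.51.100.1", sport=40002, dport=23)
SYN = Packet("tcp", "192.0.2.10", "198.51.100.1", sport=40003, dport=80)
SYN_ACK = Packet("tcp", "198.51.100.1", "192.0.2.10", sport=80, dport=40003, ack_or_rst=True)
```

Running evaluate(FORME, SSH) returns the implicit deny (last index) because the forme list on this page contains only deny entries and no permit, which is exactly the situation the implicit deny ip any any covers; evaluate(REPLIES_ONLY, SYN) is likewise denied while the SYN/ACK reply is permitted, because established requires ACK or RST.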
Use the route-map, neighbor distribute-list, and neighbor filter-list commands to apply address-based access lists to routes.
Use the ip access-group interface configuration command to apply packet-based access lists to an interface.
Use the no access-list syntax to delete an access list.
Factory Default: Deny statement for all options.
Command Mode: Configuration.
Example 1: In the following example, the 4 access-list commands create a standard access list named ISP4_access that allows access only for hosts on three specified networks:
router(config)#access-list ISP4_access permit 10.5.1.121 0.0.0.255
router(config)#access-list ISP4_access permit 128.20.0.0 0.0.255.255
router(config)#access-list ISP4_access permit 120.0.0.0 0.255.255.255
router(config)#
Only routes that match entries in the access list are permitted. Note the last line of the access list is a deny any statement to remind your reader that all other access is denied.
Example 2: In the following example, the access-list commands create an extended access list allowFTP to permit FTP command and control packets from all sources and destinations:
router(config)#access-list allowFTP permit tcp any any eq ftp
router(config)#access-list allowFTP permit tcp any any eq ftp-data
Example 3: In the following example, the access-list commands create an extended access list denySNMP to deny SNMP packets from all sources and destinations, but permit all other IP traffic:
router(config)#access-list denySNMP deny udp any any eq snmp
router(config)#access-list denySNMP permit ip any any
Example 4: In the following example:
- A mirror port is configured so that interface pos 1/13/1 is the destination for any sampled packets received on the pos 1/14/1 interface.
- Two sampling frequencies are configured, tagged src-100-d (deny) and src-100-p (permit), each set to 1 in 100 packets.
- An extended IP access list named src_filter is configured:
  - to deny packets from network 12.160/16 with a sample rate of 1 in 100 packets;
  - to permit packets from network 191/8, also sampled at 1 in 100 packets;
  - to permit all other packets without sampling.
- The src_filter IP access-group is associated with interface pos 1/14/1 for inbound traffic forwarded across the fabric.
- An extended IP access list named forme is configured with entries that deny telnet traffic from network 10.10/16 and telnet server traffic returning to it.
- The forme IP access-group is made the default inbound filter for messages intended for the server.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#interface pos 1/14/1
router(config-if)#mirror pos 1/13/1
router(config-if)#exit
router(config)#sample src-100-d 100
router(config)#sample src-100-p 100
router(config)#ip access-list extended src_filter
router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d
router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p
router(config-ext-nacl)#permit ip any any
router(config-ext-nacl)#exit
router(config)#interface pos 1/14/1
router(config-if)#ip access-group src_filter control-in
router(config-if)#exit
router(config)#ip access-list extended forme
router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet
router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255
router(config-ext-nacl)#exit
router(config)#ip default-access-group forme control-in
router(config)#end
router#