

access-list


Defines an access list.

Syntax: [no] access-list list-name [permit|deny] protocol source source-mask [operator operand] destination destination-mask [proto-type] [operator operand] [established] [fragment] [sample tag-name] [log] [rate-limit tag-name]

list-name

Name of this access list. List names may be up to 256 characters and may consist of any alpha-numeric characters, the underscore (_), and the hyphen (-). Case is significant.

permit

Permits access if conditions match.

deny

Denies access if conditions match.

protocol

Protocol whose packets are to be controlled. Valid values are:

  • 0 - 255 - an IP protocol number

  • tcp - TCP packets

  • udp - UDP packets

  • icmp - ICMP packets

  • igmp - IGMP packets

  • ospf - OSPF packets

  • pim - PIM packets

  • ip - any IP packet, including TCP, UDP and ICMP

source

IP address of network or host from which packet is being received. The router compares routes being tested to this value. Specify the address using one of the following formats:

  • 32-bit IP address in dotted decimal format.

  • keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255

  • keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0

source-mask

Network mask applied to the source address. Specify as a 32-bit IP address in dotted decimal format.

destination

IP address of network or host to which packet is being sent. Specify the address using one of the following formats:

  • 32-bit IP address in dotted decimal format.

  • keyword any to specify a destination and destination-mask of 0.0.0.0 255.255.255.255

  • keyword host followed by the host address in dotted decimal notation to specify destination-mask of 0.0.0.0

destination-mask

Network mask applied to the destination address. Specify as a 32-bit IP address in dotted decimal format.

proto-type

Protocol message type, valid values are (Packet Filtering only):

  • {icmp-type [icmp-code] | icmpMessage} - Specifies an ICMP message type with an optional code, or an ICMP message text. Only valid if protocol is icmp.

  • igmp-type - Specifies an IGMP message type. Only valid if protocol is igmp.

operator

For udp and tcp packets only. Compares port numbers.

When used after the source IP address/source-mask, specifies a source port.

When used after the destination IP address/destination-mask, specifies a destination port.

Valid values are:

  • eq - specifies the port number is equal to the operand.

  • range - specifies an inclusive range of ports; the operand gives the low and high port separated by a space, e.g. 1 3 specifies ports 1 through 3.

operand

Specifies the port to compare against. Valid values are either a port number or a predefined port number keyword:

  • 0 - 65535 - port number

Predefined port number keywords for tcp are:

  • bgp - BGP routing protocol packets

  • domain - DNS packets

  • echo - UDP echo port

  • exec - RSH protocol

  • ftp - FTP protocol commands. To enable FTP on the Avici router, both the ftp and ftp data packet types must be permitted.

  • ftp-data - FTP protocol data

  • login - Remote login packets

  • sunrpc - standard RPC protocol

  • syslog - UNIX syslog

  • telnet - Telnet connections

Predefined port number keywords for udp are:

  • bootpc - Client port for the bootp protocol

  • bootps - Server port for the bootp protocol

  • domain - DNS packets

  • echo - UDP echo port

  • ntp - Network Time Protocol packets

  • rip - RIP routing protocol packets

  • snmp - SNMP packets

  • sunrpc - standard RPC protocol

  • syslog - UNIX syslog

  • tftp - Trivial File Transfer protocol packets

established

For tcp protocol only. Indicates an established connection. A match occurs if the tcp datagram has the ACK or RST bits set.

fragment

Match occurs on packet fragments (those packets with a non-zero offset in their IP header). This keyword can not be used if a port number is specified or if the established keyword is used.

sample tag-name

Sends a mirror copy of the packet to the interface mirror port preconfigured with the mirror command. The tag-name is the preconfigured name of the sample, defined with the sample command. (Packet Filtering only)

log

Generates a SYSLOG message when at least one match occurs within 10 seconds. (Packet Filtering only)

rate-limit tag-name

Rate limits the received bandwidth to the rate configured in the rate-limit configuration tag-name, which is preconfigured using the rate-limit command. (Packet Filtering only)

Description: Access lists are filters that enable you to:

You can define access list filters based on any of four elements:

Standard access lists create filters based on source addresses. Extended access lists create filters based on source addresses, destination addresses, protocol, port number and other features.

Multiple BGP peers or route maps can reference a single access list. You can apply access lists to both inbound and outbound traffic.

Each packet is passed through the access list. The rules in the access list are applied in the order in which they appear in the list. When a packet matches any rule, the decision to permit the packet through the filter or deny it is made, and no further rules are processed.

This means that the order of commands in your access list is very important. Make entries in your access lists in descending order of likelihood of finding a match. List entries with the greatest probability of being matched before entries with the smallest probability of being matched. This order reduces the time spent processing each packet as it is passed through an access list.

NOTE Internally, some code uses TCP sockets to communicate between tasks using the internal loopback address (127.0.0.1). Packet filtering behaves as though the following line was the first entry of every access-list:

permit ip host 127.0.0.1 host 127.0.0.1

NOTE Access lists implicitly deny all access that is not expressly permitted. The following line is auto-appended to all access-lists:

deny ip any any
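To make these evaluation rules concrete, the following is an added Python model of the first-match semantics described above (example code, not Avici's implementation). It assumes numeric ports in place of the port keywords, packets represented as dicts, and the two implicit entries (the loopback permit first, deny ip any any last); it also accepts the range operator and the established keyword from the syntax above.

```python
from ipaddress import IPv4Address
def wild_match(addr, base, wildcard):
    """Wildcard-mask compare: a set bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_addr(t):
    """Consume 'any', 'host A' or 'A WILDCARD' from the token list t."""
    tok = t.pop(0)
    if tok == 'any':
        return '0.0.0.0', '255.255.255.255'
    return (t.pop(0), '0.0.0.0') if tok == 'host' else (tok, t.pop(0))

def parse_port(t):
    """Optional 'eq N' or 'range LO HI' operator -> inclusive (lo, hi), else None."""
    if t and t[0] == 'eq':
        t.pop(0); n = int(t.pop(0)); return (n, n)
    if t and t[0] == 'range':
        t.pop(0); return (int(t.pop(0)), int(t.pop(0)))
    return None

def parse_rule(line):
    """Parse '[permit|deny] proto src [op] dst [op] [established]' with numeric ports."""
    t = line.split()
    action, proto = t.pop(0), t.pop(0)
    src, sport = parse_addr(t), parse_port(t)
    dst, dport = parse_addr(t), parse_port(t)
    return dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, established='established' in t)

def matches(rule, pkt):
    """All fields must match; 'ip' matches any protocol; established needs ACK or RST."""
    ports_ok = all(not rule[k] or rule[k][0] <= pkt.get(k, -1) <= rule[k][1]
                   for k in ('sport', 'dport'))
    return (rule['proto'] in ('ip', pkt['proto'])
            and wild_match(pkt['src'], *rule['src'])
            and wild_match(pkt['dst'], *rule['dst']) and ports_ok
            and (not rule['established'] or bool(pkt.get('flags', set()) & {'ACK', 'RST'})))

def evaluate(acl_lines, pkt):
    """First match decides; loopback permit is implicitly first, 'deny ip any any' last."""
    rules = [parse_rule('permit ip host 127.0.0.1 host 127.0.0.1')]
    rules += [parse_rule(line) for line in acl_lines]
    rules.append(parse_rule('deny ip any any'))
    for rule in rules:
        if matches(rule, pkt):
            return rule['action']
# Constructed samples: Example 3's list (snmp written as port 161) and one SNMP datagram.
DENY_SNMP = ['deny udp any any eq 161', 'permit ip any any']
SNMP_PKT = dict(proto='udp', src='10.1.1.5', dst='10.2.2.2', sport=40000, dport=161)
```

Evaluating DENY_SNMP[::-1] against SNMP_PKT returns permit, which is why entry order matters.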

You cannot modify an existing access list in your configuration file. Instead, you must use the no option to delete the list and then retype the entire list. We recommend you keep your access lists in separate files, allowing you to cut and paste entries into your configuration file.

Use the access-list list-name [permit|deny] source source-mask syntax to create a standard address-based access list. Add entries to the list by repeating the command for different IP addresses.

Use the access-list list-name [permit|deny] source source-mask destination destination-mask syntax to create an extended address-based access list. Add entries to the list by repeating the command for different IP addresses.

Use the access-list list-name [permit|deny] ip source source-mask destination destination-mask [log] [sample] [rate-limit] syntax to create an IP extended packet-based access list to filter any IP protocol packet, including ICMP, TCP, and UDP, based on their source, destination, protocol, destination port, connection state.

Use the access-list list-name [permit|deny] icmp source source-mask destination destination-mask [proto-type] [log] [sample] [rate-limit] syntax to create an ICMP packet-based access list to filter any ICMP protocol packet, based on their source, destination, protocol, destination port, connection state.

Use the access-list list-name [permit|deny] igmp source source-mask destination destination-mask [proto-type] [log] [sample] [rate-limit] syntax to create an IGMP packet-based access list to filter any IGMP protocol packet, based on their source, destination, protocol, destination port, connection state.

Use the access-list list-name [permit|deny] tcp source source-mask [operator operand] destination destination-mask [operator operand] [established] [fragment] [log] [sample] [rate-limit] syntax to create a TCP protocol packet-based access list to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.

Use the access-list list-name [permit|deny] udp source source-mask [operator operand] destination destination-mask [operator operand] [fragment] [log] [sample] [rate-limit] syntax to create a UDP protocol packet-based access list to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.

Use the route-map, neighbor distribute-list, and neighbor filter-list commands to apply address-based access lists to routes.

Use the ip access-group interface configuration command to apply packet-based access lists to an interface.

Use the no access-list list-name syntax to delete an access list.

Factory Default: Deny statement for all options.

Command Mode: Configuration.

Example 1: In the following example, the 4 access-list commands create a standard access list named ISP4_access that allows access only for hosts on three specified networks:

router(config)#access-list ISP4_access permit 10.5.1.121 0.0.0.255
router(config)#access-list ISP4_access permit 128.20.0.0 0.0.255.255
router(config)#access-list ISP4_access permit 120.0.0.0 0.255.255.255
router(config)#

Only routes that match entries in the access list are permitted. Note the last line of the access list is a deny any statement to remind your reader that all other access is denied.

Example 2: In the following example, the access-list commands create an extended access list allowFTP to permit FTP command and control packets from all sources and destinations:

router(config)#access-list allowFTP permit tcp any any eq ftp
router(config)#access-list allowFTP permit tcp any any eq ftp-data

Example 3: In the following example, the access-list commands create an extended access list denySNMP to deny SNMP packets from all sources and destinations, but permit all other IP traffic:

router(config)#access-list denySNMP deny udp any any eq snmp
router(config)#access-list denySNMP permit ip any any

Example 4: In the following example, sampled and default access groups are configured:

router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#interface pos 1/14/1
router(config-if)#mirror pos 1/13/1
router(config-if)#exit
router(config)#sample src-100-d 100
router(config)#sample src-100-p 100
router(config)#ip access-list extended src_filter
router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d
router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p
router(config-ext-nacl)#permit ip any any
router(config-ext-nacl)#exit
router(config)#interface pos 1/14/1
router(config-if)#ip access-group src_filter forward
router(config-if)#exit
router(config)#ip access-list extended forme
router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet
router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255
router(config-ext-nacl)#exit
router(config)#ip default-access-group forme in
router(config)#end
router#

Related Commands: ip access-list
ip as-path access-list
ip community-list
mirror
rate-limit
sample
show access-lists
show ip access-lists
neighbor distribute-list
neighbor filter-list
ip access-group



Copyright © 2002 Avici Systems Inc.
Avici® and TSR® are registered trademarks of Avici Systems Inc.
IPriori™ and SSR™ are trademarks of Avici Systems Inc.

   Source File Name: Routing_Pol.fm
    HTML File Name: Routing_Pol2.html
    Last Updated: 05/30/02 at 13:22:29
