ip access-list


Defines an IP access list by name and enters access-list configuration mode.

Syntax: [no] ip access-list {standard|extended} name

standard

Defines a standard access list.

extended

Defines an extended access list.

name

Name of this access list. Names may be up to 256 characters and may consist of any alphanumeric characters, the underscore (_), and the hyphen (-). Case is significant.

Description: Access lists are filters that enable you to restrict the routing information a router learns from or advertises to a neighbor. Standard access lists create filters based on permit/deny, prefix, and prefix don't-care-bits. Extended access lists enable you to specify the type of protocol, network mask, and mask don't-care-bits as well as the elements that you can configure with a standard access list. Extended lists enable you to define range filters with masks and are more flexible for range matching. See access-list.

All IP access lists can be named.

Use the ip access-list command to define a named access list. This command names the access list and changes the command mode to access-list configuration mode. The resulting list is used for address-based or packet-based filtering.

Enter the IP address and network mask for each system the access list controls. Use the permit and deny commands to specify whether that system is permitted access.

Once in access-list configuration mode, use the attributes listed in Table 5-1 to build configuration commands.

Table 5-1. Packet Attributes and Valid Values 
Attribute Description

permit

Permits access of packet if conditions are matched.

deny

Denies access of packet if conditions are matched.

protocol

Name or number of an Internet protocol. Name keywords are: icmp, igmp, ip, ospf, pim, tcp, or udp. Number entries are standard internet protocol numbers from 0 - 255.

source

IP address of network or host sending the packet. The router compares routes being tested to this value. Specify the address using one of the following formats:

  • 32-bit IP address in dotted decimal format.

  • keyword any to specify a source and source-mask of 0.0.0.0 255.255.255.255

  • keyword host followed by the host address in dotted decimal notation which specifies source-mask of 0.0.0.0

source-mask

Network mask applied to the source address. Specify as a 32-bit IP address in dotted decimal format.

destination

IP address of network or host to which the packet is being sent. Specify the address using one of the following formats:

  • 32-bit IP address in dotted decimal format.

  • keyword any to specify a destination and destination-mask of 0.0.0.0 255.255.255.255

  • keyword host followed by the host address in dotted decimal notation, which specifies a destination-mask of 0.0.0.0

destination-mask

Network mask applied to the destination address. Specify as a 32-bit IP address in dotted decimal format.

operator

For udp and tcp packets only. Compares a source or destination port against the operand.

When used after the source IP address/source-mask, specifies a source port.

When used after the destination IP address/destination-mask, specifies a destination port.

Valid values are:

eq- specifies the port number is equal to the operand.

range- specifies an inclusive range of ports; the two operands are separated by a space, for example, ports 1 through 3 would be entered as 1 3.

operand

Specifies the port to compare against. Valid values are either a port number or a predefined port number keyword:

0 - 65535 - port number

Predefined port number keywords for tcp are:

  • bgp- BGP routing protocol packets

  • domain- DNS packet

  • echo- TCP echo port

  • exec- RSH protocol

  • ftp- FTP protocol commands. To enable FTP on the Avici router, both the ftp and ftp-data packet types must be permitted.

  • ftp-data- FTP protocol data

  • login- Remote login packets

  • sunrpc- Standard RPC protocol

  • syslog- UNIX syslog

  • telnet- Telnet connections

Predefined port number keywords for udp are:

  • bootpc- Client port for the bootp protocol

  • bootps- Server port for the bootp protocol

  • domain- DNS packets

  • echo- UDP echo port

  • ntp- Network Time Protocol packets

  • rip- RIP routing protocol packets

  • snmp- SNMP packets

  • sunrpc- Standard RPC protocol

  • syslog- UNIX syslog

  • tftp- Trivial File Transfer Protocol packets

icmpType, icmpCode

ICMP type and code as defined in RFC 792. For ICMP messages only.

icmpMessage

ICMP message text. For ICMP messages only.

igmpType

IGMP message type. For IGMP messages only.

established

For tcp protocol only. Indicates an established connection. A match occurs if the tcp datagram has the ACK or RST bits set. The non-matching case is the initial TCP datagram to form a connection.

fragment

Match occurs on packet fragments (those packets with a non-zero fragment offset in their IP header). This keyword cannot be used if a port number is specified or if the established keyword is used.

log

Generate a syslog message when at least one match occurs within a 10 second interval.

sample

Send a mirror copy of the packet to the configured interface mirror port.

rate-limit

Limits the rate of the received bandwidth to the configured rate.

Use the [permit|deny] source source-mask syntax to create a standard address-based IP access list entry. Add entries to the list by repeating the command for different IP addresses.

Use the [permit|deny] source source-mask destination destination-mask syntax to create an extended address-based IP access list entry. Add entries to the list by repeating the command for different IP addresses.

Use the [permit|deny] ip source source-mask destination destination-mask [log] [sample] [rate-limit] syntax to create an IP extended packet-based access list entry to filter any IP protocol packet, including ICMP, TCP, and UDP, based on its source, destination, protocol, destination port, and connection state.

Use the [permit|deny] icmp source source-mask destination destination-mask [proto-type] [log] [sample] [rate-limit] syntax to create an ICMP packet-based IP access list entry to filter any ICMP protocol packet, based on its source, destination, protocol, destination port, and connection state.

Use the [permit|deny] igmp source source-mask destination destination-mask [proto-type] [log] [sample] [rate-limit] syntax to create an IGMP packet-based IP access list entry to filter any IGMP protocol packet, based on its source, destination, protocol, destination port, and connection state.

Use the [permit|deny] tcp source source-mask [operator operand] destination destination-mask [operator operand] [established] [fragment] [log] [sample] [rate-limit] syntax to create a TCP protocol packet-based IP access list entry to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.

Use the [permit|deny] udp source source-mask [operator operand] destination destination-mask [operator operand] [fragment] [log] [sample] [rate-limit] syntax to create a UDP protocol packet-based IP access list entry to filter individual packets based on their source, destination, protocol, destination port, connection state and fragmentation.

Use the route-map, neighbor distribute-list, and neighbor filter-list commands to apply address-based access lists to routes.

Use the ip access-group interface configuration command to apply packet-based access lists to an interface.

Use the no ip access-list command to delete a named access list.

Note that an implicit deny any statement is automatically appended to the end of every access list, so any packet or route that matches no entry is denied.
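To make the matching rules above concrete (wildcard don't-care masks, the any and host keywords, eq and range operators, established, first-match evaluation and the implicit deny any), here is an added Python model of an extended access list. This is example code written for this page, not Avici software; the port keyword table and the SAMPLE_ACL entries are constructed assumptions, and the sample's FTP entry deliberately omits ftp-data to show the behaviour the ftp keyword note describes.

```python
import ipaddress

# Subset of the page's predefined port keywords; values are the standard IANA port numbers.
PORT_KEYWORDS = {"ftp-data": 20, "ftp": 21, "telnet": 23, "domain": 53, "bgp": 179}

def wildcard_match(addr, base, wildcard):
    """Wildcard ('don't-care') mask: a 1 bit in the mask means that bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)
def parse_addr(t):  # 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' -> ((addr, mask), rest)
    if t[0] == "any": return ("0.0.0.0", "255.255.255.255"), t[1:]
    if t[0] == "host": return (t[1], "0.0.0.0"), t[2:]
    return (t[0], t[1]), t[2:]
def parse_ports(t):  # optional 'eq X' or 'range X Y' -> ((lo, hi) or None, rest)
    val = lambda tok: PORT_KEYWORDS[tok] if tok in PORT_KEYWORDS else int(tok)
    if t and t[0] == "eq": return (val(t[1]), val(t[1])), t[2:]
    if t and t[0] == "range": return (val(t[1]), val(t[2])), t[3:]
    return None, t
def parse_entry(line):  # {permit|deny} proto src [op] dst [op] [established]
    t = line.split()
    action, proto, t = t[0], t[1], t[2:]
    src, t = parse_addr(t); sport, t = parse_ports(t)
    dst, t = parse_addr(t); dport, t = parse_ports(t)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "established": "established" in t}
def entry_matches(e, pkt):
    if e["proto"] not in ("ip", pkt["proto"]) or not wildcard_match(pkt["src"], *e["src"]) \
            or not wildcard_match(pkt["dst"], *e["dst"]):
        return False
    for rng, port in ((e["sport"], pkt["sport"]), (e["dport"], pkt["dport"])):
        if rng and not (rng[0] <= port <= rng[1]):
            return False
    # 'established' matches only segments with ACK or RST set, so the opening SYN never matches.
    return not e["established"] or bool(pkt["flags"] & {"ACK", "RST"})
def evaluate(acl, pkt):
    """First matching entry wins; the implicit 'deny any' at the end catches everything else."""
    for e in acl:
        if entry_matches(e, pkt):
            return e["action"]
    return "deny"
def packet(proto, src, dst, sport, dport, flags=()):
    return {"proto": proto, "src": src, "dst": dst, "sport": sport, "dport": dport, "flags": set(flags)}

# Constructed sample list in the page's entry syntax (an assumption for this example, not Avici config).
SAMPLE_ACL = [parse_entry(l) for l in (
    "deny tcp 10.10.0.0 0.0.255.255 any eq telnet",      # no Telnet out of 10.10.0.0/16
    "deny tcp any eq telnet 10.10.0.0 0.0.255.255",      # and no Telnet replies back into it
    "permit tcp any host 192.0.2.10 eq ftp",             # FTP control channel only (no ftp-data)
    "permit tcp any 192.0.2.0 0.0.0.255 established",    # replies belonging to open sessions
)]
```

Running evaluate over a SYN to port 20 on 192.0.2.10 returns "deny" from the implicit rule, which is exactly why the page says both ftp and ftp-data must be permitted for FTP to work.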

Factory Default: No IP access lists defined.

Command Mode: Configuration.

Example 1: In the following example, the ip access-list, deny, and permit commands create a standard access list named ISP1_inbound that only allows hosts on the two specified networks:

router(config)#ip access-list standard ISP1_inbound
router(config-std-nacl)#permit 205.5.1.121 0.0.0.255
router(config-std-nacl)#permit 128.20.0.0 0.0.255.255
router(config-std-nacl)#exit
router(config)#

Example 2: In the following example, an extended access list named src_filter is created and applied to interface pos 1/14/1 in the forward direction, and a second extended list named forme, which denies Telnet in both directions for the 10.10.0.0 network, is applied as the default inbound access group:

router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip access-list extended src_filter
router(config-ext-nacl)#deny ip 12.160.0.0 0.0.255.255 sample src-100-d
router(config-ext-nacl)#permit ip 191.0.0.0 0.255.255.255 sample src-100-p
router(config-ext-nacl)#permit ip any any
router(config-ext-nacl)#exit
router(config)#interface pos 1/14/1
router(config-if)#ip access-group src_filter forward
router(config-if)#exit
router(config)#ip access-list extended forme
router(config-ext-nacl)#deny tcp 10.10.0.0 0.0.255.255 any eq telnet
router(config-ext-nacl)#deny tcp any eq telnet 10.10.0.0 0.0.255.255
router(config-ext-nacl)#exit
router(config)#ip default-access-group forme in
router(config)#end
router#

Related Commands: access-list
ip as-path access-list
ip community-list
show access-lists
show ip access-lists
neighbor distribute-list
neighbor filter-list


Copyright © 2002 Avici Systems Inc.
Avici® and TSR® are registered trademarks of Avici Systems Inc.
IPriori™ and SSR™ are trademarks of Avici Systems Inc.

   Source File Name: Routing_Pol.fm
    HTML File Name: Routing_Pol6.html
    Last Updated: 05/30/02 at 13:22:29