access-list ip

Syntax

access-list ip <ACL-NAME>

    [<SEQUENCE-NUMBER>]
    {permit|deny}
    {any|ah|gre|esp|icmp|igmp|ospf|pim|<IP-PROTOCOL-NUM>}
    {any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
    {any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
    [dscp {AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|
          CS0|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF|<DSCP-VALUE>}][ecn <ECN-VALUE>] 
    [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>]
    [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log]

    [<SEQUENCE-NUMBER>]
    {permit|deny}
    {sctp|tcp|udp}
    {any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
    [{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>]
    {any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}
    [{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>]
    [urg] [ack] [psh] [rst] [syn] [fin] [established]
    [dscp {AF11|AF12|AF13|AF21|AF22|AF23|AF31|AF32|AF33|AF41|AF42|AF43|
          CS0|CS1|CS2|CS3|CS4|CS5|CS6|CS7|EF|<DSCP-VALUE>}] [ecn <ECN-VALUE>] 
    [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>]
    [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log]

    [<SEQUENCE-NUMBER>] comment <TEXT-STRING>

Description

Creates an IPv4 access control list (ACL) made up of one or more access control entries (ACEs), ordered and prioritized by sequence number. The ACE with the lowest sequence number has the highest priority.

The no form of this command deletes an ACL (use no with the access-list command) or an individual ACE (use no with the sequence number of the ACE).

Command context

config

The access-list ip <ACL-NAME> command takes you into the named ACL context where you enter the access control entries.

Parameters

<ACL-NAME>

Specifies the name of this ACL.

<SEQUENCE-NUMBER>

Specifies a sequence number for the ACE. Optional; range 1-4294967295.

{permit|deny}

Specifies whether to permit or deny traffic matching this ACE.

comment

Stores the remaining text entered on the line as an ACE comment.

protocol

Select a protocol from the following (enter one only):

  • any - Any IP protocol

  • <IP-PROTOCOL-NUM> - Enter an IP protocol number. Range: 1-255.

  • Enter an IP protocol name from the following list:

    • ah

    • gre

    • esp

    • icmp

    • igmp

    • ospf (version 2)

    • pim

    • sctp

    • tcp

    • udp

{any|<SRC-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}

Specifies the source IP host, network address, or the keyword any. You can optionally include the following:

  • <PREFIX-LENGTH> - The address bits to mask (CIDR subnet mask notation), range 1-32.

  • <SUBNET-MASK> - The address bits to mask (dotted decimal notation).

{any|<DST-IP-ADDRESS>[/{<PREFIX-LENGTH>|<SUBNET-MASK>}]}

Specifies the destination IP host, network address, or the keyword any. You can optionally include the following:

  • <PREFIX-LENGTH> - The address bits to mask (CIDR subnet mask notation), range 1-32.

  • <SUBNET-MASK> - The address bits to mask (dotted decimal notation).

[{eq|gt|lt} <PORT>|range <MIN-PORT> <MAX-PORT>]

Each port to be matched requires a separate hardware entry. The system can run out of hardware resources before the ACE limit is reached when many Layer 4 ports are to be matched.

For example, the 8400 switch supports a maximum of 24,000 ACEs per egress ACL. One ACE containing a source or destination Layer 4 port range of gt 10 results in (65535-10)*(65535-10) = 4,293,525,625 hardware entries. This ACE exceeds the hardware capacity of the 8400 switch and cannot be applied.

Specifies matching using one of the following keywords:
  • eq - Layer 4 port is equal to the specified port.

  • gt - Layer 4 port is greater than the specified port.

  • lt - Layer 4 port is less than the specified port.

Relative to either:
  • <PORT> - A single Layer 4 port (range 0-65535).

  • range <MIN-PORT> <MAX-PORT> - A layer 4 port from the minimum to the maximum port inclusive.
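As an added example (not HPE/Aruba code), the following Python models two rules this page states: ACE priority by lowest sequence number, and the hardware-entry cost of Layer 4 port qualifiers. It assumes the cost is the product of matched source ports and matched destination ports, which reproduces the page's figure for gt 10, and it ignores TCP flags and DSCP; ace, first_match and hardware_entries are hypothetical helpers, not switch commands.

```python
# Added example, not HPE/Aruba code. Models two rules this page states for access-list ip:
# the lowest sequence number matches first, and each matched L4 port costs a hardware entry.
import ipaddress

def port_count(qual):
    """Ports matched by one [{eq|gt|lt} PORT | range MIN MAX] qualifier; None = no qualifier."""
    if qual is None:
        return 1
    op, *args = qual
    return {"eq": 1, "gt": 65535 - args[0], "lt": args[0],   # gt: PORT+1..65535, lt: 0..PORT-1
            "range": args[-1] - args[0] + 1}[op]             # range: MIN..MAX inclusive

def hardware_entries(src_qual, dst_qual):
    """Assumed expansion: source x destination ports; gives the page's (65535-10)*(65535-10)."""
    return port_count(src_qual) * port_count(dst_qual)

def port_ok(qual, port):
    if qual is None:
        return True
    op, *args = qual
    return {"eq": port == args[0], "gt": port > args[0], "lt": port < args[0],
            "range": args[0] <= port <= args[-1]}[op]

def in_net(net, ip):
    return net is None or ipaddress.ip_address(ip) in net

def ace(seq, action, proto, src, dst, sport=None, dport=None):
    """One ACE as typed in the config-acl-ip context; 'any' is the wildcard keyword."""
    net = lambda s: None if s == "any" else ipaddress.ip_network(s, strict=False)
    return dict(seq=seq, action=action, proto=proto, src=net(src), dst=net(dst),
                sport=sport, dport=dport)

def matches(a, pkt):
    return (a["proto"] in ("any", pkt["proto"])
            and in_net(a["src"], pkt["src"]) and in_net(a["dst"], pkt["dst"])
            and port_ok(a["sport"], pkt["sport"]) and port_ok(a["dport"], pkt["dport"]))

def first_match(acl, pkt):
    """Lowest sequence number is highest priority: the first matching ACE decides, else None."""
    return next((a for a in sorted(acl, key=lambda a: a["seq"]) if matches(a, pkt)), None)

# MY_IP_ACL from the Examples section (the TCP flags and dscp of entry 30 are omitted).
MY_IP_ACL = [
    ace(10, "permit", "udp", "any", "172.16.1.0/24"),
    ace(20, "permit", "tcp", "172.16.2.0/16", "any", sport=("gt", 1023)),
    ace(30, "permit", "tcp", "172.26.1.0/24", "any"),
    ace(40, "deny", "any", "any", "any"),
]
```

A TCP packet from 172.16.2.5 with source port 80 falls through entry 20 (80 is not gt 1023) and is caught by the deny at 40, while the same packet from source port 40000 is permitted by entry 20.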

urg

Specifies matching on the TCP Flag: Urgent. (Applies only to the "in" (ingress) direction.)

ack

Specifies matching on the TCP Flag: Acknowledgment. (Applies only to the "in" (ingress) direction.)

psh

Specifies matching on the TCP Flag: Push buffered data to receiving application. (Applies only to the "in" (ingress) direction.)

rst

Specifies matching on the TCP Flag: Reset the connection. (Applies only to the "in" (ingress) direction.)

syn

Specifies matching on the TCP Flag: Synchronize sequence numbers. (Applies only to the "in" (ingress) direction.)

fin

Specifies matching on the TCP Flag: Finish connection. (Applies only to the "in" (ingress) direction.)

established

Specifies matching on the TCP Flag: Established connection. (Applies only to the "in" (ingress) direction.)

dscp

Specifies a Differentiated Services Code Point (DSCP) value. Enter either a numeric <DSCP-VALUE> (0-63) or a keyword as follows:

  • AF11 - DSCP 10 (Assured Forwarding Class 1, low drop probability)

  • AF12 - DSCP 12 (Assured Forwarding Class 1, medium drop probability)

  • AF13 - DSCP 14 (Assured Forwarding Class 1, high drop probability)

  • AF21 - DSCP 18 (Assured Forwarding Class 2, low drop probability)

  • AF22 - DSCP 20 (Assured Forwarding Class 2, medium drop probability)

  • AF23 - DSCP 22 (Assured Forwarding Class 2, high drop probability)

  • AF31 - DSCP 26 (Assured Forwarding Class 3, low drop probability)

  • AF32 - DSCP 28 (Assured Forwarding Class 3, medium drop probability)

  • AF33 - DSCP 30 (Assured Forwarding Class 3, high drop probability)

  • AF41 - DSCP 34 (Assured Forwarding Class 4, low drop probability)

  • AF42 - DSCP 36 (Assured Forwarding Class 4, medium drop probability)

  • AF43 - DSCP 38 (Assured Forwarding Class 4, high drop probability)

  • CS0 - DSCP 0 (Class Selector 0: Default)

  • CS1 - DSCP 8 (Class Selector 1: Scavenger)

  • CS2 - DSCP 16 (Class Selector 2: OAM)

  • CS3 - DSCP 24 (Class Selector 3: Signaling)

  • CS4 - DSCP 32 (Class Selector 4: Realtime)

  • CS5 - DSCP 40 (Class Selector 5: Broadcast video)

  • CS6 - DSCP 48 (Class Selector 6: Network control)

  • CS7 - DSCP 56 (Class Selector 7)

  • EF - DSCP 46 (Expedited Forwarding)

ecn <ECN-VALUE>

Specifies an Explicit Congestion Notification (ECN) value. Range: 0-3.

fragment

Specifies matching on IP fragment packets.

ip-precedence <IP-PRECEDENCE-VALUE>

Specifies an IP precedence value. Range: 0-7.

tos <TOS-VALUE>

Specifies a Type of Service value. Range: 0-31.

ttl <TTL-VALUE>

Specifies a time-to-live value.

vlan <VLAN-ID>

Specifies the 802.1Q VLAN ID to match on.

count

Keeps a hit count of the packets matching this ACE.

log

Keeps a log of the number of packets matching this ACE. The log option can only be combined with deny, not permit.

Authority

Administrators

Usage

When multiple ACL types (IPv4, IPv6, or MAC) with logging are applied on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait-period has elapsed, packets matching ACEs of other ACL types do not create a log. At the end of the wait-period, the switch creates a summary log of all the ACLs that were matched, regardless of type.

Examples

Creating an IPv4 ACL with four entries:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 10 permit udp any 172.16.1.0/24
switch(config-acl-ip)# 20 permit tcp 172.16.2.0/16 gt 1023 any
switch(config-acl-ip)# 30 permit tcp 172.26.1.0/24 any syn ack dscp 10
switch(config-acl-ip)# 40 deny any any any count
switch(config-acl-ip)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0           >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack
           syn
        40 deny                            any
           any
           any
           Hit-counts: enabled

Adding a comment to an existing IPv4 ACE:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 20 comment Permit all TCP ephemeral ports  
switch(config-acl-ip)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 Permit all TCP ephemeral ports
           permit                          tcp
           172.16.2.0/255.255.0.0           >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack
           syn
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing a comment from an existing IPv4 ACE:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# no 20 comment
switch(config-acl-ip)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0           >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack
           syn
        40 deny                            any
           any
           any
           Hit-counts: enabled

Adding an ACE (insert line 25) to an existing IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 25 permit icmp 172.16.2.0/16 any
switch(config-acl-ip)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0           >  1023
           any
        25 permit                          icmp
           172.16.2.0/255.255.0.0
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack
           syn
        40 deny                            any
           any
           any
           Hit-counts: enabled

Replacing an ACE in an existing IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 25 permit icmp 172.17.1.0/16 any
switch(config-acl-ip)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0           >  1023
           any
        25 permit                          icmp
           172.17.1.0/255.255.0.0
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack
           syn
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing an ACE from an IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# no 25
switch(config-acl-ip)# exit

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL
        10 permit                          udp
           any
           172.16.1.0/255.255.255.0
        20 permit                          tcp
           172.16.2.0/255.255.0.0           >  1023
           any
        30 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack
           syn
        40 deny                            any
           any
           any
           Hit-counts: enabled

Removing an IPv4 ACL:

switch(config)# no access-list ip MY_IP_ACL

switch(config)# do show access-list
Type       Name
  Sequence Comment
           Action                          L3 Protocol
           Source IP Address               Source L4 Port(s)
           Destination IP Address          Destination L4 Port(s)
           Additional Parameters
-------------------------------------------------------------------------------
IPv4       MY_IP_ACL2
         1 permit                          udp
           any
           172.16.1.0/255.255.255.0
         2 permit                          tcp
           172.16.2.0/255.255.0.0           >  1023
           any
         3 permit                          tcp
           172.26.1.0/255.255.255.0
           any
           dscp: AF11
           ack
           syn
         4 deny                            any
           any
           any
           Hit-counts: enabled