Table Of Contents
ACL Support for Filtering IP Options
Restrictions for the ACL Support for Filtering IP Options Feature
Information About ACL Support for Filtering IP Options
Benefits of Using the ACL Support for Filtering IP Options Feature
How to Configure the ACL Support for Filtering IP Options Feature
Configuring Access Lists to Filter Packets That Contain IP Options
ACL Support for Filtering IP Options: Example
Configuring the Access List to Filter Packets That Contain IP Options: Example
ACL Support for Filtering IP Options
The ACL Support for Filtering IP Options feature allows you to use access control lists (ACLs) to filter IP Options packets, in order to prevent routers from becoming saturated with spurious packets containing IP Options. The ACLs provide granular control, and can be used in a complementary fashion with the no ip options command-line interface (CLI) command that is documented in the IP Options Selective Drop feature in Cisco IOS Release 12.3(4)T.
Feature History for ACL Support for the Filtering IP Options Feature
Release      Modification
12.3(4)T     This feature was introduced.
12.2(25)S    This feature was integrated into Cisco IOS Release 12.2(25)S.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
• Restrictions for the ACL Support for Filtering IP Options Feature
• Information About ACL Support for Filtering IP Options
• How to Configure the ACL Support for Filtering IP Options Feature
• ACL Support for Filtering IP Options: Example
Restrictions for the ACL Support for Filtering IP Options Feature
Resource Reservation Protocol (RSVP) Multiprotocol Label Switching terminal equipment (MPLS TE), Internet Group Management Protocol Version 2 (IGMPV2), and other protocols that use IP Options packets may not function in drop or ignore mode if this feature is configured.
On most Cisco routers, a packet with IP Options is not switched in hardware but requires control plane software processing (primarily because the options must be processed and the IP header rewritten), so all IP packets with IP Options are filtered and switched in software. Note also that Turbo ACLs do not support ACLs with entries that filter using the option keyword; such ACLs will not be Turbo compiled. This option keyword restriction does not affect any other ACLs on the router. In general, not using Turbo ACLs in such cases is not considered a performance issue because the Cisco IOS software allows for faster ACL processing starting from Cisco IOS Release 12.3(2)T.
The ACL Support for Filtering IP Options feature can be used only with named, extended ACLs.
Note
To effectively eliminate all packets that contain IP Options, we recommend that the global ip options drop command be used.
Information About ACL Support for Filtering IP Options
Before you configure the ACL Support for Filtering IP Options feature, you should understand the following concepts:
• IP Options
• Benefits of Using the ACL Support for Filtering IP Options Feature
IP Options
The internet protocol uses four key mechanisms in providing its service: Type of Service, Time to Live, Options, and Header Checksum.
The Options, commonly referred to as IP Options, provide for control functions that are required in some situations but unnecessary for the most common communications. IP Options include provisions for time stamps, security, and special routing.
IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways). What is optional is their transmission in any particular datagram, not their implementation. In some environments the security option may be required in all datagrams.
The option field is variable in length. There may be zero or more options. IP Options can have one of two formats:
• Format 1: A single octet of option-type.
• Format 2: An option-type octet, an option-length octet, and the actual option-data octets.
The option-length octet counts the option-type octet and the option-length octet and the option-data octets.
The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred to by their 8-bit value.
For a complete list and description of IP Options, refer to RFC 791 at the following URL: http://www.faqs.org/rfcs/rfc791.html.
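The option decoding described above, as an added example that is not Cisco code and not part of this document: it walks the Options field honouring the two formats and the option-length rule, splits each option-type octet into its copied flag, class and number, and then applies the option value test that the ACEs on this page use; it goes beyond the text by rejecting malformed option lengths. The option numbers come from RFC 791/IANA; keyword spellings other than the five used in this page's examples (eool, record-route, zsu, mtup, ssr) are assumptions, and the sample headers are constructed here.

```python
from __future__ import annotations
from dataclasses import dataclass

# 8-bit option-type value -> ACL keyword.  Numbers are the RFC 791 / IANA
# assignments; eool, record-route, zsu, mtup and ssr are the spellings used
# in this page's examples, the other keyword spellings are assumptions.
OPTION_NAMES = {
    0: "eool",          # End of Option List   (format 1: one octet)
    1: "no-op",         # No Operation         (format 1: one octet)
    7: "record-route",  # Record Route
    10: "zsu",          # Experimental Measurement
    11: "mtup",         # MTU Probe
    12: "mtur",         # MTU Reply
    68: "timestamp",    # Internet Timestamp
    131: "lsr",         # Loose Source Route
    137: "ssr",         # Strict Source Route
    148: "router-alert",
}
OPTION_VALUES = {name: value for value, name in OPTION_NAMES.items()}


@dataclass
class IPOption:
    type_value: int    # whole option-type octet; what `option <value>` matches on
    copied: bool       # bit 7: option is copied into every fragment
    option_class: int  # bits 6-5: 0 = control, 2 = debugging and measurement
    number: int        # bits 4-0: option number
    data: bytes        # option-data octets (empty for format-1 options)

    @property
    def name(self) -> str:
        return OPTION_NAMES.get(self.type_value, str(self.type_value))


def decode_type_octet(t: int) -> tuple[bool, int, int]:
    """Split the option-type octet into (copied flag, class, number)."""
    return bool(t & 0x80), (t >> 5) & 0x03, t & 0x1F


def parse_ip_options(raw: bytes) -> list[IPOption]:
    """Walk the Options field.  eool and no-op are one octet (format 1); every
    other option carries a length octet counting type, length and data octets
    (format 2).  A length below 2 or past the end of the field is malformed."""
    opts: list[IPOption] = []
    i = 0
    while i < len(raw):
        t = raw[i]
        copied, cls, num = decode_type_octet(t)
        if t in (0, 1):
            opts.append(IPOption(t, copied, cls, num, b""))
            if t == 0:
                break                       # octets after eool are padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {t} at offset {i}: missing length octet")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError(f"option {t} at offset {i}: bad length {length}")
        opts.append(IPOption(t, copied, cls, num, raw[i + 2:i + length]))
        i += length
    return opts


def is_malformed(raw: bytes) -> bool:
    """True if the Options field cannot be parsed (software-path work on a router)."""
    try:
        parse_ip_options(raw)
    except ValueError:
        return True
    return False


def header_options(header: bytes) -> list[IPOption]:
    """Take the Options field out of an IPv4 header using its IHL."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError(f"bad IHL {ihl}")
    return parse_ip_options(header[20:ihl])


def option_matches(header: bytes, option_value: int | str) -> bool:
    """The `option <value>` test of an ACE: true when any option in the header
    has that 8-bit type value, given as a number or as its keyword name."""
    wanted = OPTION_VALUES[option_value] if isinstance(option_value, str) else option_value
    return any(o.type_value == wanted for o in header_options(header))


# Constructed samples: version/IHL octet + 19 fixed octets (TTL 64, protocol
# TCP, checksum left zero, 10.0.0.1 -> 10.0.0.2) + an Options field.
FIXED = bytes.fromhex("00 0000 0000 0000 40 06 0000 0a000001 0a000002")


def _header(options: bytes) -> bytes:
    total = 20 + len(options)            # options padded to a 32-bit boundary
    return bytes([0x40 | total // 4]) + FIXED + options


# Record Route: type 7, length 3 (no room to record), pointer 4; then eool pad
SAMPLE_RR = _header(bytes([7, 3, 4, 0]))
# Strict Source Route: type 137, length 7, pointer 4, one hop 10.0.0.2; then eool
SAMPLE_SSR = _header(bytes([137, 7, 4, 10, 0, 0, 2, 0]))
```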
Benefits of Using the ACL Support for Filtering IP Options Feature
• Filtering packets that contain IP Options out of the network, relieving downstream routers and hosts of the load of processing options packets.
• Load minimization to the Route Processor (RP) for packets with IP Options that require RP processing on distributed systems. Previously, the packets were always routed to or processed by the RP CPU. Filtering the packets prevents them from impacting the RP.
How to Configure the ACL Support for Filtering IP Options Feature
This section contains the following procedures:
• Configuring Access Lists to Filter Packets That Contain IP Options
Configuring Access Lists to Filter Packets That Contain IP Options
The following task configures access lists to filter packets that contain IP Options and verifies that the access lists have been configured correctly.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list {standard | extended} access-list-name
4. [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary, adding one statement for each option value you planned to filter. Use the no sequence-number form of this command to delete an entry.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
ACL Support for Filtering IP Options: Example
This section contains the following configuration example:
• Configuring the Access List to Filter Packets That Contain IP Options: Example
Configuring the Access List to Filter Packets That Contain IP Options: Example
The following example shows an extended access list named mylist2 that contains access list entries (ACEs) that are configured to permit TCP packets only if they contain the IP Options that are specified in the ACEs:
Router> enable
Router# configure terminal
Router(config)# ip access-list extended mylist2
Router(config-ext-nacl)# 10 permit ip any any option eool
Router(config-ext-nacl)# 20 permit ip any any option record-route
Router(config-ext-nacl)# 30 permit ip any any option zsu
Router(config-ext-nacl)# 40 permit ip any any option mtup
The show access-list command has been entered to show how many packets were matched and therefore permitted:
Router# show ip access-list mylist2
Extended IP access list test
10 permit ip any any option eool (1 match)
20 permit ip any any option record-route (1 match)
30 permit ip any any option zsu (1 match)
40 permit ip any any option mtup (1 match)
Where to Go Next
You may also want to enter the no ip options command that is documented in the IP Options Selective Drop feature in Cisco IOS Release 12.3(4)T.
Additional References
The following sections provide references related to the ACL Support for Filtering IP Options feature.
Related Documents
Related Topic                                                            Document Title
Configuring IP access lists                                              "Configuring IP Services" chapter in the Cisco IOS IP Configuration Guide
IP access list commands                                                  "IP Addressing and Services Commands" chapter in the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3 T
Configuring the router to drop or ignore packets containing IP Options   IP Options Selective Drop feature module for Cisco IOS Release 12.3(4)T
Standards
Standards                                                                                                                          Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.   —
MIBs
RFCs
Technical Assistance
Command Reference
This section documents the following modified commands only.
deny (IP)
To set conditions in a named IP access list that will deny packets, use the deny command in access list configuration mode. To remove a deny condition from an access list, use the no form of this command.
[sequence-number] deny source [source-wildcard]
[sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
no sequence-number
no deny source [source-wildcard]
no deny protocol source source-wildcard destination destination-wildcard
Internet Control Message Protocol (ICMP)
[sequence-number] deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
[sequence-number] deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)
[sequence-number] deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)
[sequence-number] deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Syntax Description
sequence-number
(Optional) Sequence number assigned to the deny statement, causing the system to insert the statement in that numbered position in the access list.
source
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard
Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
protocol
Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.
destination
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
option option-name
(Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in the section "Usage Guidelines."
precedence precedence
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name.
tos tos
(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not Cisco Express Forwarding (CEF) switched. They are fast switched. Logging disables CEF.
time-range time-range-name
(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
fragments
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
icmp-type
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
igmp-type
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
operator
(Optional) Compares source or destination ports. Operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard arguments, it must match the source port.
If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
port
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.
established
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram to form a connection.
Note
The established keyword can be used only with the old command-line interface (CLI) format. To use the new CLI format you must use the match-any and match-all keywords followed by the + or - keywords and flag-name argument.
match-any
match-all
(Optional) For the TCP protocol only: A match occurs if the TCP datagram has certain TCP flags set or not set. You use the match-any keyword to allow a match to occur if any of the specified TCP flags are present or you can use the match-all keyword to allow a match to occur only if all of the specified TCP flags are present. You must follow the match-any and match-all keywords with the + or - keyword and the flag-name argument to match on one or more TCP flags.
+ - flag-name
(Optional) For the TCP protocol only: The + keyword allows IP packets if their TCP headers contain the TCP flags that are specified by the flag-name argument. The - keyword filters out IP packets that do not contain the TCP flags specified by the flag-name argument. You must follow the + and - keywords with the flag-name argument. TCP flag names can be used only when filtering TCP. Flag names for the TCP flags are as follows: urg, ack, psh, rst, syn, and fin.
Defaults
There are no specific conditions under which a packet is denied passing the named access list.
Command Modes
Access list configuration
Command History
Usage Guidelines
Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.
The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect.
Access List Filtering of IP Options
Access control lists can be used to filter packets with IP Options, to prevent routers from being saturated with spurious packets containing IP Options. To see a complete table of all IP Options, including ones currently not in use, refer to the latest Internet Assigned Numbers Authority (IANA) information that is available from its URL: www.iana.org.
Cisco IOS software allows you to filter packets on whether they contain one or more of the legitimate IP Options by entering either the IP Option value or the corresponding name for the ip-value argument as shown in Table 1:
Table 1 IP Option Values and Names
Filtering IP Packets Based on TCP Flags
The ACEs that comprise an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have very specific group of TCP flags set or not set. Users can select any desired combination of TCP flags on which to filter TCP packets. Users can configure ACEs in order to allow matching on a flag set and on a flag not set. Use the + and - keywords with a flag name to specify that a match is made based on whether a TCP header flag has been set. Use the match-any and match-all keywords to allow the packet if any or all, respectively, of the flags specified by the + or - keyword and flag-name argument have been set or not set.
Access List Processing of Fragments
The behavior of access list entries regarding the use or lack of the fragments keyword can be summarized as follows:
Be aware that you should not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword. The packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
The fragments keyword cannot solve all cases involving access lists and IP fragments.
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Examples
The following example sets a deny condition for a standard access list named Internetfilter:
ip access-list standard Internetfilter
 deny 192.5.34.0 0.0.0.255
 permit 172.16.0.0 0.0.255.255
 permit 10.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:
time-range no-http
 periodic weekdays 8:00 to 18:00
!
ip access-list extended strict
 deny tcp any any eq http time-range no-http
!
interface ethernet 0
 ip access-group strict in
The following example adds an entry with the sequence number 25 to extended IP access list 150:
Router(config)# ip access-list extended 150
Router(config-std-nacl)# 25 deny ip host 172.16.3.3 host 192.168.5.34
The following example removes the entry with the sequence number 25 from the standard access list example shown above:
Router(config-std-nacl)# no 25
The following example sets a deny condition for a standard access list named filter2. The ACE specifies that a packet cannot pass the named access list if it contains the Strict Source Routing IP Option, which is represented by the IP Option value ssr.
Router(config)# ip access-list extended filter2
Router(config-ext-nacl)# deny ip any any option ssr
The following example sets a deny condition for an extended access list named kmdfilter1. The ACE specifies that a packet cannot pass the named access list if the RST and FIN TCP flags have been set for that packet:
Router(config)# ip access-list extended kmdfilter1
Router(config-std-nacl)# deny tcp any any match-any +rst +fin
Related Commands
permit (IP)
To set conditions to allow a packet to pass a named IP access list, use the permit command in access list configuration mode. To remove a permit condition from an access list, use the no form of this command.
[sequence-number] permit source [source-wildcard]
[sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
no sequence-number
no permit source [source-wildcard]
no permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Control Message Protocol (ICMP)
[sequence-number] permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
[sequence-number] permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)
[sequence-number] permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)
[sequence-number] permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Syntax Description
sequence-number
(Optional) Sequence number assigned to the permit statement, causing the system to insert the statement in that numbered position in the access list.
source
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard
(Optional) Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
protocol
Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.
destination
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
option option-value
(Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in the section "Usage Guidelines."
precedence precedence
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name.
tos tos
(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility may drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable Cisco Express Forwarding (CEF) and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
time-range time-range-name
(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
fragments
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
icmp-type
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
igmp-type
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
operator
(Optional) Compares source or destination ports. Operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard arguments, it must match the source port.
If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
port
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.
TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.
established
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
Note
The established keyword can be used only with the old CLI format. To use the new CLI format you must use the match-any and match-all keywords followed by the + or - keywords and flag-name argument.
match-any
match-all
(Optional) For the TCP protocol only: A match occurs if the TCP datagram has certain TCP flags set or not set. You use the match-any keyword to allow a match to occur if any of the specified TCP flags are present or you can use the match-all keyword to allow a match to occur only if all of the specified TCP flags are present. You must follow the match-any and match-all keywords with the + or - keyword and the flag-name argument.
+ - flag-name
(Optional) For the TCP protocol only: The "+" keyword matches IP packets if their TCP headers contain the TCP flag specified by the flag-name argument. The "-" keyword matches IP packets that do not contain the TCP flag specified by the flag-name argument. You must follow the "+" and "-" keywords with the flag-name argument. TCP flag names can be used only when filtering TCP. The flag names for the TCP flags are as follows: urg, ack, psh, rst, syn, and fin.
Defaults
There are no specific conditions under which a packet passes the named access list.
Command Modes
Access list configuration
Command History
Usage Guidelines
Use this command following the ip access-list command to define the conditions under which a packet passes the access list.
The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.
Access List Filtering of IP Options
Access control lists can be used to filter packets with IP Options, to prevent routers from being saturated with spurious packets containing IP Options. To see a complete table of all IP Options, including ones currently not in use, refer to the latest Internet Assigned Numbers Authority (IANA) information that is available from their URL: www.iana.org.
Cisco IOS software allows you to filter packets on whether they contain one or more of the legitimate IP Options by entering either the IP Option value or the corresponding name for the ip-value argument as shown in Table 2:
Table 2 IP Option Values and Names
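The option keyword matches on the option type octets carried in the IPv4 header's options area. As an added example (not Cisco code, and not a reconstruction of the page's Table 2), the Python below walks that area the way a filter has to, returning the option names in the order they appear and refusing a header whose length fields are malformed, so a crafted option-bearing packet cannot make the walk loop on a zero length or read past IHL. It assumes a small subset of IANA option values (eool 0, no-op 1, record-route 7, timestamp 68, lsr 131, ssr 137, router-alert 148, nsapa 150); the helper names build_header, ip_options and option_check, and the sample headers, are this example's own constructions.

```python
from __future__ import annotations
import struct

# Subset of IANA IP Option type octets with the names the option argument uses
# for them (assumption for this example; the registry at www.iana.org is the
# complete list). The octet includes the copied and class bits, as IANA lists it.
OPTION_NAMES = {0: "eool", 1: "no-op", 7: "record-route", 68: "timestamp",
                131: "lsr", 137: "ssr", 148: "router-alert", 150: "nsapa"}


def ip_options(header: bytes) -> list[str]:
    """Walk the options area of an IPv4 header and return the option names
    (or 'unknown-<type>') in order. Raises ValueError on a malformed header
    instead of looping or reading past the header length."""
    if len(header) < 20:
        raise ValueError("short header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    names, i = [], 20
    while i < ihl:
        t = header[i]
        if t == 0:                       # EOOL: only padding follows
            names.append("eool")
            break
        if t == 1:                       # NOP: single octet, no length field
            names.append("no-op")
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = header[i + 1]
        if length < 2 or i + length > ihl:   # zero/short length or overrun
            raise ValueError(f"bad option length {length} at offset {i}")
        names.append(OPTION_NAMES.get(t, f"unknown-{t}"))
        i += length
    return names


def option_check(header: bytes, name: str) -> str:
    """What a 'deny ip any any option <name>' entry needs from the header:
    'match', 'no-match', or 'malformed'. A filter should treat 'malformed'
    as a drop rather than letting an unparsable header through."""
    try:
        return "match" if name in ip_options(header) else "no-match"
    except ValueError:
        return "malformed"


def build_header(options: bytes) -> bytes:
    """Constructed minimal IPv4 header (TTL 64, protocol TCP, checksum 0,
    10.0.0.1 -> 10.0.0.2) carrying the given option bytes, padded to 32 bits."""
    opts = options + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opts), 0, 0,
                        64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return fixed + opts


if __name__ == "__main__":
    # router-alert (len 4), NOP, nsapa (len 4), then padding
    good = build_header(b"\x94\x04\x00\x00\x01\x96\x04\x00\x00")
    print(ip_options(good))                          # router-alert, no-op, nsapa, eool
    print(option_check(good, "nsapa"))               # match
    print(option_check(build_header(b"\x96\x00"), "nsapa"))   # zero length: malformed
```

The zero-length case is the one worth keeping in mind: a naive `i += length` loop never advances on it, which is exactly the kind of spurious packet the feature exists to drop.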
Filtering IP Packets Based on TCP Flags
The ACEs that comprise an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have very specific groups of TCP flags set or not set. Users can select any desired combination of TCP flags on which to filter TCP packets. Users can configure ACEs in order to allow matching on a flag set and on a flag not set. Use the + and - keywords with a flag name to specify that a match is made based on whether a TCP header flag has been set. Use the match-any and match-all keywords to allow the packet if any or all, respectively, of the flags specified by the + or - keyword and flag-name argument have been set or not set.
Access List Processing of Fragments
The behavior of access list entries regarding the use or lack of the fragments keyword can be summarized as follows:
Be aware that you should not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword. The packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
The fragments keyword cannot solve all cases involving access lists and IP fragments.
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed even if the first fragment was not policy routed, or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
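The two preceding sections (TCP flag matching with match-any/match-all and the handling of the fragments keyword) are easiest to reason about with a small evaluator in hand. The Python below is an added example, not Cisco code: it models an access list as a first-match list of entries with an implicit deny, implements +/- flag tests under match-any and match-all, the established keyword, the option keyword, and the fragments keyword exactly as described above. One rule it uses is not stated on this page and is an assumption taken from Cisco's documented fragment handling: a noninitial fragment has no Layer 4 header, so an entry with Layer 4 qualifiers is applied if it is a permit and skipped if it is a deny, which is why the text says a deny may need a second entry with the fragments keyword. The class and function names (Packet, Ace, evaluate) and the sample packets are this example's own.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

TCP_FLAGS = ("urg", "ack", "psh", "rst", "syn", "fin")


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()      # TCP flag names that are set
    options: frozenset = frozenset()    # IP Option names present, e.g. "nsapa"
    frag_offset: int = 0                # > 0: noninitial fragment, no L4 header


@dataclass(frozen=True)
class Ace:
    """One access list entry. flag_tests holds (sign, name) pairs such as
    ("+", "rst") or ("-", "ack"); flag_mode is "match-any", "match-all" or
    "established". As on IOS, fragments cannot be combined with L4 matching."""
    action: str                         # "permit" or "deny"
    proto: str = "ip"
    src: str = "any"                    # "any" or an exact host address
    dst: str = "any"
    dport: Optional[int] = None
    flag_mode: Optional[str] = None
    flag_tests: tuple = ()
    option: Optional[str] = None
    fragments: bool = False

    def __post_init__(self):
        if self.fragments and self.has_l4:
            raise ValueError("fragments keyword cannot be combined with Layer 4 matching")
        for sign, name in self.flag_tests:
            if sign not in ("+", "-") or name not in TCP_FLAGS:
                raise ValueError(f"bad TCP flag test {sign}{name}")

    @property
    def has_l4(self) -> bool:
        return self.dport is not None or self.flag_mode is not None


def flags_match(ace: Ace, pkt: Packet) -> bool:
    if ace.flag_mode is None:
        return True
    if ace.flag_mode == "established":          # old-format keyword: ACK or RST set
        return bool(pkt.flags & {"ack", "rst"})
    # "+name" requires the flag set, "-name" requires it clear
    tests = [(name in pkt.flags) == (sign == "+") for sign, name in ace.flag_tests]
    return any(tests) if ace.flag_mode == "match-any" else all(tests)


def ace_decision(ace: Ace, pkt: Packet) -> Optional[str]:
    """Return the entry's action if it matches, None to fall through to the next."""
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return None
    if ace.src not in ("any", pkt.src) or ace.dst not in ("any", pkt.dst):
        return None
    if ace.option is not None and ace.option not in pkt.options:
        return None
    noninitial = pkt.frag_offset > 0
    if ace.fragments:                           # matches noninitial fragments only;
        return ace.action if noninitial else None   # an initial fragment never matches
    if noninitial and ace.has_l4:
        # Assumption (Cisco's documented fragment handling, not stated on this page):
        # L4 qualifiers cannot be checked on a noninitial fragment, so a permit
        # entry is applied and a deny entry is skipped.
        return ace.action if ace.action == "permit" else None
    if ace.dport is not None and pkt.dport != ace.dport:
        return None
    if not flags_match(ace, pkt):
        return None
    return ace.action


def evaluate(acl: list[Ace], pkt: Packet) -> str:
    """First matching entry wins; running off the end is the implicit deny."""
    for ace in acl:
        verdict = ace_decision(ace, pkt)
        if verdict is not None:
            return verdict
    return "deny"


if __name__ == "__main__":
    # Constructed sample packets
    rst = Packet("tcp", "10.0.0.1", "10.0.0.2", 40000, 23, flags=frozenset({"rst"}))
    rst_fin = Packet("tcp", "10.0.0.1", "10.0.0.2", 40000, 23, flags=frozenset({"rst", "fin"}))
    frag = Packet("tcp", "10.0.0.1", "10.0.0.2", frag_offset=185)
    kmdfilter1 = [Ace("permit", "tcp", flag_mode="match-all", flag_tests=(("+", "rst"), ("+", "fin")))]
    print("match-all +rst +fin, RST only:", evaluate(kmdfilter1, rst))        # deny
    print("match-all +rst +fin, RST+FIN:", evaluate(kmdfilter1, rst_fin))     # permit
    one_deny = [Ace("deny", "tcp", dport=23), Ace("permit", "ip")]
    two_deny = [Ace("deny", "tcp", dport=23), Ace("deny", "tcp", fragments=True), Ace("permit", "ip")]
    print("noninitial fragment, one deny:", evaluate(one_deny, frag))          # permit
    print("noninitial fragment, deny pair:", evaluate(two_deny, frag))         # deny
```

Running it shows the two points the text makes: match-any +rst +fin lets a packet with either flag through while match-all needs both, and a deny that names a port silently lets noninitial fragments reach a later permit until a second deny with the fragments keyword is added.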
Examples
The following example sets conditions for a standard access list named Internetfilter:
ip access-list standard Internetfilter
deny 192.5.34.0 0.0.0.255
permit 172.16.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)

The following example permits Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to 5:00 p.m.:

time-range testing
periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended legal
permit tcp any any eq telnet time-range testing
!
interface ethernet 0
ip access-group legal in

The following example sets a permit condition for an extended access list named filter2. The ACE specifies that a packet may pass the named access list only if it contains the NSAP Addresses IP Option, which is represented by the IP Option name nsapa:

Router(config)# ip access-list extended filter2
Router(config-ext-nacl)# permit ip any any option nsapa

The following example sets a permit condition for an extended access list named kmdfilter1. The ACE specifies that a packet can pass the named access list only if the RST TCP flag has been set for that packet:

Router(config)# ip access-list extended kmdfilter1
Router(config-ext-nacl)# permit tcp any any match-any +rst

The following example sets a permit condition for an extended access list named kmdfilter1. The ACE specifies that a packet can pass the named access list only if both the RST and FIN TCP flags have been set for that packet. Note that match-all is required here; with match-any, a packet with either flag set would pass:

Router(config)# ip access-list extended kmdfilter1
Router(config-ext-nacl)# permit tcp any any match-all +rst +fin

The following example shows how to add an entry to an existing access list:
Router# show access-list
Standard IP access list 1
2 permit 10.4.0.0, wildcard bits 0.0.255.255
5 permit 10.0.0.0, wildcard bits 0.0.255.255
10 permit 10.0.0.0, wildcard bits 0.0.255.255
20 permit 10.0.0.0, wildcard bits 0.0.255.255
Router(config)# ip access-list standard 1
Router(config-std-nacl)# 15 permit 5.5.5.5 0.0.255.255

The following example shows how the entry with the sequence number of 20 is removed from the access list:

Router(config)# ip access-list standard 1
Router(config-std-nacl)# no 20
Router# show access-list
Standard IP access list 1
10 permit 0.0.0.0, wildcard bits 0.0.0.255
30 permit 0.0.0.0, wildcard bits 0.0.0.255
40 permit 0.4.0.0, wildcard bits 0.0.0.255

The following example shows how, if a user tries to enter an entry that is a duplicate of an entry already on the list, no change occurs. The entry that the user is trying to add is a duplicate of the entry already in the access list with a sequence number of 20.

Router# show access-list 101
Extended IP access list 101
10 permit ip host 3.3.3.3 host 45.5.5.34
20 permit icmp any any
30 permit ip host 65.34.2.2 host 43.2.54.2
40 permit ip host 45.3.4.31 host 34.3.32.3 log
Router(config)# ip access-list extended 101
Router(config-ext-nacl)# 100 permit icmp any any
Router(config-ext-nacl)# end
Router# show access-list 101
Extended IP access list 101
10 permit ip host 3.3.3.3 host 45.5.5.34
20 permit icmp any any
30 permit ip host 65.34.2.2 host 43.2.54.2
40 permit ip host 45.3.4.31 host 34.3.32.3 log

The following example shows what occurs if a user tries to enter a new entry with a sequence number of 20 when an entry with a sequence number of 20 is already in the list. An error message appears, and no change is made to the access list.

Router# show access-list 101
Extended IP access list 101
10 permit ip host 3.3.3.3 host 45.5.5.34
20 permit icmp any any
30 permit ip host 65.34.2.2 host 43.2.54.2
40 permit ip host 45.3.4.31 host 34.3.32.3 log
Router(config)# ip access-list extended 101
Router(config-ext-nacl)# 20 permit udp host 1.1.1.1 host 2.2.2.2
Duplicate sequence number.
Router(config-ext-nacl)# end
Router# show access-list 101
Extended IP access list 101
10 permit ip host 3.3.3.3 host 45.5.5.34
20 permit icmp any any
30 permit ip host 65.34.2.2 host 43.2.54.2
40 permit ip host 45.3.4.31 host 34.3.32.3 log

Related Commands
Copyright © 2004 Cisco Systems, Inc. All rights reserved.


