This module describes how to use an IP access list to filter IP packets that contain certain IP options, TCP flags, or noncontiguous ports.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
IP uses four key mechanisms in providing its service: Type of Service (ToS), Time to Live (TTL), options, and header checksum.
The options, commonly referred to as IP options, provide for control functions that are required in some situations but unnecessary for the most common communications. IP options include provisions for time stamps, security, and special routing.
IP options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways). What is optional is their transmission in any particular datagram, not their implementation. In some environments the security option may be required in all datagrams.
The option field is variable in length. There may be zero or more options. IP options can have one of two formats: a single option-type octet (case 1), or an option-type octet followed by an option-length octet and the option-data octets (case 2). The option-length octet counts the option-type octet, the option-length octet, and the option-data octets.
The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit option number. These fields form an 8-bit value for the option type field. IP Options are commonly referred to by their 8-bit value.
For a complete list and description of IP Options, refer to RFC 791, Internet Protocol at the following URL: http://www.faqs.org/rfcs/rfc791.html
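The following parser, added here as an example and not taken from Cisco or from RFC 791, walks an IPv4 options field as the two formats above describe it, splits the option-type octet into its copied flag, class and number, and maps each option to the keyword an `option` match in an extended ACL would use. The keyword table is an assumption: it lists the four options the page's examples use (eool, record-route, zsu, mtup) together with a few other IANA-registered option types, and the sample header is constructed.

```python
"""Parse the IPv4 options field (RFC 791, section 3.1) and name each option the way
an extended ACL 'option' match refers to it. Added example, not Cisco code."""
from dataclasses import dataclass

# IANA-assigned option type values (assumed subset); keywords follow the page's usage.
OPTION_KEYWORD_BY_TYPE = {
    0: "eool", 1: "nop", 7: "record-route", 10: "zsu", 11: "mtup", 12: "mtur",
    68: "timestamp", 131: "lsr", 137: "ssr", 148: "router-alert",
}


@dataclass(frozen=True)
class IPOption:
    copied: bool          # bit 7: option is copied into every fragment
    option_class: int     # bits 5-6: 0 = control, 2 = debugging and measurement
    number: int           # bits 0-4: option number
    data: bytes           # option-data octets (empty for single-octet options)

    @property
    def type_octet(self) -> int:
        return (int(self.copied) << 7) | (self.option_class << 5) | self.number

    @property
    def keyword(self) -> str:
        return OPTION_KEYWORD_BY_TYPE.get(self.type_octet, f"option-{self.type_octet}")


def options_field(header: bytes) -> bytes:
    """Slice the options out of a complete IPv4 header using the IHL field."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = header[0] & 0x0F
    if ihl < 5 or len(header) < ihl * 4:
        raise ValueError("IHL inconsistent with header length")
    return header[20:ihl * 4]


def parse_ip_options(opts: bytes) -> list[IPOption]:
    options, i = [], 0
    while i < len(opts):
        t = opts[i]
        copied, cls, num = bool(t & 0x80), (t >> 5) & 0x3, t & 0x1F
        if t in (0, 1):                       # case 1: EOOL and NOP are a single octet
            options.append(IPOption(copied, cls, num, b""))
            i += 1
            if t == 0:                        # EOOL ends the list; anything after is padding
                break
            continue
        if i + 1 >= len(opts):                # case 2 needs a length octet
            raise ValueError(f"truncated option at offset {i}")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"bad option length {length} at offset {i}")
        options.append(IPOption(copied, cls, num, bytes(opts[i + 2:i + length])))
        i += length
    return options


def acl_option_keywords(header: bytes) -> set[str]:
    """Keywords an 'option' ACE would have to name to match this header."""
    return {o.keyword for o in parse_ip_options(options_field(header))}


# Constructed sample: a 28-byte IPv4 header (IHL = 7) carrying a record-route option
# with one empty address slot, terminated by EOOL.
SAMPLE_OPTIONS = bytes([7, 7, 4, 0, 0, 0, 0, 0])
SAMPLE_HEADER = bytes([0x47, 0x00, 0x00, 0x1C, 0, 0, 0, 0, 64, 6, 0, 0,
                       10, 0, 0, 1, 10, 0, 0, 2]) + SAMPLE_OPTIONS

if __name__ == "__main__":
    for opt in parse_ip_options(options_field(SAMPLE_HEADER)):
        print(opt.type_octet, opt.keyword, opt.copied, opt.option_class, opt.number, opt.data.hex())
```

A malformed length (shorter than two octets, or running past the end of the field) is rejected rather than skipped, which is the behaviour a filter should have: an option field that cannot be parsed should not be treated as option-free.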
The ACL TCP Flags Filtering feature provides a flexible mechanism for filtering on TCP flags. Without this feature, when multiple flags are specified on the access control entry (ACE), the packet is allowed if any one of the flags matches. This behavior creates a security loophole, because packets with all flags set could get past the access control list (ACL). The ACL TCP Flags Filtering feature allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.
Because TCP packets can be sent as false synchronization packets that can be accepted by a listening port, it is recommended that administrators of firewall devices set up some filtering rules to drop false TCP packets.
The ACEs that make up an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have a very specific group of TCP flags set or not set. The ACL TCP Flags Filtering feature gives users a greater degree of packet-filtering control in the following ways:
The table below lists the TCP flags, which are further described in RFC 793, Transmission Control Protocol.
Table 1: TCP Flags

| TCP Flag | Purpose |
|---|---|
| ACK | Acknowledge flag: indicates that the acknowledgment field of a segment specifies the next sequence number the sender of this segment is expecting to receive. |
| FIN | Finish flag: used to clear connections. |
| PSH | Push flag: indicates that the data in the call should be immediately pushed through to the receiving user. |
| RST | Reset flag: indicates that the receiver should delete the connection without further interaction. |
| SYN | Synchronize flag: used to establish connections. |
| URG | Urgent flag: indicates that the urgent field is meaningful and must be added to the segment sequence number. |
This feature greatly reduces the number of ACEs required in an access control list to handle multiple entries for the same source address, destination address, and protocol. If you maintain large numbers of ACEs, we recommend that you use this feature to consolidate existing groups of access list entries wherever it is possible and also when you create new access list entries. When you configure access list entries with noncontiguous ports, you will have fewer access list entries to maintain.
The task in this section configures an access list to filter packets that contain IP options and verifies that the access list has been configured correctly.
Apply the access list to an interface or reference it from a command that accepts an access list.
Note: To effectively eliminate all packets that contain IP Options, we recommend that you configure the global ip options drop command.
The task in this section configures an access list to filter packets that contain TCP flags and verifies that the access list has been configured correctly.
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | Example: `Router> enable` | Enables privileged EXEC mode. |
| 2 | Example: `Router# configure terminal` | Enters global configuration mode. |
| 3 | Example: `Router(config)# ip access-list extended acl-extd-1` | Specifies the IP access list by name and enters named access list configuration mode. |
| 4 | Example: `Router(config-ext-nacl)# permit tcp any any match-any +rst` | Specifies a permit statement in named IP access list mode. |
| 5 | Example: `Router(config-ext-nacl)# deny tcp any any match-all -ack -fin` | (Optional) Specifies a deny statement in named IP access list mode. |
| 6 | Add further permit or deny statements as needed. | Allows you to revise the access list. |
| 7 | Example: `Router(config-ext-nacl)# end` | (Optional) Exits the configuration mode and returns to privileged EXEC mode. |
| 8 | Example: `Router# show ip access-lists kmd1` | (Optional) Displays the contents of the IP access list. |
Apply the access list to an interface or reference it from a command that accepts an access list.
Perform this task to create access list entries that use noncontiguous TCP or UDP port numbers. Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves your filtering goals.
Note: The ACL--Named ACL Support for Noncontiguous Ports on an Access Control Entry feature can be used only with named, extended ACLs.
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | Example: `Router> enable` | Enables privileged EXEC mode. |
| 2 | Example: `Router# configure terminal` | Enters global configuration mode. |
| 3 | Example: `Router(config)# ip access-list extended acl-extd-1` | Specifies the IP access list by name and enters named access list configuration mode. |
| 4 | Example: `Router(config-ext-nacl)# permit tcp any eq telnet ftp any eq 450 679` | Specifies a permit statement in named IP access list configuration mode. |
| 5 | Example: `Router(config-ext-nacl)# deny tcp any neq 45 565 632` | (Optional) Specifies a deny statement in named access list configuration mode. |
| 6 | Add further permit or deny statements as needed. | Allows you to revise the access list. |
| 7 | Example: `Router(config-ext-nacl)# end` | (Optional) Exits named access list configuration mode and returns to privileged EXEC mode. |
| 8 | Example: `Router# show ip access-lists kmd1` | (Optional) Displays the contents of the access list. |
Perform this task to consolidate a group of access list entries with noncontiguous ports into one access list entry.
Although this task uses TCP ports, you could use the UDP syntax of the permit and deny commands to filter noncontiguous UDP ports.
Although this task uses a permit command first, use the permit and deny commands in the order that achieves your filtering goals.
| Step | Command or Action | Purpose |
|---|---|---|
| 1 | Example: `Router> enable` | Enables privileged EXEC mode. |
| 2 | Example: `Router# show ip access-lists mylist1` | (Optional) Displays the contents of the IP access list. |
| 3 | Example: `Router# configure terminal` | Enters global configuration mode. |
| 4 | Example: `Router(config)# ip access-list extended mylist1` | Specifies the IP access list by name and enters named access list configuration mode. |
| 5 | Example: `Router(config-ext-nacl)# no 10` | Removes the redundant access list entry that can be consolidated. |
| 6 | Example: `Router(config-ext-nacl)# permit tcp any neq 45 565 632 any eq 23 45 34 43` | Specifies a permit statement in named access list configuration mode. |
| 7 | Add further permit or deny statements as needed. | Allows you to revise the access list. |
| 8 | Example: `Router(config-ext-nacl)# end` | (Optional) Exits named access list configuration mode and returns to privileged EXEC mode. |
| 9 | Example: `Router# show ip access-lists mylist1` | (Optional) Displays the contents of the access list. |
Apply the access list to an interface or reference it from a command that accepts an access list.
The following example shows an extended access list named mylist2 that contains access list entries (ACEs) that are configured to permit TCP packets only if they contain the IP Options that are specified in the ACEs:
```
ip access-list extended mylist2
 10 permit ip any any option eool
 20 permit ip any any option record-route
 30 permit ip any any option zsu
 40 permit ip any any option mtup
```
The show access-list command has been entered to show how many packets were matched and therefore permitted:
```
Router# show ip access-list mylist2
Extended IP access list test
    10 permit ip any any option eool (1 match)
    20 permit ip any any option record-route (1 match)
    30 permit ip any any option zsu (1 match)
    40 permit ip any any option mtup (1 match)
```
The following access list allows TCP packets only if the TCP flags ACK and SYN are set and the FIN flag is not set:
```
ip access-list extended aaa
 permit tcp any any match-all +ack +syn -fin
 end
```
The show access-list command has been entered to display the ACL:
```
Router# show access-list aaa
Extended IP access list aaa
    10 permit tcp any any match-all +ack +syn -fin
```
The following access list entry can be created because up to ten ports can be entered after the eq and neq operators:
```
ip access-list extended aaa
 permit tcp any eq telnet ftp any eq 23 45 34
 end
```
Enter the show access-lists command to display the newly created access list entry.
```
Router# show access-lists aaa
Extended IP access list aaa
    10 permit tcp any eq telnet ftp any eq 23 45 34
```
The show access-lists command is used to display a group of access list entries for the access list named abc:
```
Router# show access-lists abc
Extended IP access list abc
    10 permit tcp any eq telnet any eq 450
    20 permit tcp any eq telnet any eq 679
    30 permit tcp any eq ftp any eq 450
    40 permit tcp any eq ftp any eq 679
```
Because the entries are all for the same permit statement and simply show different ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:
```
ip access-list extended abc
 no 10
 no 20
 no 30
 no 40
 permit tcp any eq telnet ftp any eq 450 679
 end
```
When the show access-lists command is reentered, the consolidated access list entry is displayed:
```
Router# show access-lists abc
Extended IP access list abc
    10 permit tcp any eq telnet ftp any eq 450 679
```
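The consolidation task and the abc example above do by hand what the following added example (not Cisco code) automates: it parses the ACE subset this page shows, groups entries that differ only in their ports, and emits the `no <seq>` lines plus the replacement entry. It also handles the case the page's example sidesteps: four entries consolidate into one only because they form the full telnet/ftp times 450/679 cross product; if one of them were missing, merging both port lists would permit a source/destination port pair no original entry allowed, so the code then merges destination ports per source port instead, and it splits lists longer than the ten ports the page says an operator accepts. The ACE grammar handled, the ten-port limit as a constant, and the sample entries are this example's assumptions.

```python
"""Consolidate ACEs that differ only in their ports into entries with noncontiguous
ports, emitting the CLI lines the page's procedure uses. Added example, not Cisco code;
handles '<seq> permit|deny tcp|udp <src> [eq|neq ports] <dst> [eq|neq ports]'."""
MAX_PORTS_PER_OPERATOR = 10   # the page states up to ten ports may follow eq/neq


def parse_ace(line: str) -> dict:
    tok = line.split()
    pos = 3

    def take_addr() -> str:
        nonlocal pos
        if tok[pos] == "any":
            pos += 1
            return "any"
        addr = f"{tok[pos]} {tok[pos + 1]}"   # 'host A.B.C.D' or 'A.B.C.D wildcard'
        pos += 2
        return addr

    def take_ports():
        nonlocal pos
        if pos >= len(tok) or tok[pos] not in ("eq", "neq"):
            return None, []
        op, ports = tok[pos], []
        pos += 1
        # port numbers/names run until the next address token or a trailing '(n matches)'
        while (pos < len(tok) and tok[pos] not in ("any", "host")
               and "." not in tok[pos] and not tok[pos].startswith("(")):
            ports.append(tok[pos])
            pos += 1
        return op, ports

    src = take_addr()
    sop, sports = take_ports()
    dst = take_addr()
    dop, dports = take_ports()
    return dict(seq=int(tok[0]), action=tok[1], proto=tok[2], src=src, sop=sop,
                sports=sports, dst=dst, dop=dop, dports=dports)


def _pairs(sports, dports):
    """Every (src port, dst port) combination an ACE covers; None = no port test."""
    return {(s, d) for s in (sports or [None]) for d in (dports or [None])}


def _chunks(items, n):
    return [items[i:i + n] for i in range(0, len(items), n)] or [[]]


def _render(action, proto, src, sop, sports, dst, dop, dports) -> str:
    parts = [action, proto, src]
    if sports:
        parts += [sop, *sports]
    parts.append(dst)
    if dports:
        parts += [dop, *dports]
    return " ".join(parts)


def consolidate(lines):
    """Return (sequence numbers to delete, replacement ACEs without sequence numbers)."""
    groups = {}
    for ace in map(parse_ace, lines):
        key = (ace["action"], ace["proto"], ace["src"], ace["sop"], ace["dst"], ace["dop"])
        groups.setdefault(key, []).append(ace)

    remove, add = [], []
    for (action, proto, src, sop, dst, dop), members in groups.items():
        if len(members) < 2:
            continue
        covered = set().union(*(_pairs(m["sports"], m["dports"]) for m in members))
        sports = list(dict.fromkeys(p for m in members for p in m["sports"]))
        dports = list(dict.fromkeys(p for m in members for p in m["dports"]))
        remove += [m["seq"] for m in members]
        if covered == _pairs(sports, dports):
            plans = [(sports, dports)]            # full cross product: one ACE is exact
        else:
            # Merging both port lists would also match pairs no original ACE allowed and
            # widen the policy, so merge destination ports per source port only.
            plans = [([s] if s is not None else [], [d for d in dports if (s, d) in covered])
                     for s in (sports or [None])]
        for sp, dp in plans:
            for sc in _chunks(sp, MAX_PORTS_PER_OPERATOR):
                for dc in _chunks(dp, MAX_PORTS_PER_OPERATOR):
                    add.append(_render(action, proto, src, sop, sc, dst, dop, dc))
    return sorted(remove), add


def cli_commands(acl_name: str, lines) -> list[str]:
    """The configuration the page's consolidation task enters, as a list of lines."""
    remove, add = consolidate(lines)
    return [f"ip access-list extended {acl_name}", *(f"no {seq}" for seq in remove), *add, "end"]


# Constructed sample: the 'abc' entries shown on the page.
ABC_ENTRIES = [
    "10 permit tcp any eq telnet any eq 450",
    "20 permit tcp any eq telnet any eq 679",
    "30 permit tcp any eq ftp any eq 450",
    "40 permit tcp any eq ftp any eq 679",
]

if __name__ == "__main__":
    print("\n".join(cli_commands("abc", ABC_ENTRIES)))
```

Run against the four abc entries it produces exactly the `no 10` through `no 40` lines and the `permit tcp any eq telnet ftp any eq 450 679` entry shown above; drop entry 40 and it produces two entries instead, because a single merged entry would newly permit ftp to port 679.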
| Related Topic | Document Title |
|---|---|
| Cisco IOS commands | |
| Security commands | |
| Configuring the router to drop or ignore packets containing IP Options by using the no ip options command. | "ACL IP Options Selective Drop" module |
| QoS commands | |

| Standard & RFC | Title |
|---|---|
| RFC 791 | Internet Protocol |
| RFC 793 | Transmission Control Protocol |
| RFC 1393 | Traceroute Using an IP Option |

| MIB | MIBs Link |
|---|---|
| None | To locate and download MIBs for selected platforms, Cisco IOS XE releases, and feature sets, use Cisco MIB Locator found at the following URL: |

| Description | Link |
|---|---|
| The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 2: Feature Information for Creating an IP Access List for Filtering

| Feature Name | Releases | Feature Configuration Information |
|---|---|---|
| ACL--DHCP Matching | Cisco IOS XE Release 3.5S | In Cisco IOS XE Release 3.5S, support was added for the Cisco ASR 903 Router. |
| ACL--Named ACL Support for Noncontiguous Ports on an Access Control Entry | Cisco IOS XE Release 2.1 | This feature allows you to specify noncontiguous ports in a single access control entry, which greatly reduces the number of entries required in an access control list when several entries have the same source address, destination address, and protocol, but differ only in the ports. No commands were introduced or modified for this feature. |
| ACL Support for Filtering IP Options | Cisco IOS XE Release 2.1 | This feature allows you to filter packets having IP options, in order to prevent routers from becoming saturated with spurious packets. No commands were introduced or modified for this feature. |
| ACL TCP Flags Filtering | Cisco IOS XE Release 2.1 | This feature provides a flexible mechanism for filtering on TCP flags. It allows you to select any combination of flags on which to filter. The ability to match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags, thus enhancing security. No commands were introduced or modified for this feature. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.