The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
IP access lists provide many benefits for securing a network and achieving nonsecurity goals, such as determining quality of service (QoS) factors or limiting debug command output. This module describes how to create standard, extended, named, and numbered IP access lists. An access list can be referenced by a name or a number. Standard access lists filter on only the source address in IP packets. Extended access lists can filter on source address, destination address, and other fields in an IP packet.
After you create an access list, you must apply it to something in order for it to have any effect. This module describes how to apply an access list to an interface. However, there are many other uses for an access list, which are referenced in this module and described in other modules and in other configuration guides for various technologies.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
The following tips will help you avoid unintended consequences and help you create more efficient access lists.
You can include comments (remarks) about entries in a named IP access list. An access list remark is an optional comment before or after an access list entry that describes the entry for you at a glance, so you do not have to interpret the purpose of the entry by its command syntax. Each remark is limited to 100 characters.
The remark can go before or after a permit or deny statement. You should be consistent about where you put your remarks so that it is clear which remark describes which statement. It could be confusing to have some remarks before the associated permit or deny statements and some remarks after the associated statements.
The following example of a remark is a user-friendly description of what the subsequent deny statement does.
ip access-list extended telnetting remark Do not allow host1 subnet to telnet out deny tcp host 172.69.2.88 any eq telnet
Beyond the basic steps to create a standard or extended access list, you can enhance your access lists as mentioned below. Each of these methods is described completely in the module entitled " Refining an Access List. "
This section describes the general ways to create a standard or extended access list using either a name or a number. Access lists are very flexible; the tasks simply illustrate one permit command and one deny command to provide you the command syntax of each. Only you can determine how many permit and deny commands you need and their order.
Note |
The first two tasks in this module create an access list; you must apply the access list in order for it to function. If you want to apply the access list to an interface, perform the task "Applying the Access List to an Interface". |
If you want to filter on source address only, a standard access list is simple and sufficient. There are two alternative types of standard access list: named and numbered. Named access lists allow you to identify your access lists with a more intuitive name rather than a number, and they also support more features than numbered access lists.
Use a standard, named access list if you need to filter on source address only. This task illustrates one permit statement and one deny statement, but the actual statements you use and their order depend on what you want to filter or allow. Define your permit and deny statements in the order that achieves your filtering goals.
Configure a standard, numbered access list if you need to filter on source address only and you prefer not to use a named access list.
IP standard access lists are numbered 1 to 99 or 1300 to 1999. This task illustrates one permit statement and one deny statement, but the actual statements you use and their order depend on what you want to filter or allow. Define your permitand deny statements in the order that achieves your filtering goals.
If you want to filter on anything other than source address, you need to create an extended access list. There are two alternative types of extended access list: named and numbered. Named access lists allow you to identify your access lists with a more intuitive name rather than a number, and they also support more features.
For details on how to filter something other than source or destination address, see the syntax descriptions in the command reference documentation.
Create a named extended access list if you want to filter the source and destination address, or a combination of addresses and other IP fields.
Create a numbered extended access list if you want to filter on source and destination address, or a combination of addresses and other IP fields, and you prefer not to use a name. Extended IP access lists are numbered 100 to 199 or 2000 to 2699.
Perform this task to apply an access list to an interface.
In the following example, the workstation belonging to user1 is allowed access to gigabitethernet 0/0/0 and the workstation belonging to user2 is not allowed access:
interface gigabitethernet 0/0/0 ip access-group workstations in ! ip access-list standard workstations remark Permit only user1 workstation through permit 172.16.2.88 remark Do not allow user2 workstation through deny 172.16.3.13
In the following example, the user1 subnet is not allowed access to gigabitethernet interface 0/0/0, but the Main subnet is allowed access:
interface gigabitethernet 0/0/0 ip access-group prevention in ! ip access-list standard prevention remark Do not allow user1 subnet through deny 172.22.0.0 0.0.255.255 remark Allow Main subnet permit 172.25.0.0 0.0.255.255
The following configuration example shows an interface with two access lists, one applied to outgoing packets and one applied to incoming packets. The standard access list named Internet-filter filters outgoing packets on source address. The only packets allowed out the interface must be from source 172.16.3.4.
The extended access list named marketing-group filters incoming packets. The access list permits Telnet packets from any source to network 172.26.0.0 and denies all other TCP packets. It permits any ICMP packets. It denies UDP packets from any source to network 172.26.0 0 on port numbers less than 1024. Finally, the access list denies all other IP packets and performs logging of packets passed or denied by that entry.
interface gigabitethernet 0/0/0 ip address 172.20.5.1 255.255.255.0 ip access-group Internet-filter out ip access-group marketing-group in ! ip access-list standard Internet-filter permit 172.16.3.4 ip access-list extended marketing-group permit tcp any 172.26.0.0 0.0.255.255 eq telnet deny tcp any any permit icmp any any deny udp any 172.26.0.0 0.0.255.255 lt 1024 deny ip any any
In the following example, network 10.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is 255.255.0.0. The third and fourth octets of a network 10.0.0.0 address specify a particular host. Using access list 2, the Cisco IOS XE software would accept one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the software would accept addresses on all other network 10.0.0.0 subnets.
interface gigabitethernet 0/0/0 ip access-group 2 in ! access-list 2 permit 10.48.0.3 access-list 2 deny 10.48.0.0 0.0.255.255 access-list 2 permit 10.0.0.0 0.255.255.255
In the following example, the user1 subnet is not allowed to Telnet out of gigabitethernet interface 0/0/0:
interface gigabitethernet 0/0/0 ip access-group telnetting out ! ip access-list extended telnetting remark Do not allow user1 subnet to telnet out deny tcp 172.20.0.0 0.0.255.255 any eq telnet remark Allow Top subnet to telnet out permit tcp 172.33.0.0 0.0.255.255 any eq telnet
In the following example, the first line of the extended access list named acl1 permits any incoming TCP connections with destination ports greater than 1023. The second line permits incoming TCP connections to the Simple Mail Transfer Protocol (SMTP) port of host 172.28.1.2. The last line permits incoming ICMP messages for error feedback.
interface gigabitethernet 0/0/0 ip access-group acl1 in ! ip access-list extended acl1 permit tcp any 172.28.0.0 0.0.255.255 gt 1023 permit tcp any host 172.28.1.2 eq 25 permit icmp any 172.28.0.0 255.255.255.255
Suppose you have a network connected to the Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the gigabitethernet except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The same two port numbers are used throughout the life of the connection. Mail packets coming in from the Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. The fact that the secure system behind the router always will accept mail connections on port 25 is what makes possible separate control of incoming and outgoing services. The access list can be configured on either the outbound or inbound interface.
In the following example, the gigabitethernet network is a Class B network with the address 172.18.0.0, and the address of the mail host is 172.18.1.2. The establishedkeyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.
interface gigabitethernet 0/0/0 ip access-group 102 in ! access-list 102 permit tcp any 172.18.0.0 0.0.255.255 established access-list 102 permit tcp any host 172.18.1.2 eq 25
In the following example, the w11 and w2 workstations are not allowed web access; other hosts on network 172.20.0.0 are allowed web access:
interface gigabitethernet0/0/0 ip access-group no-web out ! ip access-list extended no-web remark Do not allow w1 to browse the web deny host 172.20.3.85 any eq http remark Do not allow w2 to browse the web deny host 172.20.3.13 any eq http remark Allow others on our network to browse the web permit 172.20.0.0 0.0.255.255 any eq http
The following example defines access lists 1 and 2, both of which have logging enabled:
interface gigabitethernet 0/0/0 ip address 172.16.1.1 255.0.0.0 ip access-group 1 in ip access-group 2 out ! access-list 1 permit 172.25.0.0 0.0.255.255 log access-list 1 deny 172.30.0.0 0.0.255.255 log ! access-list 2 permit 172.27.3.4 log access-list 2 deny 172.17.0.0 0.0.255.255 log
If the interface receives 10 packets from 172.25.7.7 and 14 packets from 172.17.23.21, the first log will look like the following:
list 1 permit 172.25.7.7 1 packet list 2 deny 172.17.23.21 1 packet
Five minutes later, the console will receive the following log:
list 1 permit 172.25.7.7 9 packets list 2 deny 172.17.23.21 13 packets
The following example configuration example uses an access list to limit the debug command output displayed. Limiting debug output narrows the volume of data to what you are interested in, saving you time and resources.
ip access-list acllist1
remark Displays only advertisements for LDP peer in acllist1
permit host 10.0.0.44
Router# debug mpls ldp advertisements peer-acl acllist1
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.17.0.33
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.16.0.31
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 172.22.0.33
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.0.1
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.0.3
tagcon: peer 10.0.0.44:0 (pp 0x60E105BC): advertise 192.168.1.33
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
Filtering on IP Options, TCP flags, or noncontiguous ports |
|
Controlling logging-related parameters |
http://www.cisco.com/web/about/security/intelligence/acl-logging.html |
Standard & RFC |
Title |
---|---|
No new or modified standards or RFCs are supported by this feature, and support for existing standards or RFCs has not been modified by this feature. |
-- |
MIB |
MIBs Link |
---|---|
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. |
To locate and download MIBs for selected platforms, Cisco IOS XE software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for Creating IP Access Lists and Applying It to an Interface |
Feature Name |
Releases |
Feature Configuration Information |
---|---|---|
ACL--Access Control List Source and Destination Address Matching |
Cisco IOS XE Release 3.5S |
In the Cisco IOS XE 3.5S Release, support was added for the ASR 903 Router. |
ACL--ICMP Code |
Cisco IOS XE Release 3.5S |
In the Cisco IOS XE 3.5S Release, support was added for the ASR 903 Router. |
ACL Performance Enhancement |
Cisco IOS XE Release 2.1 |
This feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. No commands were introduced or modified for this feature. |
Commented IP Access List Entries |
Cisco IOS XE Release 2.1 |
This feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. No commands were introduced or modified for this feature. |
Standard IP Access List Logging |
Cisco IOS XE Release 2.1 |
This feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. No commands were introduced or modified for this feature. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.