Software Configuration Guide, Cisco IOS Release 15.2(6)E (Catalyst Digital Building Series Switches)
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Access control lists (ACLs) perform packet filtering to control which packets move through the network and where. Such control
provides security by helping to limit network traffic, restrict the access of users and devices to the network, and prevent
traffic from leaving a network. IP access lists can reduce the chance of spoofing and denial-of-service attacks and allow
dynamic, temporary user access through a firewall.
IP access lists can also be used for purposes other than security, such as bandwidth control, limiting debug output, and
identifying or classifying traffic for quality of service (QoS) features. This module provides an overview of IP access lists.
Finding Feature
Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information,
see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented
in this module, and to see a list of the releases in which each feature is supported, see the feature information table at
the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature
Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for
Configuring IPv4 Access Control Lists
General Network
Security
The following are
restrictions for configuring network security with ACLs:
Router ACL and VLAN ACLs are not supported.
Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route filters on interfaces can
use a name.
A standard ACL and an extended ACL cannot have the same name.
Though visible in the command-line help strings, AppleTalk is not supported as a matching condition for the deny and permit MAC access-list configuration mode commands.
ACL wild card is not supported in downstream client policy.
Per ASIC, 8 TCP port comparators and 8 UDP port comparators are supported, and each gt (greater than)/lt (less than)/neq (not
equal) operator uses 1 port comparator, and each range operator uses 2 port comparators.
IPv4 ACL Network
Interfaces
The following
restrictions apply to IPv4 ACLs to network interfaces:
When controlling access to an interface, you can use a named or numbered ACL.
If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters packets that are
intended for the CPU, such as SNMP, Telnet, or web traffic.
You do not have to enable routing to apply ACLs to Layer 2 interfaces.
On Layer 3 ports and SVIs, ACLs are not supported.
MAC ACLs on a
Layer 2 Interface
After you create a MAC ACL, you can
apply it to a Layer 2 interface to filter non-IP traffic coming in that
interface. When you apply the MAC ACL, consider these guidelines:
You can apply no more than
one IP access list and one MAC access list to the same Layer 2 interface. The
IP access list filters only IP packets, and the MAC access list filters non-IP
packets.
A Layer 2 interface can have
only one MAC access list. If you apply a MAC access list to a Layer 2 interface
that has a MAC ACL configured, the new ACL replaces the previously configured
one.
Note
The
mac
access-group interface configuration command is only valid when
applied to a physical Layer 2 interface. You cannot use the command on
EtherChannel port channels.
IP Access List
Entry Sequence Numbering
This feature does not support dynamic, reflexive, or firewall access lists.
Information About Configuring IPv4 Access Control Lists
ACL Overview
Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter traffic
as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface,
the switch compares the fields in the packet against any applied ACLs to verify that the packet has the required permissions
to be forwarded, based on the criteria specified in the access lists. One by one, it tests packets against the conditions
in an access list. The first match decides whether the switch accepts or rejects the packets. Because the switch stops testing
after the first match, the order of conditions in the list is critical. If no conditions match, the switch rejects the packet.
If there are no restrictions, the switch forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs
on all packets it forwards, including packets bridged within a VLAN.
You configure access lists on a router to provide basic security for your network. If you do not configure ACLs, all packets
passing through the switch could be allowed onto all parts of the network. You can use ACLs to control which hosts can access
different parts of a network or to decide which types of traffic are forwarded or blocked at router interfaces. For example,
you can allow e-mail traffic to be forwarded but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.
Standard and Extended IPv4 ACLs
This section describes IP ACLs.
An ACL is a sequential collection of permit and deny conditions. One by one, the switch tests packets against the conditions
in an access list. The first match determines whether the switch accepts or rejects the packet. Because the switch stops testing
after the first match, the order of the conditions is critical. If no conditions match, the switch denies the packet.
The software supports these types of ACLs or access lists for IPv4:
Standard IP access lists use source addresses for matching operations.
Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information
for finer granularity of control.
IPv4 ACL Switch Unsupported Features
Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers.
The following ACL-related features are not supported:
Non-IP protocol ACLs or bridge-group ACLs
IP accounting
Inbound and outbound rate limiting (except with QoS ACLs)
Reflexive ACLs, URL Redirect ACLs, and Dynamic ACLs are not supported (except for some specialized dynamic ACLs used by the switch clustering feature)
ACL logging for VLAN maps
Access List Numbers
The number you use to denote your ACL shows the type of access list that you are creating.
This
lists the access-list number and corresponding access list type and shows whether or not they are supported in the switch.
The switch supports IPv4 standard and extended access lists, numbers 1 to 199 and 1300 to 2699.
Table 1. Access List Numbers
Access List Number
Type
Supported
1–99
IP standard access list
Yes
100–199
IP extended access list
Yes
200–299
Protocol type-code access list
No
300–399
DECnet access list
No
400–499
XNS standard access list
No
500–599
XNS extended access list
No
600–699
AppleTalk access list
No
700–799
48-bit MAC address access list
No
800–899
IPX standard access list
No
900–999
IPX extended access list
No
1000–1099
IPX SAP access list
No
1100–1199
Extended 48-bit MAC address access list
No
1200–1299
IPX summary address access list
No
1300–1999
IP standard access list (expanded range)
Yes
2000–2699
IP extended access list (expanded range)
Yes
In addition to numbered standard and extended ACLs, you can also create standard and extended named IP ACLs by using the supported
numbers. That is, the name of a standard IP ACL can be 1 to 99; the name of an extended IP ACL can be 100 to 199. The advantage
of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
Numbered Standard
IPv4 ACLs
When creating an ACL, remember that,
by default, the end of the ACL contains an implicit deny statement for all
packets that it did not find a match for before reaching the end. With standard
access lists, if you omit the mask from an associated IP host address ACL
specification, 0.0.0.0 is assumed to be the mask.
The switch always rewrites
the order of standard access lists so that entries with
host matches and entries with matches having a
don’t care mask of
0.0.0.0 are moved to the top of the list, above any entries with non-zero
don’t care masks.
Therefore, in
show command output and in the configuration file,
the ACEs do not necessarily appear in the order in which they were entered.
Numbered Extended
IPv4 ACLs
Although standard ACLs use
only source addresses for matching, you can use extended ACL source and
destination addresses for matching operations and optional protocol type
information for finer granularity of control. When you are creating ACEs in
numbered extended access lists, remember that after you create the ACL, any
additions are placed at the end of the list. You cannot reorder the list or
selectively add or remove ACEs from a numbered list.
The switch does not support
dynamic or reflexive access lists. It also does not support filtering based on
the type of service (ToS) minimize-monetary-cost bit.
Some protocols also have
specific parameters and keywords that apply to that protocol.
You can define an extended
TCP, UDP, ICMP, IGMP, or other IP ACL. The switch also supports these IP
protocols:
Note
ICMP echo-reply cannot be filtered. All other ICMP codes or types can be filtered.
You can identify IPv4 ACLs with an
alphanumeric string (a name) rather than a number. You can use named ACLs to
configure more IPv4 access lists in a router than if you were to use numbered
access lists. If you identify your access list with a name rather than a
number, the mode and command syntax are slightly different. However, not all
commands that use IP access lists accept a named access list.
Note
The name you give to a
standard or extended ACL can also be a number in the supported range of access
list numbers. That is, the name of a standard IP ACL can be 1 to 99 and
. The advantage of using named ACLs instead of
numbered lists is that you can delete individual entries from a named list.
Consider these guidelines
before configuring named ACLs:
Numbered ACLs are also
available.
A standard ACL and
an extended ACL cannot have the same name.
You can use standard or extended ACLs (named or numbered) in VLAN maps.
Benefits of Using the Named
ACL Support for Noncontiguous Ports on an Access Control Entry Feature
The Named ACL Support for Noncontiguous Ports on an Access Control Entry
feature allows you to specify noncontiguous ports in a single access control
entry, which greatly reduces the number of entries required in an access
control list when several entries have the same source address, destination
address, and protocol, but differ only in the ports.
This feature greatly
reduces the number of access control entries (ACEs) required in an access
control list to handle multiple entries for the same source address,
destination address, and protocol. If you maintain large numbers of ACEs, use
this feature to consolidate existing groups of access list entries wherever it
is possible and when you create new access list entries. When you configure
access list entries with noncontiguous ports, you will have fewer access list
entries to maintain.
Benefits of IP Access List
Entry Sequence Numbering
The ability to apply
sequence numbers to IP access list entries simplifies access list changes.
Prior to the IP Access List Entry Sequence Numbering feature, there was no way
to specify the position of an entry within an access list. If a user wanted to
insert an entry (statement) in the middle of an existing list, all of the
entries after the desired position had to be removed, then the new entry was
added, and then all the removed entries had to be reentered. This method was
cumbersome and error prone.
This feature allows
users to add sequence numbers to access list entries and resequence them. When
a user adds a new entry, the user chooses the sequence number so that it is in
a desired position in the access list. If necessary, entries currently in the
access list can be resequenced to create room to insert the new entry.
Sequence Numbering Behavior
For backward compatibility with previous releases, if entries with no sequence numbers are applied, the first entry is assigned
a sequence number of 10, and successive entries are incremented by 10. The maximum sequence number is 2147483647. If the generated
sequence number exceeds this maximum number, the following message is displayed:
Exceeded maximum sequence number.
If the user enters an entry without a sequence number, it is assigned a sequence number that is 10 greater than the last sequence
number in that access list and is placed at the end of the list.
If the user enters an entry that matches an already existing entry (except for the sequence number), then no changes are made.
If the user enters a sequence number that is already present, the following error message is generated:
Duplicate sequence number.
If a new access list is entered from global configuration mode, then sequence numbers for that access list are generated automatically.
Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and line card are in synchronization
at all times.
Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event that the system is
reloaded, the configured sequence numbers revert to the default sequence starting number and increment. The function is provided
for backward compatibility with software releases that do not support sequence numbering.
This feature works with named and numbered, standard and extended IP access lists.
Including comments
in ACLs
You can use the
remark keyword to include comments (remarks) about
entries in any IP standard or extended ACL. The remarks make the ACL easier for
you to understand and scan. Each remark line is limited to 100 characters.
The remark can go before or
after a permit or deny statement. You should be consistent about where you put
the remark so that it is clear which remark describes which permit or deny
statement. For example, it would be confusing to have some remarks before the
associated permit or deny statements and some remarks after the associated
statements.
To include a comment for IP
numbered standard or extended ACLs, use the
access-listaccess-list numberremarkremark global
configuration command. To remove the remark, use the
no form of this command.
The following is an example of a remark that describes function of the
subsequent deny statement:
ip access-list extended telnetting
remark Do not allow host1 subnet to telnet out
deny tcp host 172.16.2.88 any eq telnet
Hardware and Software Treatment of IP ACLs
ACL processing is performed at the hardware side. If the hardware reaches its capacity to store ACL configurations, the packets
are sent to the CPU, where ACL is processed at the software side. When sent for software ACL, the data packets are not sent
at the line rate; instead, they are sent at a very low rate via rate limiting.
Note
If an ACL configuration cannot be implemented in hardware due to an out-of-resource condition on a switch, then only the traffic
in that VLAN arriving on that switch is affected. Software forwarding of packets might adversely impact the performance of the switch, depending on the number of CPU cycles
that this consumes.
When traffic flows are both logged and forwarded, forwarding is done by hardware, but logging must be done by software. Because
of the difference in packet handling capacity between hardware and software, if the sum of all flows being logged (both permitted
flows and denied flows) is of great enough bandwidth, not all of the packets that are forwarded can be logged.
When you enter the show ip access-lists privileged EXEC command, the match count displayed does not account for packets that are access controlled in hardware. ACLs
function as follows:
The hardware controls permit and deny actions of standard and extended ACLs (input and output) for security access control.
If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware.
Adding the log keyword to an ACE in an ACL causes a copy of the packet to be sent to the CPU for logging only. If the ACE is a permit statement, the packet is still switched in hardware.
Time Ranges for
ACLs
You can selectively apply extended ACLs based on the time of
day and the week by using the
time-range
global configuration command. First, define a time-range name and set the times
and the dates or the days of the week in the time range. Then enter the
time-range name when applying an ACL to set restrictions to the access list.
You can use the time range to define when the permit or deny statements in the
ACL are in effect, for example, during a specified time period or on specified
days of the week. The
time-range
keyword and argument are referenced in the named and numbered extended ACL task
tables.
These are some benefits of using time ranges:
You have more control over permitting or denying a user access to resources, such as an application (identified by an IP address/mask
pair and a port number).
You can control logging messages. ACL entries can be set to log traffic only at certain times of the day. Therefore, you can
simply deny access without needing to analyze many logs generated during peak hours.
Time-based access lists
trigger CPU activity because the new configuration of the access list must be
merged with other features and the combined configuration loaded into the
hardware memory. For this reason, you should be careful not to have several
access lists configured to take affect in close succession (within a small
number of minutes of each other.)
Note
The time range relies on the
switch system clock; therefore, you need a reliable clock source. We recommend
that you use Network Time Protocol (NTP) to synchronize the switch clock.
IPv4 ACL Interface Considerations
When you apply the ip access-group interface configuration command to a Layer 3 interface (an SVI, a Layer 3 EtherChannel, or a routed port), the interface
must have been configured with an IP address. Layer 3 access groups filter packets that are routed or are received by Layer
3 processes on the CPU. They do not affect packets bridged within a VLAN.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the
switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet.
For outbound ACLs, after receiving and routing a packet to a controlled interface, the switch checks the packet against the
ACL. If the ACL permits the packet, the switch sends the packet. If the ACL rejects the packet, the switch discards the packet.
When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied to the interface and permits
all packets. Remember this behavior if you use undefined ACLs for network security.
Apply an Access Control List to an Interface
With some protocols, you can apply up to two access lists to an interface: one inbound access list and one outbound access
list. With other protocols, you apply only one access list that checks both inbound and outbound packets.
If the access list is inbound, when a device receives a packet, Cisco software checks the access list’s criteria statements
for a match. If the packet is permitted, the software continues to process the packet. If the packet is denied, the software
discards the packet.
If the access list is outbound, after receiving and routing a packet to the outbound interface, Cisco software checks the
access list’s criteria statements for a match. If the packet is permitted, the software transmits the packet. If the packet
is denied, the software discards the packet.
Note
Access lists that are applied to interfaces on a device do not filter traffic that originates from that device.
The figure above shows that Device 2 is a bypass device that is connected to Device 1 and Device 3. An outbound access list
is applied to Gigabit Ethernet interface 0/0/0 on Device 1. When you ping Device 3 from Device 1, the access list does not
check for packets going outbound because the traffic is locally generated.
The access list check is bypassed for locally generated packets, which are always outbound.
By default, an access list that is applied to an outbound interface for matching locally generated traffic will bypass the
outbound access list check; but transit traffic is subjected to the outbound access list check.
Note
The behavior described above applies to all single-CPU platforms that run Cisco software.
ACL Logging
The switch software can provide logging messages about packets permitted or denied by a standard IP access list. That is,
any packet that matches the ACL causes an informational logging message about the packet to be sent to the console. The level
of messages logged to the console is controlled by the logging console commands controlling the syslog messages.
Note
ACL logging is only supported for RACL.
Note
Because routing is done in
hardware and logging is done in software, if a large number of packets match a
permit or
deny ACE containing a
log keyword,
the software might not be able to match the hardware processing rate, and not
all packets will be logged.
The first packet that
triggers the ACL causes a logging message right away, and subsequent packets
are collected over 5-minute intervals before they appear or logged. The logging
message includes the access list number, whether the packet was permitted or
denied, the source IP address of the packet, and the number of packets from
that source permitted or denied in the prior 5-minute interval.
Note
The logging
facility might drop some logging message packets if there are too many to be
handled or if there is more than one logging message to be handled in 1 second.
This behavior prevents the router from crashing due to too many logging
packets. Therefore, the logging facility should not be used as a billing tool
or an accurate source of the number of matches to an access list.
How to Configure ACLs
Configuring IPv4 ACLs
Follow the procedure given below to use IP ACLs on the switch:
SUMMARY STEPS
Create an ACL by specifying
an access list number or name and the access conditions.
Apply the ACL to interfaces.
DETAILED STEPS
Step 1
Create an ACL by specifying
an access list number or name and the access conditions.
Step 2
Apply the ACL to interfaces.
Creating a Numbered Standard ACL
Follow these steps to create
a numbered standard ACL:
Device(config)# access-list 101 permit ip host 10.1.1.2 any precedence 0 tos 0 log
Defines an
extended IPv4 access list and the access conditions.
The access-list-number is a decimal number from 100 to 199 or
2000 to 2699.
Enter
deny or
permit to specify whether to deny or permit the
packet if conditions are matched.
For
protocol, enter the name or number of an P
protocol:
ahp,
eigrp,
esp,
gre,
icmp,
igmp,
igrp,
ip,
ipinip,
nos,
ospf,
pcp,
pim,
tcp, or
udp, or an integer in the range 0 to 255
representing an IP protocol number. To match any Internet protocol (including
ICMP, TCP, and UDP), use the keyword
ip.
Note
This step
includes options for most IP protocols. For additional specific parameters for
TCP, UDP, ICMP, and IGMP, see the following steps.
The
source is the number of the network or host from
which the packet is sent.
The
source-wildcard applies wildcard bits to the
source.
The
destination is the network or host number to which
the packet is sent.
The
destination-wildcard applies wildcard bits to the
destination.
Source,
source-wildcard, destination, and destination-wildcard can be specified as:
The 32-bit
quantity in dotted-decimal format.
The keyword
any for 0.0.0.0 255.255.255.255 (any host).
The keyword
host for a single host 0.0.0.0.
The other
keywords are optional and have these meanings:
precedence—Enter to match packets with a
precedence level specified as a number from 0 to 7 or by name:
routine (0),
priority (1),
immediate (2),
flash (3),
flash-override (4),
critical (5),
internet (6),
network (7).
fragments—Enter to check non-initial fragments.
tos—Enter to match by type of service level,
specified by a number from 0 to 15 or a name:
normal (0),
max-reliability (2),
max-throughput (4),
min-delay (8).
log—Enter to create an informational logging
message to be sent to the console about the packet that matches the entry or
log-input to include the input interface in the
log entry.
time-range—Specify the time-range name.
dscp—Enter to match packets with the DSCP value
specified by a number from 0 to 63, or use the question mark (?) to see a list
of available values.
Note
If you enter
a
dscp value, you cannot enter
tos or
precedence. You can enter both a
tos and a
precedence value with no
dscp.
Device(config)# access-list 101 permit tcp any any eq 500
Defines an extended TCP access list and the access conditions.
The parameters are the same as those described for an extended IPv4 ACL, with these exceptions:
(Optional) Enter an operator and port to compare source (if positioned after source source-wildcard) or destination (if positioned after destination destination-wildcard) port. Possible operators include eq (equal), gt (greater than), lt (less than), neq (not equal), and range (inclusive range). Operators require a port number (range requires two port numbers separated by a space).
Enter the port number as a decimal number (from 0 to 65535) or the name of a TCP port. Use only TCP port numbers or names when filtering
TCP.
The other optional keywords have these meanings:
established—Enter to match an established connection. This has the same function as matching on the ack or rst flag.
flag—Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).
Device(config)# access-list 101 permit udp any any eq 100
(Optional)
Defines an extended UDP access list and the access conditions.
The UDP parameters are the same as those described for TCP except that the [operator [port]] port number or name must be a
UDP port number or name, and the flag keyword isand established keywords are not valid for UDP.
Device(config)# access-list 101 permit icmp any any 200
Defines an
extended ICMP access list and the access conditions.
The ICMP
parameters are the same as those described for most IP protocols in an extended
IPv4 ACL, with the addition of the ICMP message type and code parameters. These
optional keywords have these meanings:
icmp-type—Enter to filter by ICMP message type, a number
from 0 to 255.
icmp-code—Enter to filter ICMP packets that are filtered by
the ICMP message code type, a number from 0 to 255.
icmp-message—Enter to filter ICMP packets by the ICMP
message type name or the ICMP message type and code name.
In access-list configuration mode, specify the conditions allowed or denied. Use the log keyword to get access list logging messages, including violations.
hostsource—A source and source wildcard of source 0.0.0.0.
hostdestintation—A destination and destination wildcard of destination 0.0.0.0.
any—A source and source wildcard or destination and destination wildcard of 0.0.0.0 255.255.255.255.
Step 5
end
Example:
Device(config-ext-nacl)# end
Returns to
privileged EXEC mode.
Step 6
show running-config
Example:
Device# show running-config
Verifies your
entries.
Step 7
copy running-config
startup-config
Example:
Device# copy running-config startup-config
(Optional) Saves
your entries in the configuration file.
When you are creating extended ACLs,
remember that, by default, the end of the ACL contains an implicit deny
statement for everything if it did not find a match before reaching the end.
For standard ACLs, if you omit the mask from an associated IP host address
access list specification, 0.0.0.0 is assumed to be the mask.
After you create an ACL, any
additions are placed at the end of the list. You cannot selectively add ACL
entries to a specific ACL. However, you can use
no permit and
no deny access-list configuration mode commands to
remove entries from a named ACL.
Being able to selectively
remove lines from a named ACL is one reason you might use named ACLs instead of
numbered ACLs.
What to do next
After creating a named ACL, you can apply it to interfaces.
Sequencing Access-List
Entries and Revising the Access List
This task shows how
to assign sequence numbers to entries in a named IP access list and how to add
or delete an entry to or from an access list. When completing this task, keep
the following points in mind:
Resequencing
the access list entries is optional. The resequencing step in this task is
shown as required because that is one purpose of this feature and this task
demonstrates that functionality.
In the following
procedure, the
permit command
is shown in Step 5 and the
deny command is
shown in Step 6. However, that order can be reversed. Use the order that suits
the need of your configuration.
Specifies a
permit statement in named IP access list mode.
This
access list happens to use a
permit
statement first, but a
deny
statement could appear first, depending on the order of statements you need.
As the
prompt indicates, this access list was a standard access list. If you had
specified
extended in
Step 4, the prompt for this step would be Device(config-ext-nacl) and you would
use the extended
permit
command syntax.
(Optional)
Specifies a deny statement in named IP access list mode.
This
access list uses a
permit
statement first, but a
deny
statement could appear first, depending on the order of statements you need.
As the
prompt indicates, this access list was a standard access list. If you had
specified
extended in
Step 4, the prompt for this step would be Device(config-ext-nacl) and you would
use the extended
deny command
syntax.
(Optional) Specifies a deny statement in named IP access list
mode.
This access list happens to use a
permitstatement first, but a
deny statement could appear first,
depending on the order of statements you need.
See the deny (IP) command for additional command syntax to
permit upper layer protocols (ICMP, IGMP, TCP, and UDP).
Use the
nosequence-number command to delete an
entry.
Step 9
Repeat Step 5
and/or Step 6 to add sequence number statements, as applicable.
Allows you to
revise the access list.
Step 10
end
Example:
Device(config-std-nacl)# end
(Optional)
Exits the configuration mode and returns to privileged EXEC mode.
Step 11
showipaccess-listsaccess-list-name
Example:
Device# show ip access-lists kmd1
(Optional)
Displays the contents of the IP access list.
Examples
Review the output
of the
showipaccess-lists command to see that the access list
includes the new entries:
Device# show ip access-lists kmd1
Standard IP access list kmd1
100 permit 10.4.4.0, wildcard bits 0.0.0.255
105 permit 10.5.5.0, wildcard bits 0.0.0.255
115 permit 10.0.0.0, wildcard bits 0.0.0.255
130 permit 10.5.5.0, wildcard bits 0.0.0.255
145 permit 10.0.0.0, wildcard bits 0.0.0.255
Configuring Commented IP ACL
Entries
Either use a named
or numbered access list configuration. You must apply the access list to an
interface or terminal line after the access list is created for the
configuration to work.
SUMMARY STEPS
enable
configure
terminal
ip
access-list
{standard
|
extended} {name |
number}
remark
remark
deny
protocol
host
host-address
any
eq
port
end
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device> enable
Enables
privileged EXEC mode.
Enter your
password if prompted.
Step 2
configure
terminal
Example:
Device# configure terminal
Enters global
configuration mode.
Step 3
ip
access-list
{standard
|
extended} {name |
number}
Example:
Device(config)# ip access-list extended telnetting
Identifies the
access list by a name or number and enters extended named access list
configuration mode.
Step 4
remark
remark
Example:
Device(config-ext-nacl)# remark Do not allow host1 subnet to telnet out
Adds a remark
for an entry in a named IP access list.
The remark
indicates the purpose of the
permit
or
deny
statement.
Step 5
deny
protocol
host
host-address
any
eq
port
Example:
Device(config-ext-nacl)# deny tcp host 172.16.2.88 any eq telnet
Sets conditions
in a named IP access list that denies packets.
Step 6
end
Example:
Device(config-ext-nacl)# end
Exits extended
named access list configuration mode and enters privileged EXEC mode.
Configuring Time Ranges for ACLs
Follow these steps to
configure a time-range parameter for an ACL:
periodic {weekdays |
weekend |
daily}
hh:mm to hh:mm
end
show running-config
copy running-config
startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device(config)# enable
Enables privileged
EXEC mode. Enter your password if prompted.
Step 2
configureterminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
time-rangetime-range-name
Example:
Device(config)# time-range workhours
Assigns a
meaningful name (for example,
workhours) to the time
range to be created, and enter time-range configuration mode. The name cannot
contain a space or quotation mark and must begin with a letter.
periodic {weekdays |
weekend |
daily}
hh:mm to hh:mm
Example:
Device(config-time-range)# absolute start 00:00 1 Jan 2006 end 23:59 1 Jan 2006
or
Device(config-time-range)# periodic weekdays 8:00 to 12:00
Specifies when
the function it will be applied to is operational.
You can use only
one
absolute statement in the time range. If you
configure more than one absolute statement, only the one configured last is
executed.
You can enter
multiple
periodic statements. For example, you could
configure different hours for weekdays and weekends.
See the example
configurations.
Step 5
end
Example:
Device(config)# end
Returns to
privileged EXEC mode.
Step 6
show running-config
Example:
Device# show running-config
Verifies your
entries.
Step 7
copy running-config
startup-config
Example:
Device# copy running-config startup-config
(Optional) Saves
your entries in the configuration file.
What to do next
Repeat the steps if you have
multiple items that you want in effect at different times.
Applying an IPv4 ACL to a Terminal Line
You can use numbered ACLs to
control access to one or more terminal lines. You cannot apply named ACLs to
lines. You must set identical restrictions on all the virtual terminal lines
because a user can attempt to connect to any of them.
Follow these steps to
restrict incoming and outgoing connections between a virtual terminal line and
the addresses in an ACL:
SUMMARY STEPS
enable
configureterminal
line [console |
vty]
line-number
access-classaccess-list-number {in | out}
end
show running-config
copy running-config
startup-config
DETAILED STEPS
Command or Action
Purpose
Step 1
enable
Example:
Device(config)# enable
Enables privileged
EXEC mode. Enter your password if prompted.
Step 2
configureterminal
Example:
Device# configure terminal
Enters global configuration mode.
Step 3
line [console |
vty]
line-number
Example:
Device(config)# line console 0
Identifies a
specific line to configure, and enter in-line configuration mode.
console—Specifies the console terminal line. The console
port is DCE.
vty—Specifies a virtual terminal for remote console access.
The
line-number is
the first line number in a contiguous group that you want to configure when the
line type is specified. The range is from 0 to 16.
Step 4
access-classaccess-list-number {in | out}
Example:
Device(config-line)# access-class 10 in
Restricts incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list.
Step 5
end
Example:
Device(config-line)# end
Returns to
privileged EXEC mode.
Step 6
show running-config
Example:
Device# show running-config
Verifies your
entries.
Step 7
copy running-config
startup-config
Example:
Device# copy running-config startup-config
(Optional) Saves
your entries in the configuration file.
Applying an IPv4 ACL to an Interface (CLI)
This section describes how to
apply IPv4 ACLs to network interfaces.
Beginning in privileged EXEC mode, follow the procedure given below to control access to an interface:
Identifies a specific interface for configuration, and enter interface configuration mode.
The interface can be a Layer 2 interface (port ACL).
Step 3
ip access-group {access-list-number | name} {in}
Example:
Device(config-if)# ip access-group 2 in
Controls access to the specified interface.
Step 4
end
Example:
Device(config-if)# end
Returns to privileged EXEC mode.
Step 5
show running-config
Example:
Device# show running-config
Displays the access list configuration.
Step 6
copy running-config startup-config
Example:
Device# copy running-config startup-config
(Optional) Saves your entries in the configuration file.
Monitoring IPv4 ACLs
You can monitor IPv4 ACLs by displaying the ACLs that are configured on the switch, and displaying the ACLs that have been
applied to interfaces.
When you use the
ip access-group
interface configuration command to apply ACLs to a Layer 2 or 3 interface, you
can display the access groups on the interface. You can also display the MAC
ACLs applied to a Layer 2 interface. You can use the privileged EXEC commands
as described in this table to display this information.
Table 2. Commands for Displaying
Access Lists and Access Groups
Command
Purpose
show access-lists [number |
name]
Displays the contents of one
or all current IP and MAC address access lists or a specific access list
(numbered or named).
show ip access-lists
[number |
name]
Displays the contents of all
current IP access lists or a specific IP access list (numbered or named).
show ip
interfaceinterface-id
Displays detailed
configuration and status of an interface. If IP is enabled on the interface and
ACLs have been applied by using the
ip access-group
interface configuration command, the access groups are included in the display.
show running-config
[interfaceinterface-id]
Displays the contents of the
configuration file for the switch or the specified interface, including all
configured MAC and IP access lists and which access groups are applied to an
interface.
show mac access-group
[interfaceinterface-id]
Displays MAC access lists
applied to all Layer 2 interfaces or the specified
Layer 2 interface.
Configuration Examples for ACLs
Example: Numbered ACLs
In this example, network 10.0.0.0 is a Class A network whose second octet specifies a subnet; that is, its subnet mask is
255.255.0.0. The third and fourth octets of a network 10.0.0.0 address specify a particular host. Using access list 2, the
switch accepts one address on subnet 48 and reject all others on that subnet. The last line of the list shows that the switch
accepts addresses on all other network 10.0.0.0 subnets. The ACL is applied to packets entering a port.
In this example, the first
line permits any incoming TCP connections with destination ports greater than
1023. The second line permits incoming TCP connections to the Simple Mail
Transfer Protocol (SMTP) port of host 128.88.1.2. The third line permits
incoming ICMP messages for error feedback.
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023Device(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25Device(config)# access-list 102 permit icmp any anyDevice(config)# interface gigabitethernet 0/1interface gigabitethernet2/0/1Device(config-if)# ip access-group 102 in
In this example, suppose that
you have a network connected to the Internet, and you want any host on the
network to be able to form TCP connections to any host on the Internet.
However, you do not want IP hosts to be able to form TCP connections to hosts
on your network, except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one
end of the connection and a random port number on the other end. The same port
numbers are used throughout the life of the connection. Mail packets coming in
from the Internet have a destination port of 25.
Outbound packets have the
port numbers reversed.
Because the secure system of the network always accepts mail
connections on port 25, the incoming
and outgoing services
are separately controlled.
The ACL must be configured as
an input ACL on the outbound interface and an output ACL on the inbound
interface.
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 23Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 eq 25Device(config)# interface gigabitethernet 0/1interface gigabitethernet1/0/1Device(config-if)# ip access-group 102 in
In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address is 128.88.1.2. The
ACK or RST keywords are used to match ACK or RST bits set, which show that the packet belongs to an existing connection.
Device(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 RSTDevice(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25Device(config)# interface gigabitethernet 0/1Device(config-if)# ip access-group 102 in
In this example, the network is a Class B network with the address 128.88.0.0, and the mail host address is 128.88.1.2. The
established keyword is used only for the TCP to show an established connection. A match occurs if the TCP datagram has the ACK or RST
bits set, which show that the packet belongs to an existing connection. Gigabit Ethernet interface 1 on stack member 1 is
the interface that connects the router to the Internet.
Examples: Named ACLs
Creating named standard and extended ACLs
This example creates a
standard ACL named
internet_filter and an
extended ACL named
marketing_group. The
internet_filter ACL
allows all traffic from the source address 1.2.3.4.
Device(config)# ip access-list standard Internet_filterDevice(config-ext-nacl)# permit 1.2.3.4Device(config-ext-nacl)# exit
The
marketing_group ACL
allows any TCP Telnet traffic to the destination address and wildcard
171.69.0.0 0.0.255.255 and denies any other TCP traffic. It permits ICMP
traffic, denies UDP traffic from any source to the destination address range
171.69.0.0 through 179.69.255.255 with a destination port less than 1024,
denies any other IP traffic, and provides a log of the result.
Device(config)# ip access-list extended marketing_groupDevice(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnetDevice(config-ext-nacl)# deny tcp any anyDevice(config-ext-nacl)# permit icmp any anyDevice(config-ext-nacl)# deny udp any 171.69.0.0 0.0.255.255 lt 1024Device(config-ext-nacl)# deny ip any any logDevice(config-ext-nacl)# exit
Deleting individual ACEs from named ACLs
This example shows how you can delete individual ACEs from the named
access list
border-list:
Device(config)# ip access-list extended border-listDevice(config-ext-nacl)# no permit ip host 10.1.1.3 any
Example Resequencing Entries in an Access List
The following example shows an access list before and after resequencing. The starting value is 1, and increment value is
2. The subsequent entries are ordered based on the increment values that users provide, and the range is from 1 to 2147483647.
When an entry with no sequence number is entered, by default it has a sequence number of 10 more than the last entry in the
access list.
Router# show access-list carls
Extended IP access list carls
10 permit ip host 10.3.3.3 host 172.16.5.34
20 permit icmp any any
30 permit tcp any host 10.3.3.3
40 permit ip host 10.4.4.4 any
50 Dynamic test permit ip any any
60 permit ip host 172.16.2.2 host 10.3.3.12
70 permit ip host 10.3.3.3 any log
80 permit tcp host 10.3.3.3 host 10.1.2.2
90 permit ip host 10.3.3.3 any
100 permit ip any any
Router(config)# ip access-list extended carls
Router(config)# ip access-list resequence carls 1 2
Router(config)# end
Router# show access-list carls
Extended IP access list carls
1 permit ip host 10.3.3.3 host 172.16.5.34
3 permit icmp any any
5 permit tcp any host 10.3.3.3
7 permit ip host 10.4.4.4 any
9 Dynamic test permit ip any any
11 permit ip host 172.16.2.2 host 10.3.3.12
13 permit ip host 10.3.3.3 any log
15 permit tcp host 10.3.3.3 host 10.1.2.2
17 permit ip host 10.3.3.3 any
19 permit ip any any
Example Adding an Entry with a Sequence Number
In the following example, an new entry (sequence number 15) is added to an access list:
Router# show ip access-list
Standard IP access list tryon
2 permit 10.4.4.2, wildcard bits 0.0.255.255
5 permit 10.0.0.44, wildcard bits 0.0.0.255
10 permit 10.0.0.1, wildcard bits 0.0.0.255
20 permit 10.0.0.2, wildcard bits 0.0.0.255
Router(config)# ip access-list standard tryon
Router(config-std-nacl)# 15 permit 10.5.5.5 0.0.0.255
Router# show ip access-list
Standard IP access list tryon
2 permit 10.4.0.0, wildcard bits 0.0.255.255
5 permit 10.0.0.0, wildcard bits 0.0.0.255
10 permit 10.0.0.0, wildcard bits 0.0.0.255
15 permit 10.5.5.0, wildcard bits 0.0.0.255
20 permit 10.0.0.0, wildcard bits 0.0.0.255
Example Adding an Entry with No Sequence Number
The following example shows how an entry with no specified sequence number is added to the end of an access list. When an
entry is added without a sequence number, it is automatically given a sequence number that puts it at the end of the access
list. Because the default increment is 10, the entry will have a sequence number 10 higher than the last entry in the existing
access list.
Router(config)# ip access-list standard resources
Router(config-std-nacl)# permit 10.1.1.1 0.0.0.255
Router(config-std-nacl)# permit 10.2.2.2 0.0.0.255
Router(config-std-nacl)# permit 10.3.3.3 0.0.0.255
Router# show access-list
Standard IP access list resources
10 permit 10.1.1.1, wildcard bits 0.0.0.255
20 permit 10.2.2.2, wildcard bits 0.0.0.255
30 permit 10.3.3.3, wildcard bits 0.0.0.255
Router(config)# ip access-list standard resources
Router(config-std-nacl)# permit 10.4.4.4 0.0.0.255
Router(config-std-nacl)# end
Router# show access-list
Standard IP access list resources
10 permit 10.1.1.1, wildcard bits 0.0.0.255
20 permit 10.2.2.2, wildcard bits 0.0.0.255
30 permit 10.3.3.3, wildcard bits 0.0.0.255
40 permit 10.4.4.4, wildcard bits 0.0.0.255
Examples: Configuring Commented IP ACL Entries
In this example of a numbered
ACL, the workstation that belongs to Jones is allowed access, and the
workstation that belongs to Smith is not allowed access:
Device(config)# access-list 1 remark Permit only Jones workstation throughDevice(config)# access-list 1 permit 171.69.2.88Device(config)# access-list 1 remark Do not allow Smith workstation throughDevice(config)# access-list 1 deny 171.69.3.13
In this example of a numbered
ACL, the Winter and Smith workstations are not allowed to browse the web:
Device(config)# access-list 100 remark Do not allow Winter to browse the webDevice(config)# access-list 100 deny host 171.69.3.85 any eq wwwDevice(config)# access-list 100 remark Do not allow Smith to browse the webDevice(config)# access-list 100 deny host 171.69.3.13 any eq www
In this example of a named
ACL, the Jones subnet is not allowed access:
Device(config)# ip access-list standard preventionDevice(config-std-nacl)# remark Do not allow Jones subnet throughDevice(config-std-nacl)# deny 171.69.0.0 0.0.255.255
In this example of a named
ACL, the Jones subnet is not allowed to use outbound Telnet:
Device(config)# ip access-list extended telnettingDevice(config-ext-nacl)# remark Do not allow Jones subnet to telnet outDevice(config-ext-nacl)# deny tcp 171.69.0.0 0.0.255.255 any eq telnet
Examples: Using Time Ranges with ACLs
This example shows how to verify after you configure time ranges for workhours and to configure January 1, 2006, as a company holiday.
Device# show time-range
time-range entry: new_year_day_2003 (inactive)
absolute start 00:00 01 January 2006 end 23:59 01 January 2006
time-range entry: workhours (inactive)
periodic weekdays 8:00 to 12:00
periodic weekdays 13:00 to 17:00
To apply a time range, enter the time-range name in an extended ACL that can implement time ranges. This example shows how
to create and verify extended access list 188 that denies TCP traffic from any source to any destination during the defined
holiday times and permits all TCP traffic during work hours.
Device(config)# access-list 188 deny tcp any any time-range new_year_day_2006Device(config)# access-list 188 permit tcp any any time-range workhoursDevice(config)# endDevice# show access-lists
Extended IP access list 188
10 deny tcp any any time-range new_year_day_2006 (inactive)
20 permit tcp any any time-range workhours (inactive)
This example uses named ACLs to permit and deny the same traffic.
Device(config)# ip access-list extended deny_accessDevice(config-ext-nacl)# deny tcp any any time-range new_year_day_2006Device(config-ext-nacl)# exitDevice(config)# ip access-list extended may_accessDevice(config-ext-nacl)# permit tcp any any time-range workhoursDevice(config-ext-nacl)# endDevice# show ip access-lists
Extended IP access list lpip_default
10 permit ip any any
Extended IP access list deny_access
10 deny tcp any any time-range new_year_day_2006 (inactive)
Extended IP access list may_access
10 permit tcp any any time-range workhours (inactive)
Examples: Time Range Applied to an IP ACL
This example denies HTTP traffic on IP on Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m (18:00). The example
allows UDP traffic only on Saturday and Sunday from noon to 8:00 p.m. (20:00).
Device(config)# time-range no-httpDevice(config)# periodic weekdays 8:00 to 18:00
!
Device(config)# time-range udp-yesDevice(config)# periodic weekend 12:00 to 20:00
!
Device(config)# ip access-list extended strictDevice(config-ext-nacl)# deny tcp any any eq www time-range no-httpDevice(config-ext-nacl)# permit udp any any time-range udp-yes
!
Device(config-ext-nacl)# exitDevice(config)# interface gigabitethernet 0/1interface gigabitethernet2/0/1Device(config-if)# ip access-group strict in
Examples: ACL Logging
Two variations of logging are supported on ACLs. The log keyword sends an informational logging message to the console about the packet that matches the entry; the log-input keyword includes the input interface in the log entry.
In this example, standard named access list stan1 denies traffic from 10.1.1.0 0.0.0.255, allows traffic from all other sources, and includes the log keyword.
This example is a named extended access list ext1 that permits ICMP packets from any source to 10.1.1.0 0.0.0.255 and denies all UDP packets.
Device(config)# ip access-list extended ext1Device(config-ext-nacl)# permit icmp any 10.1.1.0 0.0.0.255 logDevice(config-ext-nacl)# deny udp any any logDevice(config-std-nacl)# exitDevice(config)# interface gigabitethernet 0/2interface gigabitethernet1/0/2Device(config-if)# ip access-group ext1 in
This is a an example of a log for an extended ACL:
Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG with minor variations in format depending on the kind
of ACL and the access entry that has been matched.
This is an example of an output message when the log-input keyword is entered:
If this ACL manager message appears and [chars] is the access-list name,
ACLMGR-2-NOVMR: Cannot generate hardware representation of access list [chars]
The switch has insufficient resources to create a hardware representation of the ACL. The resources include hardware memory
and label space but not CPU memory. A lack of available logical operation units or specialized hardware resources causes this
problem. Logical operation units are needed for a TCP flag match or a test other than eq (ne, gt, lt, or range) on TCP, UDP, or SCTP port numbers.
Use one of these workarounds:
Modify the ACL configuration to use fewer resources.
Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers.
To determine the specialized hardware resources, enter the show platform layer4 acl map privileged EXEC command. If the switch does not have available resources, the output shows that index 0 to index 15 are
not available.
For more information about configuring ACLs with insufficient resources, see CSCsq63926 in the Bug Toolkit.
For example, if you apply this ACL to an interface:
Rename the ACL with a name or number that alphanumerically precedes the other ACLs (for example, rename ACL 79 to ACL 1).
You can now apply the first ACE in the ACL to the interface. The switch allocates the ACE to available mapping bits in the
Opselect index and then allocates flag-related operators to use the same bits in the hardware memory.
Additional
References
Related
Documents
MIBs
MIB
MIBs
Link
All the supported MIBs for this release.
To locate
and download MIBs for selected platforms, Cisco IOS releases, and feature sets,
use Cisco MIB Locator found at the following URL:
The Cisco
Support website provides extensive online resources, including documentation
and tools for troubleshooting and resolving technical issues with Cisco
products and technologies.
To receive
security and technical information about your products, you can subscribe to
various services, such as the Product Alert Tool (accessed from Field Notices),
the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS)
Feeds.
Access to
most tools on the Cisco Support website requires a Cisco.com user ID and
password.
IPv4
Access Control Lists perform packet filtering to control which packets move
through the network and where. Such control provides security by helping to
limit network traffic, restrict the access of users and devices to the network,
and prevent traffic from leaving a network. This feature was introduced.
Cisco IOS
15.2(2)E
The Named
ACL Support for Noncontiguous Ports on an Access Control Entry feature allows
you to specify noncontiguous ports in a single access control entry, which
greatly reduces the number of entries required in an access control list when
several entries have the same source address, destination address, and
protocol, but differ only in the ports.
Cisco IOS 15.2(2)E
The IP Access List Entry Sequence Numbering feature helps
users to apply sequence numbers to permit or deny statements and also reorder,
add, or remove such statements from a named IP access list. This feature makes
revising IP access lists much easier. Prior to this feature, users could add
access list entries to the end of an access list only; therefore needing to add
statements anywhere except the end required reconfiguring the access list
entirely.
The following commands were introduced or modified:
deny (IP),
ip access-list resequence deny
(IP),
permit (IP).