Security – Access Control Lists (ACL)

ip access-list (IP extended)

Use the ip access-list extended  Global Configuration mode command to name an IPv4 access list (ACL) and to place the device in IPv4 Access List Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit ( IP ) and deny ( IP ) commands. The service-acl input command is used to attach this ACL to an interface.

Use the no form of this command to remove the access list.

Syntax

ip access-list extended acl-name no ip access-list extended acl-name

Parameters

  • acl-name—Name of the IPv4 access list. (Range 1-32 characters)

Default Configuration

No IPv4 access list is defined.

Command Mode

Global Configuration mode

User Guidelines

An IPv4 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name.

Example

switchxxxxxx(config)# ip access-list extended server 
switchxxxxxx(config-ip-al)#

permit ( IP )

Use the permit IP Access-list Configuration mode command to set permit conditions for an IPv4 access list (ACL). Permit conditions are also known as access control entries (ACEs). Use the no form of the command to remove the access control entry.

Syntax

permit protocol {any | source source-wildcard} {any | destination

destination-wildcard} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name]

[log-input]

permit icmp {any | source source-wildcard} {any | destination destination-wildcard} [any | icmp-type] [any | icmp-code]] [ace-priority priority] [dscp number | precedence number] [time-range time-range-name]

[log-input]

permit igmp {any | source source-wildcard} {any | destination

destination-wildcard}[igmp-type] [ace-priority priority] [dscp number |

precedence number] [time-range time-range-name]

[log-input]

permit tcp {any | source source-wildcard} {any|source-port/port-range}{any |

destination destination-wildcard} {any|destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [log-input]

permit udp {any | source source-wildcard} {any|source-port/port-range} {any |

destination destination-wildcard} {any|destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name]

[log-input]

no permit protocol {any | source source-wildcard} {any | destination

destination-wildcard} [dscp number | precedence number][time-range time-range-name] [log-input]

no permit icmp {any | source source-wildcard} {any | destination

destination-wildcard} [any | icmp-type] [any | icmp-code]] [dscp number |

precedence number][time-range time-range-name]

[log-input]

no permit igmp {any | source source-wildcard} {any | destination

destination-wildcard}[igmp-type] [dscp number | precedence number] [time-range time-range-name] [log-input]

no permit tcp {any | source source-wildcard} {any|source-port/port-range}{any |

destination destination-wildcard} {any|destination-port/port-range} [dscp number |

precedence number] [match-all list-of-flags] [time-range time-range-name]

[log-input]

no permit udp {any | source source-wildcard} {any|source-port/port-range} {any |

destination destination-wildcard} {any|destination-port/port-range} [dscp number |

precedence number] [time-range time-range-name]

[log-input]

Parameters

  • protocol—The name or the number of an IP protocol. Available protocol names are: icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, isis. To match any protocol, use the ip keyword.(Range: 0–255)
  • source—Source IP address of the packet.
  • source-wildcard—Wildcard bits to be applied to the source IP address. Use ones in the bit position that you want to be ignored.
  • destination—Destination IP address of the packet.
  • destination-wildcard—Wildcard bits to be applied to the destination IP address. Use ones in the bit position that you want to be ignored.
  • priority – Specify the priority of the access control entry (ACE) in the access control list (ACL). “1” value represents the highest priority and “2147483647” number represents the lowest priority.(Range: 1-2147483647)
  • dscp number—Specifies the DSCP value.
  • precedence number—Specifies the IP precedence value.
  • icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, photuris. (Range: 0–255)
  • icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
  • igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255)
  • destination-port—Specifies the UDP/TCP destination port. You can enter range of ports by using hyphen. E.g. 20 – 21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), on500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177).(Range: 0–65535).
  • source-port—Specifies the UDP/TCP source port. Predefined port names are defined in the destination-port parameter. (Range: 0–65535)
  • match-all list-of-flags—List of TCP flags that should occur. If a flag should be set, it is prefixed by “+”. If a flag should be unset, it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated to a one string. For example: +fin-ack.
  • time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
  • log-input—Specifies sending an informational SYSLOG message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.

Default Configuration

No IPv4 access list is defined.

Command Mode

IP Access-list Configuration mode

User Guidelines

 If a range of ports is used for source port in an ACE, it is not counted again, if it is also used for a source port in another ACE. If a range of ports is used for the destination port in an ACE, it is not counted again if it is also used for destination port in another ACE.

If a range of ports is used for source port it is counted again if it is also used for destination port.

If ace-priority is omitted, the system sets the rule’s priority to the current highest priority ACE (in the current ACL) + 20. The ACE-priority must be unique per ACL.If the user types already existed priority, then the command is rejected.

Example

switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)# permit ip 176.212.0.0 00.255.255 any

deny ( IP )

Use the deny IP Access-list Configuration mode command to set deny conditions for IPv4 access list. Deny conditions are also known as access control entries (ACEs). Use the no form of the command to remove the access control entry.

Syntax

deny protocol {any | source source-wildcard} {any | destination

destination-wildcard} [ace-priority priority] [dscp number | precedence number]

[time-range time-range-name] [disable-port |log-input ]

deny icmp {any | source source-wildcard} {any | destination destination-wildcard} [any | icmp-type] [any | icmp-code]][ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port |log-input ] deny igmp {any | source source-wildcard} {any | destination

destination-wildcard}[igmp-type][ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port |log-input ]

deny tcp {any | source source-wildcard} {any|source-port/port-range}{any |

destination destination-wildcard} {any|destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [match-all list-of-flags][time-range time-range-name] [disable-port |log-input ]

deny udp {any | source source-wildcard} {any|source-port/port-range} {any |

destination destination-wildcard} {any|destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name]

[disable-port |log-input ]

no deny protocol {any | source source-wildcard} {any | destination

destination-wildcard} [dscp number | precedence number] [time-range time-range-name] [disable-port |log-input ]

no deny icmp {any | source source-wildcard} {any | destination

destination-wildcard} [any | icmp-type] [any | icmp-code]] [dscp number |

precedence number][time-range time-range-name] [disable-port |log-input ]

no deny igmp {any | source source-wildcard} {any | destination

destination-wildcard}[igmp-type] [dscp number | precedence number] [time-range time-range-name] [disable-port |log-input ]

no deny tcp {any | source source-wildcard} {any|source-port/port-range}{any |

destination destination-wildcard} {any|destination-port/port-range} [dscp number |

precedence number] [match-all list-of-flags] [time-range time-range-name]

[disable-port |log-input ]

no deny udp {any | source source-wildcard} {any|source-port/port-range} {any |

destination destination-wildcard} {any|destination-port/port-range} [dscp number | precedence number] [time-range time-range-name] [disable-port |log-input ]

Parameters

  • protocol—The name or the number of an IP protocol. Available protocol names: icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout, ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, isis. To match any protocol, use the Ip keyword. (Range: 0–255)
  • source—Source IP address of the packet.
  • source-wildcard—Wildcard bits to be applied to the source IP address. Use 1s in the bit position that you want to be ignored.
  • destination—Destination IP address of the packet.
  • destination-wildcard—Wildcard bits to be applied to the destination IP address. Use 1s in the bit position that you want to be ignored.
  • priority – Specify the priority of the access control entry (ACE) in the access control list (ACL). “1” value represents the highest priority and “2147483647” number represents the lowest priority.(Range: 1-2147483647)
  • dscp number—Specifies the DSCP value.
  • precedence number—Specifies the IP precedence value.
  • icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, photuris. (Range: 0–255)
  • icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
  • igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255)
  • destination-port—Specifies the UDP/TCP destination port. You can enter range of ports by using hyphen. E.g. 20 – 21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp 161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
  • source-port—Specifies the UDP/TCP source port. Predefined port names are defined in the destination-port parameter. (Range: 0–65535)
  • match-all list-of-flags—List of TCP flags that should occur. If a flag should be set it is prefixed by “+”.If a flag should be unset it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated to a one string. For example: +fin-ack.
  • time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
  • disable-port—The Ethernet interface is disabled if the condition is matched.
  • log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.

Default Configuration

No IPv4 access list is defined.

Command Mode

IP Access-list Configuration mode

User Guidelines

The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of ports is used for a source port in ACE it is not counted again if it is also used for source port in another ACE. If a range of ports is used for destination port in ACE it is not counted again if it is also used for destination port in another ACE.

If a range of ports is used for source port, it is counted again if it is also used for destination port.

If ace-priority is omitted, the system sets the rule’s priority to the current highest priority ACE (in the current ACL) + 20. The ACE-priority must be unique per ACL.If the user types already existed priority, then the command is rejected.

Example

switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)# deny ip 176.212.0.0 00.255.255 any

ipv6 access-list (IPv6 extended)

Use the ipv6 access-list Global Configuration mode command to define an IPv6 access list (ACL) and to place the device in Ipv6 Access-list Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit ( IPv6 ) and deny ( IPv6 ) commands. The service-acl input command is used to attach this ACL to an interface.

Use the no form of this command to remove the access list.

Syntax

ipv6 access-list [acl-name] no ipv6 access-list [acl-name]

Parameters

acl-name—Name of the IPv6 access list. Range 1-32 characters.

Default Configuration

No IPv6 access list is defined.

Command Mode

Global Configuration mode

User Guidelines

IPv6 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name.

Every IPv6 ACL has an implicit permit icmp any any nd-ns any, permit icmp any any nd-na any, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.)

The IPv6 neighbor discovery process uses the IPv6 network layer service, therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Example

switchxxxxxx(config)#  ipv6 access-list acl1 
switchxxxxxx(config-ip-al)#  permit tcp 2001:0DB8:0300:0201::/64 any any 80

permit ( IPv6 )

Use the permit command in Ipv6 Access-list Configuration mode to set permit conditions (ACEs) for IPv6 ACLs. Use the no form of the command to remove the access control entry.

Syntax

permit protocol {any |{source-prefix/length}{any | destination-prefix/length} [ace-priority priority][dscp number | precedence number] [time-range time-range-name] [log-input]

permit icmp {any | {source-prefix/length}{any | destination-prefix/length} {any|icmp-type} {any|icmp-code} [ace-priority priority][dscp number | precedence number] [time-range time-range-name] [log-input]

permit tcp {any | {source-prefix/length} {any | source-port | source-port-range}}{any |

destination-prefix/length} {any | destination-port | destination-port-range}

[ace-priority priority][dscp number | precedence number] [match-all list-of-flags]

[time-range time-range-name] [log-input]

permit udp {any | {source-prefix/length}} {any | source-port |

source-port-range}}{any | destination-prefix/length} {any | destination-port | destination-port-range} [ace-priority priority][dscp number | precedence number][time-range time-range-name] [log-input]

no permit protocol {any |{source-prefix/length}{any | destination-prefix/length} [dscp number | precedence number] [time-range time-range-name] [log-input]

no permit icmp {any | {source-prefix/length}{any | destination-prefix/length} {any|icmp-type} {any|icmp-code} [dscp number | precedence number] [time-range time-range-name] [log-input]

no permit tcp {any | {source-prefix/length} {any | source-port |

source-port-range}}{any | destination- prefix/length} {any| destination-port | destination-port-range} [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [log-input]

no permit udp {any | {source-prefix/length}} {any | source-port |

source-port-range}}{any | destination-prefix/length} {any| destination-port | destination-port-range} [dscp number | precedence number] [time-range time-range-name] [log-input]

Parameters

  • protocol—The name or the number of an IP protocol. Available protocol names are: icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0–255)
  • source-prefix/length—The source IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
  • destination-prefix/length—The destination IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
  • priority – Specify the priority of the access control entry (ACE) in the access control list (ACL). “1” value represents the highest priority and “2147483647” number represents the lowest priority.(Range: 1-2147483647)
  • dscp number—Specifies the DSCP value. (Range: 0–63)
  • precedence number—Specifies the IP precedence value.
  • icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136). (Range: 0–255)
  • icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
  • destination-port—Specifies the UDP/TCP destination port. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd

(515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who

(513), xdmcp (177). (Range: 0–65535)

  • destination-port-range—Specifies the UDP/TCP destination port range. You can enter a range of ports by using a hyphen. E.g. 20 – 21.
  • source-port—Specifies the UDP/TCP source port. Predefined port names are defined in the destination-port parameter. (Range: 0–65535)
  • source-port-range—Specifies the UDP/TCP source port range. You can enter a range of ports by using a hyphen. E.g. 20 – 21.
  • match-all list-of-flag—List of TCP flags that should occur. If a flag should be set it is prefixed by “+”.If a flag should be unset it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated to a one string. For example: +fin-ack.
  • time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
  • log-input—Specifies sending an informational SYSLOG message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.

Default Configuration

No IPv6 access list is defined.

Command Mode

Ipv6 Access-list Configuration mode

User Guidelines

If a range of ports is used for the destination port in an ACE, it is not counted again if it is also used for destination port in another ACE.

The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of ports is used for a source port in ACE, it is not counted again if it is also used for a source port in another ACE. If a range of ports is used for destination port in ACE it is not counted again if it is also used for destination port in another ACE.

If a range of ports is used for source port it is counted again if it is also used for destination port.

If ace-priority is omitted, the system sets the rule’s priority to the current highest priority ACE (in the current ACL) + 20. The ACE-priority must be unique per ACL.If the user types already existed priority, then the command is rejected.

Example

This example defines an ACL by the name of server and enters a rule (ACE) for tcp packets.

switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-al)# permit tcp 3001::2/64 any any 80

deny ( IPv6 )

Use the deny command in Ipv6 Access-list Configuration mode to set permit conditions (ACEs) for IPv6 ACLs. Use the no form of the command to remove the access control entry.

Syntax

deny protocol {any | {source-prefix/length}{any | destination-prefix/length} [ace-priority priority][dscp number | precedence number] [time-range time-range-name] [disable-port |log-input]

deny icmp {any | {source-prefix/length}{any | destination-prefix/length}

{any|icmp-type} {any|icmp-code} [ace-priority priority][dscp number | precedence number] [time-range time-range-name] [disable-port |log-input]

deny tcp {any | {source-prefix/length} {any | source-port | source-port-range}}{any |

destination-prefix/length} {any| destination-port | destination-port-range}

[ace-priority priority][dscp number | precedence number] [match-all list-of-flags]

[time-range time-range-name] [disable-port |log-input]

deny udp {any | {source-prefix/length}} {any | source-port | source-port-range}}{any |

destination-prefix/length} {any| destination-port | destination-port-range} [ace-priority priority][dscp number | precedence number] [time-range time-range-name] [disable-port |log-input]

no deny protocol {any | {source-prefix/length}{any | destination-prefix/length} [dscp

number | precedence number] [time-range time-range-name] [disable-port

|log-input]

no deny icmp {any | {source-prefix/length}{any | destination-prefix/length} {any|icmp-type} {any|icmp-code} [dscp number | precedence number] [time-range time-range-name] [disable-port |log-input]

no deny tcp {any | {source-prefix/length} {any | source-port | source-port-range}}{any | destination-prefix/length} {any| destination-port |

destination-port-range} [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [disable-port |log-input]

no deny udp {any | {source-prefix/length}} {any | source-port |

source-port-range}}{any | destination-prefix/length} {any| destination-port | destination-port-range} [dscp number | precedence number] [time-range time-range-name] [disable-port |log-input]

Parameters

  • protocol—The name or the number of an IP protocol. Available protocol names are: icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0–255)
  • source-prefix/length—The source IPv6 network or class of networks about which to set permit conditions. This argument must be in the format documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
  • destination-prefix/length—The destination IPv6 network or class of networks about which to set permit conditions. This argument must be in the format documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
  • priority – Specify the priority of the access control entry (ACE) in the access control list (ACL). “1” value represents the highest priority and “2147483647” number represents the lowest priority.(Range: 1-2147483647)
  • dscp number—Specifies the DSCP value. (Range: 0–63)
  • precedence number—Specifies the IP precedence value.
  • icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136). (Range: 0–255)
  • icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
  • destination-port—Specifies the UDP/TCP destination port. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data 20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (1110, syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who

(513), xdmcp (177). (Range: 0–65535)

  • destination-port-range—Specifies the UDP/TCP destination port range. You can enter a range of ports by using a hyphen. E.g. 20 – 21.
  • source-port—Specifies the UDP/TCP source port. Predefined port names are defined in the destination-port parameter. (Range: 0–65535)
  • source-port-range—Specifies the UDP/TCP source port range. You can enter a range of ports by using a hyphen. E.g. 20 – 21.
  • match-all list-of-flags—List of TCP flags that should occur. If a flag should be set it is prefixed by “+”.If a flag should be unset it is prefixed by “-”. Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated to a one string. For example: +fin-ack.
  • time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
  • disable-port—The Ethernet interface is disabled if the condition is matched.
  • log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.

Default Configuration

No IPv6 access list is defined.

Command Mode

Ipv6 Access-list Configuration mode

User Guidelines

The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of ports is used for source port in ACE it is not counted again if it is also used for source port in another ACE. If a range of ports is used for a destination port in ACE it is not counted again if it is also used for a destination port in another ACE.

If a range of ports is used for source port it is counted again if it is also used for destination port.

If ace-priority is omitted, the system sets the rule’s priority to the current highest priority ACE (in the current ACL) + 20. The ACE-priority must be unique per ACL.If the user types already existed priority, then the command is rejected.

Example

switchxxxxxx(config)# ipv6 access-list server
switchxxxxxx(config-ipv6-al)# deny tcp 3001::2/64 any any 80

mac access-list

Use the mac access-list Global Configuration mode command to define a Layer 2 access list (ACL) based on source MAC address filtering and to place the device in MAC Access-list Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit ( MAC ) and deny (MAC) commands. The service-acl input command is used to attach this ACL to an interface.

Use the no form of this command to remove the access list.

Syntax mac access-list extended acl-name no mac access-list extended acl-name

Parameters

acl-name—Specifies the name of the MAC ACL (Range: 1–32 characters).

Default Configuration

No MAC access list is defined.

Command Mode

Global Configuration mode

User Guidelines

A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name

If ace-priority is omitted, the system sets the rule’s priority to the current highest priority ACE (in the current ACL) + 20. The ACE-priority must be unique per ACL.If the user types already existed priority, then the command is rejected.

Example

switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any

permit ( MAC )

Use the permit command in MAC Access-list Configuration mode to set permit conditions (ACEs) for a MAC ACL. Use the no form of the command to remove the access control entry.

Syntax

permit   {any | source source-wildcard} {any | destination destination-wildcard} [ace-priority priority][eth-type 0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] [log-input]

no permit   {any | source source-wildcard} {any | destination destination-wildcard}

[eth-type 0 | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000]

[vlan vlan-id]

[cos cos cos-wildcard] [time-range time-range-name]

[log-input]

Parameters

  • source—Source MAC address of the packet.
  • source-wildcard—Wildcard bits to be applied to the source MAC address. Use 1s in the bit position that you want to be ignored.
  • destination—Destination MAC address of the packet.
  • destination-wildcard—Wildcard bits to be applied to the destination MAC address. Use 1s in the bit position that you want to be ignored.
  • priority – Specify the priority of the access control entry (ACE) in the access control list (ACL). “1” value represents the highest priority and “2147483647” number represents the lowest priority.(Range: 1-2147483647)
  • eth-type—The Ethernet type in hexadecimal format of the packet.
  • vlan-id—The VLAN ID of the packet. (Range: 1–4094)
  • cos—The Class of Service of the packet. (Range: 0–7)
  • cos-wildcard—Wildcard bits to be applied to the CoS.
  • time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
  • log-input—Specifies sending an informational SYSLOG message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.

User Guidelines

A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name

If ace-priority is omitted, the system sets the rule’s priority to the current highest priority ACE (in the current ACL) + 20. The ACE-priority must be unique per ACL.If the user types already existed priority, then the command is rejected.

Default Configuration

No MAC access list is defined.

Command Mode

MAC Access-list Configuration mode

Example

switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any

deny (MAC)

Use the deny command in MAC Access-list Configuration mode to set deny conditions (ACEs) for a MAC ACL. Use the no form of the command to remove the access control entry.

Syntax

deny {any | source source-wildcard} {any | destination destination-wildcard} [ace-priority priority][{eth-type 0}| aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] [disable-port |log-input ]

no deny {any | source source-wildcard} {any | destination destination-wildcard} [{eth-type 0}| aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000] [vlan vlan-id] [cos cos cos-wildcard] [time-range time-range-name] [disable-port |log-input ]

Parameters

  • source—Source MAC address of the packet.
  • source-wildcard—Wildcard bits to be applied to the source MAC address. Use ones in the bit position that you want to be ignored.
  • destination—Destination MAC address of the packet.
  • destination-wildcard—Wildcard bits to be applied to the destination MAC address. Use 1s in the bit position that you want to be ignored.
  • priority – Specify the priority of the access control entry (ACE) in the access control list (ACL). “1” value represents the highest priority and “2147483647” number represents the lowest priority.(Range: 1-2147483647) eth-type—The Ethernet type in hexadecimal format of the packet.
  • vlan-id—The VLAN ID of the packet. (Range: 1–4094).
  • cos—The Class of Service of the packet.(Range: 0–7).
  • cos-wildcard—Wildcard bits to be applied to the CoS.
  • time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
  • disable-port—The Ethernet interface is disabled if the condition is matched.
  • log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.

Default Configuration

No MAC access list is defined.

Command Mode

MAC Access-list Configuration mode

User Guidelines

A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name

If ace-priority is omitted, the system sets the rule’s priority to the current highest priority ACE (in the current ACL) + 20. The ACE-priority must be unique per ACL.If the user types already existed priority, then the command is rejected.

Example

switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# deny 00:00:00:00:00:01 00:00:00:00:00:ff any

service-acl input

Use the service-acl input command in Interface Configuration mode to bind an access list(s) (ACL) to an interface.

Use the no form of this command to remove all ACLs from the interface.

Syntax

sevice-acl input acl-name1 [acl-name2] [default-action {deny-any | permit-any}] no service-acl input

Parameters

  • acl-name—Specifies an ACL to apply to the interface. See the user guidelines. (Range: 1–32 characters).
  • deny-any—Deny all packets (that were ingress at the port) that do not meet the rules in this ACL.
  • permit-any—Forward all packets (that were ingress at the port) that do not meet the rules in this ACL.

Default Configuration No ACL is assigned.

Command Mode

Interface Configuration mode (Ethernet, Port-Channel,,VLAN )

User Guidelines

The following rules govern when ACLs can be bound or unbound from an interface:

  • IPv4 ACLs and IPv6 ACLs can be bound together to an interface.
  • A MAC ACL cannot be bound on an interface which already has an IPv4 ACL or IPv6 ACL bound to it.
  • Two ACLs of the same type cannot be bound to a port.
  • An ACL cannot be bound to a port that is already bound to an ACL, without first removing the current ACL. Both ACLs must be mentioned at the same time in this command.
  • MAC ACLs that include a VLAN as match criteria cannot be bound to a VLAN. ACLs with time-based configuration on one of its ACEs cannot be bound to a VLAN.
  • ACLs with the action Shutdown cannot be bound to a VLAN.
  • When the user binds ACL to an interface, TCAM resources will be consumed. One TCAM rule for each MAC or IP ACE and two TCAM rules for each IPv6 ACE.The TCAM consumption is always even number, so in case of odd number of rules the consumption will be increased by 1.
  • An ACL cannot be bound as input if it has been bound as output.

Example

switchxxxxxx(config)# mac access-list extended server-aclswitchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
switchxxxxxx(config-mac-al)# exit
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# service-acl input server-acl default-action deny-any

Verge Documentation – English//ACL Commands

Angora Networks Product Support Portal

service-acl output

Use the service-acl output command in Interface Configuration mode to control access to an interface on the egress (transmit path).

Use the no form of this command to remove the access control.

Syntax

service-acl output acl-name1 [acl-name2] no service-acl output

Parameters

acl-name-Specifies an ACL to apply to the interface. See the usage guidelines. (Range: acl-name is from 0-32 characters. Use “” for empty string)

Default

No ACL is assigned.

Command Mode

Interface Configuration mode(Ethernet, Port-Channel).

User Guidelines

 The rule actions: log-input is not supported. Trying to use it will result in an error.

The deny rule action disable-port is not supported. Trying to use it will result in an error.

IPv4 and IPv6 ACLs can be bound together on an interface.

A MAC ACL cannot be bound on an interface together with an IPv4 ACL or IPv6 ACL.

Two ACLs of the same type cannot be added to a port.

An ACL cannot be added to a port that is already bounded to an ACL, without first removing the current ACL and binding the two ACLs together.

An ACL cannot be bound as output if it has been bound as input.

Example

This example binds an egress ACL to a port:

switchxxxxxx(config)# mac access-list extended server
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
switchxxxxxx(config-mac-al)# exit
switchxxxxxx(config)# interface te1/0/1
switchxxxxxx(config-if)# service-acl output server

time-range

Use the time-range Global Configuration mode command to define time ranges for different functions. In addition, this command enters the Time-range Configuration mode. All commands after this one refer to the time-range being defined.

This command sets a time-range name. Use the absolute and periodic commands to actually configure the time-range.

Use the no form of this command to remove the time range from the device.

Syntax time-range time-range-name no time-range time-range-name

Parameters

time-range-name—Specifies the name for the time range. (Range: 1–32 characters)

Default Configuration

No time range is defined

Command Mode

Global Configuration mode

User Guidelines

After adding the name of a time range with this command, use the absolute and periodic commands to actually configure the time-range. Multiple periodic commands are allowed in a time range. Only one absolute command is allowed.

If a time-range command has both absolute and periodic values specified, then the periodic items are evaluated only after the absolute start time is reached, and are not evaluated again after the absolute end time is reached.

All time specifications are interpreted as local time.

To ensure that the time range entries take effect at the desired times, the software clock should be set by the user or by SNTP. If the software clock is not set by the user or by SNTP, the time range ACEs are not activated.

The user cannot delete a time-range that is bound to any features.

When a time range is defined, it can be used in the following commands:

  • dot1x port-control
  • power inline
  • operation time
  • permit (IP)
  • deny (IP)
  • permit (IPv6)
  • deny (IPv6)
  • permit (MAC)
  • deny (MAC)

Example

switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)#periodic mon 12:00 to wed 12:00

absolute

Use the absolute Time-range Configuration mode command to specify an absolute time when a time range is in effect. Use the no form of this command to remove the time limitation.

Syntax

absolute start hh:mm day month year no absolute start absolute end hh:mm day month year no absolute end

Parameters

  • start—Absolute time and date that the permit or deny statement of the associated function going into effect. If no start time and date are specified, the function is in effect immediately.
  • end—Absolute time and date that the permit or deny statement of the associated function is no longer in effect. If no end time and date are specified, the function is in effect indefinitely.
  • hh:mm—Time in hours (military format) and minutes (Range: 0–23, mm: 0–5)
  • day—Day (by date) in the month. (Range: 1–31)
  • month—Month (first three letters by name). (Range: Jan…Dec)
  • year—Year (no abbreviation) (Range: 2000–2097)

Default Configuration

There is no absolute time when the time range is in effect.

Command Mode

Time-range Configuration mode

Example

switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# absolute start 12:00 1 jan 2005
switchxxxxxx(config-time-range)# absolute end 12:00 31 dec 2005

periodic

Use the periodic Time-range Configuration mode command to specify a recurring (weekly) time range for functions that support the time-range feature. Use the no form of this command to remove the time limitation.

Syntax periodic day-of-the-week hh:mm to day-of-the-week hh:mm no periodic day-of-the-week hh:mm to day-of-the-week hh:mm

periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2…

day-of-the-week7]

no periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2…

day-of-the-week7] periodic list hh:mm to hh:mm all no periodic list hh:mm to hh:mm all

Parameters

  • day-of-the-week—The starting day that the associated time range is in effect. The second occurrence is the ending day the associated statement is in effect. The second occurrence can be the following week (see description in the User Guidelines). Possible values are: mon, tue, wed, thu, fri, sat, and sun.
  • hh:mm—The first occurrence of this argument is the starting hours:minutes (military format) that the associated time range is in effect. The second occurrence is the ending hours:minutes (military format) the associated statement is in effect. The second occurrence can be at the following day

(see description in the User Guidelines). (Range: 0–23, mm: 0–59)

  • list day-of-the-week1—Specifies a list of days that the time range is in effect.

Default Configuration

There is no periodic time when the time range is in effect.

Command Mode

Time-range Configuration mode

User Guidelines

The second occurrence of the day can be at the following week, e.g. Thursday– Monday means that the time range is effective on Thursday, Friday, Saturday, Sunday, and Monday.

The second occurrence of the time can be on the following day, e.g. “22:00–2:00”.

Example

switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00

show time-range

Use the show time-range User EXEC mode command to display the time range configuration.

Syntax

show time-range time-range-name

Parameters

time-range-name—Specifies the name of an existing time range.

Command Mode

User EXEC mode

Example

switchxxxxxx> show time-range http-allowed
-------------
absolute start 12:00 1 Jan 2005 end  12:00 31 Dec 2005 periodic Monday 12:00 to Wednesday 12:00

show access-lists

Use the show access-lists Privileged EXEC mode command to display access control lists (ACLs) configured on the switch.

Syntax

show access-lists [name] show access-liststime-range-active [name]

Parameters

  • name—Specifies the name of the ACL.(Range: 1-160 characters).
  • time-range-active—Shows only the Access Control Entries (ACEs) whose time-range is currently active (including those that are not associated with time-range).

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# show access-lists Standard IP access list 1 Extended IP access list ACL2 permit 234 172.30.19.1 0.0.0.255 any priority 20 time-range weekdays permit 234 172.30.23.8 0.0.0.255 any priority 40 time-range weekdays
switchxxxxxx# show access-lists time-range-active Extended IP access list ACL1 permit 234 172.30.40.1 0.0.0.0 any priority 20 permit 234 172.30.8.8  0.0.0.0 any priority 40 Extended IP access list ACL2 permit 234 172.30.19.1 0.0.0.255 any priority 20time-range weekdays
switchxxxxxx# show access-lists ACL1 Extended IP access list ACL1 permit 234 172.30.40.1 0.0.0.0 any priority 20 permit 234 172.30.8.8  0.0.0.0 any priority 40

show interfaces access-lists

Use the show interfaces access-lists Privileged EXEC mode command to display access lists (ACLs) applied on interfaces.

Syntax

show interfaces access-lists [interface-id]

Parameters

interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port, port-channel or VLAN.

Command Mode

Privileged EXEC mode

Example

Interface              ACLs     ———      ———————-te1/0/2            Ingress: server1

Egress : ip

Verge Documentation – English//ACL Commands

Angora Networks Product Support Portal

clear access-lists counters

Use the clear access-lists counters Privileged EXEC mode command to clear access-lists (ACLs) counters.

Syntax

clear access-lists counters [interface-id]

Parameters

interface-id—Specifies an interface ID. The interface ID can be one of the following types: Ethernet port or port-channel.

Command Mode

Privileged EXEC mode

Example

switchxxxxxx# clear access-lists counters te1/0/1

show interfaces access-lists trapped packets

Use the show interfaces access-lists trapped packets Privileged EXEC mode command to display Access List (ACLs) trapped packets.

Syntax

show interfaces access-lists trapped packets [interface-id | port-channel-number |

VLAN]

Parameters

  • interface-id—Specifies an interface ID, the interface ID is an Ethernet port port-channel.
  • port-channel—Specifies a port-channel.
  • VLAN—Specifies a VLAN

Command Mode

Privileged EXEC mode

User Guidelines

This command shows whether packets were trapped from ACE hits with logging enable on an interface.

Examples

Example 1:

switchxxxxxx# show interfaces access-lists trapped packets

Ports/LAGs: te1/0/1-te1/0/3, ch1-ch3, ch4

VLANs: VLAN1, VLAN12-VLAN15

Packets were trapped globally due to lack of resources

Example 2:

switchxxxxxx# show interfaces access-lists trapped packets te1/0/1

Packets were trapped on interface te1/0/1

ip access-list (IP standard)

Use the ip access-list Global Configuration mode command to define an IP standard list. The no format of the command removes the list.

Syntax

ip access-list access-list-name {deny|permit} {src-addr[/src-len] | any} no ip access-list access-list-name

Parameters

  • access-list-name—The name of the Standard IP access list. The name may contain maximum 32 characters.
  • deny/permit—Denies/permits access if the conditions are matched.

– src-addr[/src-len] | any— IP prefix defined as an IP address and length or any. The any value matches all IP addresses. If src-len is not defined, a value of 32 is applied. A value of src-len must be in the interval 1-32.

Default Configuration

No access list is defined.

Command Mode

Global Configuration mode

User Guidelines

Use the ip access-list command to configure IP address filtering. Access lists are configured with permit or deny keywords to either permit or deny an IP address based on a matching condition. An implicit deny is applied to address that does not match any access-list entry.

An access-list entry consists of an IP address and a bit mask. The bit mask is a number from 1 to 32.

Evaluation of an IP address by an access list starts with the first entry of the list and continues down the list until a match is found. When the IP address match is found, the permit or deny statement is applied to that address and the remainder of the list is not evaluated.

Use the no ip access-list command to delete the access list.

In addition to filtering IP traffic on a per port base, a basic IP access control list can be used by RIP (Routing Information Protocol) to filter route updates.

Examples

Example 1 – The following example of a standard access list allows only the three specified networks. Any IP address that does not match the access list statements will be rejected.

switchxxxxxx(config)# ip access-list 1 permit 192.168.34.0/24
switchxxxxxx(config)# ip access-list 1 permit 10.88.0.0/16
switchxxxxxx(config)# ip access-list 1 permit 10.0.0.0/8

 Note: all other access is implicitly denied.

Example 2 – The following example of a standard access list allows access for IP addresses in the range from 10.29.2.64 to 10.29.2.127. All IP addresses not in this range will be rejected.

switchxxxxxx(config)# ip access-list apo permit 10.29.2.64/26

Note: all other access is implicitly denied.

Example 3 – To specify a large number of individual addresses more easily, you can omit the mask length if it is 32. Thus, the following two configuration commands are identical in effect:

switchxxxxxx(config)# ip access-list 2aa permit 10.48.0.3switchxxxxxx(config)# ip access-list 2aa permit 10.48.0.3/32

ipv6 access-list (IP standard)

The ipv6 access-list Global Configuration mode command defines an IPv6 standard list. The no format of the command removes the list.

Syntax

ipv6 access-list access-list-name {deny|permit} {src-addr[/src-len] | any} no ipv6 access-list access-list-name

Parameters

  • access-list-name—The name of the Standard IPv6 access list. The name may contain maximum 32 characters.
  • deny—Denies access if the conditions are matched.
  • permit—Permits access if the conditions are matched.
  • src-addr[/src-len] | any— IPv6 prefix defined as an IPv6 address and length or any. The any value matches to all IPv6 addresses. If the src-len is not defined a value of 128 is applied. A value of src-len must be in interval 1-128.

Default Configuration no access list

Command Mode

Global Configuration mode

User Guidelines

Use the ipv6 access-list command to configure IPv6 address filtering. Access lists are configured with permit or deny keywords to either permit or deny an IPv6 address based on a matching condition. An implicit deny is applied to address that does not match any access-list entry.

An access-list entry consists of an IP address and a bit mask. The bit mask is a number from 1 to 128.

Evaluation of an IPv6 address by an access list starts with the first entry of the list and continues down the list until a match is found. When the IPv6 address match is found, the permit or deny statement is applied to that address and the remainder of the list is not evaluated.

Use the no ipv6 access-list command to delete the access list.

The IPv6 standard access list is used to filter received and sent IPv6 routing information.

Example

The following example of an access list allows only the one specified prefix: Any IPv6 address that does not match the access list statements will be rejected.

switchxxxxxx(config)# ipv6 access-list 1 permit 3001::2/64

Note: all other access implicitly denied.

Was this article helpful?

Yes No

Related Articles

Leave A Comment?