Manoj Reddy's Reference Guide

access-list (IP extended)

To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

no access-list access-list-number

Internet Control Message Protocol (ICMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

Internet Group Management Protocol (IGMP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

TCP

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

User Datagram Protocol (UDP)

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

Caution: Enhancements to this command are backward compatible; migrating from releases prior to Release 11.1 will convert your access lists automatically. However, releases prior to Release 11.1 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 11.1, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.

Syntax Description

access-list-number 

Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

dynamic  dynamic-name 

(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide .

timeout  minutes 

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide .

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol 

Name or number of an IP protocol. It can be one of the keywords eigrp , gre , icmp , igmp , igrp , ip , ipinip , nos , ospf , tcp , or udp , or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip . Some protocols allow further qualifiers described below.

source 

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.
  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard 

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
destination 

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.
  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard 

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

icmp-type 

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code 

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message 

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type 

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator 

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port 

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines" and can only be used when filtering TCP. UDP port names are listed in the section "Usage Guidelines" and can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Defaults

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Modes

Global configuration

Command History

Release    Modification
10.0

This command and the UDP form of this command were introduced.

10.3

The ICMP, IGMP, and TCP forms of this command were introduced.

The following keywords and arguments were added:

  • source
  • source-wildcard
  • destination
  • destination-wildcard
  • precedence precedence
  • icmp-type
  • icmp-code
  • icmp-message
  • igmp-type
  • operator
  • port
  • established
11.1

The following keywords and arguments were added:

  • dynamic dynamic-name
  • timeout minutes

Usage Guidelines

You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.

After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.

The following is a list of precedence names:

The following is a list of type of service (TOS) names:

The following is a list of ICMP message type names and ICMP message type and code names:

The following is a list of IGMP message names:

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

Examples

In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface serial 0
 ip access-group 102 in

The following example also permits Domain Name System (DNS) packets and ICMP echo and echo reply packets:

access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply

The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. They are similar to the bitmasks that are used with normal access lists. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix/mask bits corresponding to wildcard bits set to 0 are used in comparison.

In the following example, permit 192.108.0.0 255.255.0.0 but deny any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0).

access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

In the following example, permit 131.108.0/24 but deny 131.108/16 and all other subnets of 131.108.0.0.

access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
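As an added example (not part of the Cisco documentation), the following Python model evaluates constructed packets against access-list 102 from the examples above using the semantics this page describes: wildcard bits set to 1 are ignored, the first matching entry decides, the list ends with an implicit deny, and established matches only datagrams with ACK or RST set. The packet records, protocol names and port numbers are constructed for illustration.

```python
"""Illustrative model of extended IP access-list evaluation (not IOS code):
wildcard matching, first-match-wins, implicit deny, and 'established'."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # keyword any: every bit ignored

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; bits set to 0 must match base."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def entry_matches(entry: dict, pkt: dict) -> bool:
    """True if one access-list entry matches the constructed packet record."""
    if entry["proto"] != "ip" and entry["proto"] != pkt["proto"]:
        return False  # keyword ip matches any IP protocol
    if not wildcard_match(pkt["src"], *entry["src"]):
        return False
    if not wildcard_match(pkt["dst"], *entry["dst"]):
        return False
    if entry.get("dst_port") is not None and pkt.get("dst_port") != entry["dst_port"]:
        return False  # 'eq port' placed after the destination
    if entry.get("established") and not (pkt.get("flags", set()) & {"ACK", "RST"}):
        return False  # initial SYN of a new connection does not match
    if entry.get("icmp_type") is not None and pkt.get("icmp_type") != entry["icmp_type"]:
        return False
    return True

def evaluate(acl: list, pkt: dict) -> str:
    """Checking stops at the first match; an extended list ends in implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt):
            return entry["action"]
    return "deny"

# Model of access-list 102 from the page: established replies into 128.88.0.0/16,
# SMTP to host 128.88.1.2, DNS over TCP and UDP, ICMP echo and echo-reply.
ACL_102 = [
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ("128.88.0.0", "0.0.255.255"), "established": True},
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ("128.88.1.2", "0.0.0.0"), "dst_port": 25},
    {"action": "permit", "proto": "tcp", "src": ANY, "dst": ANY, "dst_port": 53},
    {"action": "permit", "proto": "udp", "src": ANY, "dst": ANY, "dst_port": 53},
    {"action": "permit", "proto": "icmp", "src": ANY, "dst": ANY, "icmp_type": "echo"},
    {"action": "permit", "proto": "icmp", "src": ANY, "dst": ANY, "icmp_type": "echo-reply"},
]
```

Running it shows why an inbound SYN to port 80 inside 128.88.0.0/16 is dropped by the implicit deny while an ACK to the same host is permitted by the established entry.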

Related Commands

Command    Description
access-class Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.
access-list (IP standard) Defines a standard IP access list.
clear access-template Clears a temporary access list entry from a dynamic access list manually.
distribute-list in (IP) Filters networks received in updates.
distribute-list out (IP) Suppresses networks from being advertised in updates.
ip access-group Controls access to an interface.
ip access-list Defines an IP access list by name.
ip accounting Enables IP accounting on an interface.
logging console Limits messages logged to the console based on severity.
show access-lists Displays the contents of current IP and rate-limit access lists.
show ip access-list Displays the contents of all current IP access lists.


All material in this document copyright 2000 Cisco Systems, Inc. All rights reserved. No material may be reproduced or distributed without written permission of Cisco Systems, Inc.